Hi everyone, I am Chethan and I am going to present our paper on treewidth, separators and Yao's garbling. This is joint work with Karen Klein and Krzysztof Pietrzak. Our main result is that for Boolean circuits of size S and treewidth W, Yao's garbling is adaptively indistinguishable with only a loss in security of S^{O(W)}. As a consequence, Yao's garbling is adaptively indistinguishable for constant-treewidth circuits with only a polynomial loss in security. So, what is treewidth? Treewidth is a notion from algorithmic graph theory and it is, informally, a measure of how far a circuit is from a Boolean formula or, more generally, how far a graph is from a tree. It is also worth pointing out that the loss in security is with respect to the underlying symmetric-key encryption scheme.

A few remarks regarding our result are in order. Firstly, Applebaum et al. ruled out adaptive simulatability of Yao's garbling and, as a consequence, our result is the best possible one could hope for. Secondly, Jafargholi and Wichs proved adaptive simulatability of a close variant of Yao's garbling, which we denote by Γ'. We can prove adaptive simulatability of this variant in terms of treewidth as well, so our results can basically be tuned slightly to achieve adaptive simulatability of Γ'.

This is the overview of our talk. In the first part, we will make ourselves familiar with the various notions and security models and, most importantly, with Yao's garbling. In the second part, we will talk about our reduction. We will keep it informal and explain things at a very high level.

So, garbling was originally motivated by secure function evaluation. Here we have a party Alice who holds a circuit C and another party Bob who holds an input x to this circuit. The circuit maps n bits to l bits, and they want to jointly evaluate the circuit C on the input x.
A trivial way to do this would be for Alice to simply send her circuit over to Bob, or for Bob to send the input x to Alice. But what we would like is for the respective parties not to reveal their information: Alice does not want to reveal her circuit C, whereas Bob doesn't want to reveal his input x. So Yao suggested the following elegant idea to carry this out. First, Alice computes the garbling of her circuit C and sends it over to Bob. Bob then retrieves the appropriate secret information regarding this garbled circuit from Alice, and then evaluates the garbled circuit on the garbled input to obtain the output C(x).

Garbling as a standalone primitive was formalized much later by Bellare, Hoang and Rogaway. They suggested the following syntax for garbling. It consists of three algorithms: a randomized garble-circuit algorithm, which takes a circuit C and outputs a garbled circuit C tilde and a secret key K; a garble-input algorithm, which is also randomized, takes the input x and the secret key K and outputs a garbled input x tilde; and finally garbled evaluation, a deterministic algorithm which takes the garbled circuit and the garbled input and outputs the output y. The main motivation for such a syntax was to separate oblivious transfer from garbling. It is also worth pointing out that in our setting, that is, Yao's garbling, the garble-input algorithm is deterministic. As for correctness, it should hold that for every security parameter lambda, every circuit C and every input x, the evaluation of the garbled circuit on the garbled input matches the output of the circuit on x. Before moving on, it is worth pointing out that the garbling of the circuit is independent of the input x. One can think of the whole garbling process as being split into an offline phase and an online phase.
In the offline phase one generates the garbled circuit, whereas in the online phase one generates the garbled input, and these are independent of each other.

What about security? Recall that our goal is to capture the requirement that the two parties involved in the garbling keep their respective secret information hidden. This is captured by the following game, which is called adaptive simulatability. It is played between an adversary and a challenger. The adversary first sends over a circuit C of its own choice to the challenger. The challenger tosses a coin b and, depending on its outcome, either outputs the honest garbling of C as above or a simulated version of the garbling shown below. The adversary next picks an input x and, as before, the challenger either gives the honest garbling of the input or a simulated version of it. So the simulator in this case consists of two algorithms, S-circuit and S-input. Finally, the adversary outputs a guess b' and wins if b' equals b. As mentioned, the advantage of the adversary is defined as the distance from one half of the probability with which it guesses correctly. The source of adaptivity in this game is the ability of the adversary to pick x after it has seen the garbled circuit C tilde. In the selective version of this game, it would have to output both the circuit and the input in a single go. Adaptivity is important in some applications like one-time programs.

A weaker notion of security that we are interested in is called adaptive indistinguishability. In this game, the adversary sends two circuits C0 and C1 over to the challenger, conditioned on the topology of the two circuits being the same. The challenger next flips a coin b and sends over the garbling of the circuit Cb to the adversary.
Next, the adversary picks two inputs x0, x1, again conditioned on the task being non-trivial, namely that the evaluation of C0 on x0 and of C1 on x1 should be the same. The challenger sends over the garbling of the input xb. Finally, the adversary guesses a bit b' and wins if the guess is correct. As in the case of adaptive simulatability, the source of adaptivity in this game is the fact that the adversary can choose the inputs after it has seen the garbled circuit. It can be easily shown that adaptive simulatability implies adaptive indistinguishability using the standard two-step hybrid argument. Moreover, adaptive indistinguishability suffices for certain applications like some forms of symmetric-key functional encryption.

Finally, we explain Yao's garbling. Recall that Yao's garbling is built on top of a symmetric encryption scheme. The first step in the garbling process is to associate each wire w in the circuit C with a pair of secret keys K_w^0 and K_w^1. Next, Alice computes the garbled circuit C tilde, which consists of two components: the garbling tables and an output map. A garbling table is associated with each gate of the circuit and, for each gate G, the garbling table encodes the gate table of the underlying gate G. For example, let's consider the AND gate in the example above. Here, the garbling table consists of four double ciphertexts of the underlying encryption scheme. The outer and inner keys used in this encryption correspond to the two incoming wires of the AND gate, whereas the payload of the encryption is one of the two keys of the outgoing wire, denoted by 6 here. Exactly what the payload is, is determined by the gate being evaluated. For example, in the case of the AND gate, in the first three cases we encrypt K_6^0, which corresponds to the bit 0, whereas only in the last case, when the outer and the inner keys both correspond to the bit 1, do we encrypt K_6^1.
Finally, we have the output map, which takes each output wire and maps it to a bit 0 or 1. The goal of this output map is to help Bob evaluate the garbled circuit, and it acts as a guide to the decoding procedure. The garbled input x tilde is simply determined by the input x: the idea is to use x to choose a subset of the input-wire keys. For example, if your input is 0 1 1 0, then the garbled input simply consists of the keys selected according to the bits of the input.

So, once Bob has the garbled circuit and the garbled input, how does he evaluate? The basic idea is to evaluate through the encryption. What we mean by this is: given the garbled input, he proceeds in a topological order; he picks each gate and its garbling table, and then he simply decrypts all the ciphertexts. By a special property of the encryption scheme, it is guaranteed that only one of the ciphertexts decrypts correctly, and this way he learns the key corresponding to the output wire. He proceeds in a similar manner until he reaches the output gates, at which point he can use the output map to decode and figure out what the output bits really are. Note that the online complexity of Yao's garbling is more or less optimal, since it only depends on the length of the input and on the security parameter.

There is a close variant of Yao's garbling, which we already alluded to, called Γ', where the output map is sent in the online phase. Therefore the garbled circuit consists only of the garbling tables, whereas the garbled input consists of the input keys and also the output map.
The drawback of this variant is that the online complexity now grows also with the output length. For example, if you use Γ' to garble a PRG which maps n bits to n^c bits, the online complexity now grows with n^c. Moreover, as we saw on the first slide, adaptive simulatability cannot be proven for the original Yao scheme.

So we have seen various security models and various variants of Yao; what do we know about the security of all these schemes? The study of the security of the original Yao scheme was initiated in the seminal work of Lindell and Pinkas. They showed that Γ is selectively simulatable; since this is the strongest possible notion in the selective setting, it automatically implies the other notions of security in the selective setting. This was followed by the work of Applebaum et al., who showed that Γ cannot be adaptively simulatable. This was a corollary of a more general theorem which they proved, which says that the online complexity of a randomized encoding scheme which is adaptively simulatable must exceed the output length. As we saw in the description before, the online complexity of Yao depends solely on the input and not on the output. Jafargholi and Wichs observed that this is not true for the variant; in fact, this was their motivation to come up with the variant, and they proceeded to show that this variant Γ' is actually adaptively simulatable. There are some caveats here: their security actually degrades exponentially with the depth of the circuit, but they still managed to prove adaptive simulatability. But the situation with adaptive indistinguishability of Yao has remained open and largely neglected, and we show in this work that there are some regimes where Γ is actually adaptively indistinguishable. That concludes the first part of our talk.
In the second part we will focus on our reduction. As mentioned earlier, we will keep it at a high level and largely informal. Since we build on the previous works of Lindell and Pinkas and of Jafargholi and Wichs, we will spend a few slides on their security reductions. Key to all these security reductions is the notion of garbling modes. As we saw in one of the previous slides, the honest garbling table of a gate G encodes the gate table of G; this is what we call the real mode. On the other hand, we have the simulated mode, where instead of garbling the gate G we simply garble the constant-zero gate. Therefore the payload in the garbling table is always K_w^0, the key corresponding to the output wire which encodes the zero bit. In between these two modes is something called the input-dependent mode. Here the payload is a constant, but this constant is determined by the value of the wire when we evaluate the circuit on the input x, so it can be the constant zero or the constant one depending on the value. Note that in order to simulate this mode, knowledge of the value of the wire w is necessary, unlike in the case of real or sim. We would also like to point out that in the indistinguishability game, the real mode will consist of two real modes, real-0 and real-1. For example, real-0 will consist of the gate in the circuit C0, whereas real-1 will consist of the gate in the circuit C1; and for the input-dependent modes there will also be two modes, input-0 and input-1. For example, input-1 will consist of the garbling table of the constant gate where the value is determined by the circuit C1 run on the input x1.

So let's look at the selective simulatability game and the security reduction of Lindell and Pinkas.
There are two main parts in this reduction: the first is the hybrid argument, where we progressively replace each garbling table with a simulated one, and the second is a programming step, where we program the output map so that these changes are indistinguishable to an adversary. How does the hybrid argument work? We proceed in some topological order, and we progressively replace each real garbling table with an input-dependent garbling table, as shown in this illustration. So why is it crucial to proceed in a topological order? The idea is to ensure that before switching some gate to input-dependent mode, both its parents have already been switched to input-dependent mode. Why do we need this? This is crucial for the security argument to go through. We want to ensure that at least one of the keys of each of the parents is free, and this will help us embed the challenge key of the underlying SKE into one of these gates. Therefore this step can be shown to be indistinguishable based on the ciphertext indistinguishability of the underlying SKE. We go on switching gates to input-dependent mode until we have switched everything, and then we switch the gates from input-dependent to sim in the reverse topological order. Note that, unlike the first step, this step is information-theoretic, since the keys are used in a symmetric manner in the gates. Note that if one uses the default output map, the adversary can trivially tell the hybrids from each other, since it can check the evaluation of the garbled circuit. Therefore it is necessary that in each hybrid we program the output map so that it maps correctly to the output C(x). Note that this is not an issue in the selective setting, since the input is already available in the offline phase. Note that selective simulatability automatically implies adaptive simulatability, but with a loss which is exponential in the input length.
One simply guesses the input and then applies the selective simulatability reduction, and we get adaptive simulatability. The whole point of our work, and also that of Jafargholi and Wichs, is to avoid this exponential loss. So what are the hurdles to adaptive security? The most obvious problem is that the input x is only available in the online phase, unlike in the case of the selective game. This manifests itself in two ways. First, we cannot program the output map in the offline phase, since the input becomes available only in the online phase. Jafargholi and Wichs basically sidestepped this issue and resorted to sending the output map in the online phase. That's why they had to change the scheme and resort to the variant Γ'. What they gained was the ability to defer the programming until after they saw the input. Our solution is different. First of all, we cannot afford to defer sending the output map, since we want to prove the security of the original protocol. Therefore our idea is to avoid the sim mode in the hybrids altogether. This is based on our observation that the requirement to program the output map is closely related to the sim mode. The second problem that we come across is: how do we simulate the input-dependent garbling tables? Recall that for the input-dependent gates, in order to simulate them we need to know the value of the output wire of these gates; since the input is only available in the online phase, whereas we have to send the garbling table in the offline phase, we have a dilemma here. Jafargholi and Wichs solved this in a very clever manner, and this was their main technical contribution. Instead of using a lot of input-dependent gates, as in the case of Lindell and Pinkas, they had a more frugal approach: they minimized the number of input-dependent gates and then simply guessed the values of these input-dependent gates.
In case the number of input-dependent gates is not too large, the security loss that results is not too large either. But the question still remains: how does one minimize the number of input-dependent gates? What Jafargholi and Wichs did was to look at restricted circuit classes which allow you to use few input-dependent gates. An example of this is NC1, that is, logarithmic-depth circuits. But this approach is tightly linked to the ability to program the output map. Since we don't have this ability, we need a totally different approach, and our approach is a divide-and-conquer one based on treewidth and separators. To reiterate: since we do not have the ability to program the output map, we have to avoid the sim mode, and this means we need a totally different approach to minimizing the number of input-dependent gates. We believe this is our main technical contribution.

Treewidth is a notion from algorithmic graph theory. Informally, it is a measure of how far a circuit is from a formula or, more generally, how far an undirected graph is from a tree. The exact definition is not important, as we will rely more on the notion of separators. A separator for a circuit C is a subset of gates S such that removing this set of gates S and the incident wires results in the circuit C being disconnected into sub-circuits, and each of the sub-circuits should not be too large. For example, in the figure we have a circuit C on the left, and the separator for this circuit is shown between the dashed lines. As you can see, if you remove the gates between the dashed lines, the circuit splits nicely into a circuit C1 and another circuit C2. What we crucially rely on is a classical theorem of Robertson and Seymour, which says that if the treewidth of a graph is bounded by W, then it also has separators which are bounded by W.
We call this the treewidth separator theorem. Note that treewidth is a monotone property, which means that whenever you remove gates from a circuit, its treewidth can only decrease. This means that it is possible to apply the treewidth separator theorem recursively on smaller and smaller sub-circuits, and we will use this observation crucially.

We are almost there to explain our reduction. We will consider a slightly simpler indistinguishability game, just for the sake of simplicity, where instead of sending two inputs the adversary only sends one input; our result can be easily adapted to the full case. To state the game: the adversary first sends two circuits C0, C1 over to the challenger. The challenger flips a bit b and sends the garbling of the circuit Cb. The adversary now picks just one input x and gets back the garbling of this input x. Then it guesses the bit b, and we check whether it guesses correctly. Also recall that we will have four garbling modes: two corresponding to the real modes and two corresponding to the input-dependent modes. So the goal of our reduction is to switch all the garbling tables from real-0 to real-1. Recall that our goal is to show that the case where the garbling of C0 and x is sent and the case where the garbling of C1 and x is sent are indistinguishable. These correspond to all the gates being either in the real-0 mode or in the real-1 mode. We also proceed via a hybrid argument, and our constraint in this hybrid argument is to minimize the number of gates in input-0 or input-1 mode. Our main idea is to maintain gates in input-dependent modes only at the separator. By the property of the separator, this means that the circuit is split into two parts, and it is possible to recurse on these two components independently of each other.
Moreover, if the separator is not too big, this means that the number of gates in input-dependent mode to be maintained is also not too many, and this means that we don't have to guess a lot when we try to simulate the gates in input-dependent mode. This is the recursive structure of our hybrids. As described, we start with all gates in real-0 mode; then we switch the gates on the separator to input-dependent mode, and this splits the circuit into C1 and C2; and we recursively switch the two components to real-1, as illustrated here. Finally, we can also switch the separator from input-dependent to the real-1 mode. What is the cost of this whole operation? The number of gates we maintain in input-dependent mode is roughly the size of the separator times the degree times the log of the size of the circuit. Roughly speaking, the dependence on log S comes from the fact that we have to continue recursing until we reach constant-size circuits.

In the paper we have abstracted all these details out and we have a more formal approach, which we describe using a pebble game. Our main theorem is proved using two lemmas. In the first lemma we show a tight coupling between the pebble configurations and the hybrids; in particular, we show that any two hybrids which correspond to neighbouring pebble configurations can be shown to be indistinguishable. In the second lemma we show that there exists a pebbling strategy which does not use too many pebbles of a particular colour. These two lemmas give us our main theorem, and to prove this we also use the piecewise guessing framework of Jafargholi et al. With that I would like to conclude my talk, and I would like to thank you for your attention. These are the references and these are the people we would like to acknowledge. Thank you.