This talk is about limits on the adaptive security of Yao's garbling. It is joint work with Chethan Kamath, Krzysztof Pietrzak and Daniel Wichs. Consider the following scenario. Alice holds some circuit C, Bob holds some input x, and they want to jointly evaluate the circuit on input x without revealing their respective secret information. Yao suggested the following solution to this problem. First Alice garbles the circuit (I will show a bit later how precisely this works) and sends over the garbled circuit C̃. Alice and Bob then run an oblivious transfer protocol so that Bob learns the garbled input and can evaluate the garbled circuit on the garbled input to learn C(x). While this scheme was presented already in the 80s, its security was analyzed only much later. The first security proof was due to Lindell and Pinkas in 2009. However, it was in a selective setting where the input is known ahead of time. Adaptive security then follows by randomly guessing the input. However, this involves a loss in security that is exponential in the input size. The later result of Jafargholi and Wichs proved adaptive security with a loss that is exponential only in the depth of the circuit. So for NC1 circuits, for example, they achieve security of Yao's scheme with only a polynomial loss in security. In this talk, we are interested in lower bounds on this loss in security. More precisely, we prove that any black-box proof of adaptive indistinguishability for Yao's garbling scheme, for circuits with n-bit input, 1-bit output, and depth d ≤ n, from an IND-CPA secure secret-key encryption scheme incurs a security loss that is exponential in the square root of d. Note that this lower bound only applies to Yao's specific construction, and we do not prove a separation of garbled circuits from one-way functions. In fact, Hemenway et al. gave a construction of adaptively secure garbling from one-way functions using somewhere equivocal encryption.
However, this scheme is less efficient than Yao's scheme, since its online complexity increases with the pebble complexity of the circuit. Our results hold even for indistinguishability, which is a weaker notion than simulatability, which is usually considered in the context of garbling schemes. And furthermore, we consider a variant of Yao's scheme that was introduced by Jafargholi and Wichs, where the output mapping is sent online. Clearly, it is easier to achieve security for this variant of Yao, so again, this makes our lower bound only stronger. The only previously known limitation of Yao's scheme was due to Applebaum et al., who proved that Yao's original scheme is not adaptively simulatable for circuits with large output. So our result differs in three aspects. First, we consider indistinguishability instead of simulatability. Second, we consider the variant of Yao that was introduced by Jafargholi and Wichs and for which they could prove an upper bound. And finally, we consider circuits of constant output. Before discussing the proof, let's recall Yao's garbling scheme. To garble the circuit, Alice assigns a key pair to each wire in the circuit. And for each gate in the circuit, she computes double encryptions under all possible input combinations and assigns this gate a garbling table g̃ that contains these four ciphertexts in randomly permuted order. The garbling of the circuit then consists of all these garbled gates, and the secret key that Alice holds consists of all the input key pairs. Clearly, this can be computed offline and independently of the input. For an input x, the garbled input then contains the respective input keys. And finally, there is also an output mapping that allows mapping output keys to output bits. So if Bob holds one key for each input wire, this allows him to decrypt exactly one of the four double encryptions and receive exactly one of the two output keys. And then he can use the output mapping to map this key to a bit.
For security, we consider the notion of indistinguishability, here in the selective setting. The adversary chooses a circuit C and two inputs x0, x1 and receives a garbling of C and a garbling of one of the two inputs. Note that this notion is clearly weaker than selective simulatability. But furthermore, it is also a very weak notion of indistinguishability because we do not consider circuit hiding but only input hiding. However, again, this makes our result only stronger because we consider lower bounds. In the adaptive setting, the adversary first receives the garbling of the circuit and then can adaptively choose inputs x0 and x1. To prove our theorem, we define two oracles F and A. F will be an ideal secret-key encryption scheme that in particular is information-theoretically IND-CCA secure, and A will be an inefficient adversary that breaks Yao's scheme by brute-force breaking the encryption scheme, but still it will not be too helpful in breaking the encryption scheme. More precisely, to define A, we need to define a carefully crafted circuit C that maps all input strings to the constant bit 0, and the adversary then chooses x0, x1 uniformly at random and decides whether to output the bit 0 or 1 depending on some "good" predicate. Clearly, it is crucial to define the circuit C and the good predicate such that the adversary indeed succeeds and breaks the garbling scheme. And we will define this good predicate through some pebble game on graphs. More precisely, given the garbled circuit and the garbled input, the adversary extracts some pebble configuration on the circuit. The adversary does this by brute-force breaking all the encryptions contained in a garbling table and checking whether they are correct with respect to the input keys it learns during evaluation of C̃ on input x̃_b and with respect to the bits that are carried over these wires when C is evaluated on x0.
We then consider a pebbling game where in each step one can place or remove a pebble on a node if at least one of its parents carries a pebble. To get an intuition for this pebbling game, consider for example the following pyramid graph and assume we want to pebble the sink of this graph. Then we can start by placing a pebble on any source node, then can place a pebble on a child of the source node, then can remove the pebble on the source node. Note that we can always place pebbles on any source node because the source doesn't have any parents. We can then continue until we have placed a pebble on the sink of this graph, and we can then remove all the remaining pebbles, also following the same pebbling rules, but again we have to place a pebble on the source node to remove the second-to-last pebble, and can then also remove the last pebble. The pebbling game that we consider for our lower bounds is in fact significantly more involved, but this is outside the scope of this preliminary talk. Such pebble games have turned out to be very useful for proving adaptive security of various cryptographic primitives that involve some graph structure. Having this pebble game in mind, we then define a pebble configuration to be good if it is reachable with fewer than d pebbles, where d is some threshold that is linear in the depth of the circuit. We then prove that for an appropriately chosen circuit C with high pebble complexity, the adversary will extract a good pebbling configuration when it receives a garbling of x0 and a bad configuration when it receives a garbling of x1. Note that clearly, by construction, the adversary will extract an empty pebbling configuration whenever it receives an honest garbling of the circuit and x0. To capture the idea that our adversary is not too useful for any reduction, we define a punctured adversary A_{c*} that has the IND-CPA challenge ciphertext c* hard-coded and never decrypts this ciphertext, but instead assumes that it encrypts the all-zero string.
Clearly it is not useful for any reduction. However, a reduction can only distinguish A_{c*} from A if the pebbling configuration P that A extracts is good, whereas in the same execution of the game, using the same randomness, the configuration P* that A_{c*} extracts is bad. We then prove that P and P* differ in at most one valid pebbling move according to our pebbling game, and this then implies that the reduction can only distinguish A_{c*} from A if P contains d-1 pebbles and is good. We then prove that it is very unlikely for the reduction to reach such a threshold configuration. More precisely, we prove that for any garbled circuit C̃, the probability over uniformly random input x0 that there exists a garbled input x̃_b such that P is good and P* is bad is very small. To prove this lemma we use the following two properties: first, the property that we just established, that P must contain many pebbles, and second, we will argue that the reduction needs to correctly guess the output of all pebbled gates during evaluation of C on x0. To guarantee these properties, it is now crucial how to define the circuit C. First, C must have high pebbling complexity, in particular at least d, our threshold. Furthermore, we define C to contain a block of XOR gates which maintains high entropy, and pebbles on this block correspond to guessing the input x0. Furthermore, our circuit contains subsequent AND gates that serve as some control mechanism. Pebbles on these gates mean that some guess on the previous XOR block was incorrect. In a bit more detail, our circuit looks as follows: it contains a so-called tower graph where all gates are implemented as XOR gates. By some linear algebra results we can show that for randomly chosen x0 and x1 the outputs of C_XOR will differ, and we then use the fact that AND gates are asymmetric with respect to their input, so we can use them as control gates.
So if we consider such a differing output for x1 compared to the output of C_XOR on input x0, and this is an input to an AND gate, then this AND gate will be considered pebbled by the adversary. We then prove a pebbling lower bound for the C_XOR graph structure, namely that placing a pebble on layer d requires at least d pebbles on the XOR circuit. But since for C̃, x̃_1 the adversary extracts a pebble on an AND gate on layer d+1, and such an AND gate can only be pebbled if a parent in the XOR circuit was pebbled, this implies that the adversary extracts a bad pebbling configuration, and implies that the adversary indeed breaks the garbling scheme. To complete the picture of our circuit: it contains AND gates for each input and each XOR gate, and whenever a gate evaluates wrongly or some input key is wrong, then the corresponding AND gate is pebbled and the adversary automatically extracts a bad configuration, independently of the challenge. This implies that the reduction needs to place d-1 pebbles on the XOR circuit, and for each of these pebbles it needs to guess the output during evaluation of C on input x0. However, for any subset of d gates in this XOR circuit there exists a subset of square root of d gates such that their output bits are independent, and actually this bound is optimal: for example, if you would place all these pebbles in a square, then indeed you could only find a square root of the number of pebbles that have independent output bits. This implies that the reduction succeeds with probability at most 1 over 2 to the square root of d. Finally, to complete the picture of the circuit, we add a binary tree of AND gates that guarantees constant output 0. I hope I could give you some intuition for the proof. To conclude, we considered black-box reductions that prove security of Yao's scheme based on the security of the underlying encryption scheme.
And starting from the upper bound by Jafargholi and Wichs that is exponential in the depth of the circuit, we prove a lower bound that is exponential in the square root of the depth of the circuit. In this talk we left out many details and many technicalities, and we refer to the full version of our paper, which is on ePrint. Finally I want to mention some open problems. First of all, it would be interesting to close the gap between our lower bound and the upper bound by Jafargholi and Wichs. We believe that our lower bound could be improved, potentially even to a bound exponential in the depth, but this would require a more sophisticated pebbling lower bound; at the moment we do not know how to do that. Another interesting problem would be whether one can achieve a stronger lower bound for Yao's original construction, where the output mapping is sent in the offline phase. Recall that Applebaum et al. already proved a lower bound for simulatability for Yao's original construction for circuits with large output. On the other hand, in the concurrent work that we published on ePrint, we gave an upper bound for indistinguishability for Yao's original scheme that depends on the treewidth. However, an interesting result in this direction could be to construct circuits of small depth and small output that incur a loss exponential in the input size, potentially even for indistinguishability. Another interesting problem would be whether one can turn our lower bound into a concrete counterexample. Such a counterexample could be a very contrived encryption scheme, even based on obfuscation. Finally, let us mention that we hope that similar ideas could be used for other constructions of garbling or even to analyze completely different cryptographic primitives. Thanks for listening to this talk. I hope to see many of you in the live session at Crypto 2021.