 Hi, my name is David Heath. In this video, I'll be presenting log stack and improvement to the recent stacked garbling technique. Stack garbling improves on the classic garbled circuit technique by reducing the communication cost of conditional branching. Unfortunately, the reduced communication comes at the cost of increased computation. In log stack, we further improve stacked garbling by reducing computation without sacrificing the improved communication. Let's get started. While that in garbled circuits, we consider two parties, a GC generator and a GC evaluator. The two parties have some function in mind, f, which they would select to securely compute. For garbled circuits, we need the parties to represent the function f as a Boolean circuit. The generator g starts by encrypting the Boolean circuit gate by gate. To do so, he first chooses a pseudo random seed, which will be the source of his randomness. This choice of seed will become important later when we talk about stacked garbling. He then expands this seed to choose pseudo random keys, two per wire. The two different keys represent the possible semantic values that can appear on the wire. For example, in this diagram, a red key represents a logical zero and a green key represents a logical one. Based on these keys, he constructs encrypted versions of the truth tables of each of the Boolean gates. So for example, in this particular gate, if the evaluator E obtains two input red keys, then she should obtain an output red key. And in all other cases, she should obtain an output green key. So this would encode a logical OR gate. The generator continues to step through the circuit, gate by gate, constructing encryptions of each of the logical gate gates until he has completed encrypting the entire circuit. We refer to these encryptions of the gates as the garbled circuit material. For the purposes of this talk, I'd like for you to think of this material as nothing more than a pseudo random string. And indeed, formally, most garbling schemes satisfy the property that their material happens to be indistinguishable from uniform strings. This property will be crucial when discussing stacked garbling. To continue GC evaluation, the generator G must convey the material to the evaluator E such that she can use the material to securely evaluate the circuit. This process is simple since the generator G just sends the material across the wire. However, here I'd like to emphasize an important point. The simple transmission of material from G to E is the most expensive part of garbled circuit protocols. This is the communication bottleneck that stacked garbling helps to relieve. To finish evaluation, we convey input keys to the evaluator E. From here, the evaluator can step through the circuit gate by gate, decrypting individual rows of each gate and propagating input keys to output keys. To reiterate, the bottleneck in this entire process is the amount of material that is sent from G to E. As I've already stated, stacked garbling is a technique that helps to relieve this bottleneck. Suppose that the target function F is expressed using conditional branching. For example, on the right, I have a piece of perhaps C code that uses a switch statement. The crucial property is that there must be some branches of the code whose behavior is completely conditional. That is, only one of the branches is actually going to be taken. The key idea of stacked garbling is that since only one branch is actually evaluated, we actually don't care whether or not any of the inactive branches are evaluated correctly. We only care that the single active branch is evaluated correctly. Before stacked garbling, it was necessary to express a conditional by expressing each of the branches separately. If we think back to our garbled circuit protocol, this meant that the GC generator would encrypt each of the branches separately, constructing material for each of the branches, and then send all of this material to the evaluator. Thus we needed material proportional to all of the branches. Stacked garbling showed that this amount of material is unnecessary. We can sacrifice the correct behavior of the inactive branches, which in some sense is not a sacrifice at all. What this means is that we only need enough material for the single longest branch, as I'll shortly explain. Unfortunately, stacked garbling has a downside. Specifically, the amount of computation consumed by the parties is increased. We're going to look at the cause of this increased computation in just a moment. Indeed, this is the entire focus of today's talk. Before we dive into any constructions, I'd like to have a look at the formal contribution of this work at a high level. Suppose that the function F has B branches, and further suppose that each branch has the same size. This restriction that the branches have the same size is not a limitation of our approach, but rather is used to simplify the analysis. In standard garbled circuits, the parties will separately handle each of the B branches. Thus each party incurs communication and computation that is linear in the number of branches. Stacked garbling improves on the communication cost. In particular, the communication cost is independent of the number of branches. However, notice that the computation is made far worse. Together, the parties have to consume a quadratic amount of computation in the number of branches. This work, LogStack, improves on this computation cost. We retain the communication advantage of stacked garbling. Our communication is also independent of the number of branches. However, our computation is greatly improved. We consume only order B log B computation. Next, I'd like to dive in and have a look at all three of these different approaches to conditional branching. My emphasis will be how stacked garbling improves over standard, and how this improved stacked garbling method leads to greatly increased computation. Then we'll look at how LogStack helps to relieve some of this computation overhead. Suppose, for sake of example, that the function F has eight exclusive conditional branches. Further suppose that each of these branches is expressed as a Boolean circuit, in this case, C0 through C7. I'd like to begin by covering how standard garbled circuits, that is, without stacked garbling, would handle evaluation of these circuits. First of all, we need to properly handle the semantics of conditional branching. What I mean by this is that although we will evaluate each of the eight branches, only one of the branches will be active. We'll use a special multiplexer circuit to select the output from the active branch and to discard the output from all inactive branches. Note that in standard garbled circuits, these multiplexers are nothing special. They are simply built from more Boolean gates. The multiplexer will take in indision bits, which indicate which of the eighth branches are supposed to be evaluated. Just like before, the generator G will start from a pseudo-random seed, then expand the seed into material. We'll denote the material corresponding to each of the subcircuits separately. Though in standard garbled circuits, the generator G simply takes all this material, concatenates it together, and sends it across the wire to E. Of course, this is very expensive. Upon receiving this material, the evaluator E will evaluate like normal. On the active branch, this will generate some values, which will be then propagated by the multiplexer. The evaluator also evaluates each of the inactive branches, since she doesn't know which branch is active. Stacked garbling works differently. The key contribution of stacked garbling is that it reduces the amount of communication needed. In particular, we won't send the material corresponding to each of the eight branches separately. The generator G doesn't start by drawing one pseudo-random seed for the entire circuit. Rather, he draws eight, one per branch. He then separately generates the material for each of the branches. Notice that now each of the seeds is a compact representation of the material of its corresponding branch. In particular, if the evaluator were to receive, say, the seed S3, then she would be able to recover the material M3 without needing to receive M3 directly from the generator. This is the key observation of stacked garbling. The generator stacks together all of the material and sends it across the wire to E. From here, we ensure that the evaluator E will obtain inactive branch seeds via encrypted truth tables. I won't go into the details on this, but suffice it to say that it's relatively simple to convey to E each of the seeds for each of the inactive branches. Crucially, we will never send to the evaluator the seed corresponding to the active branch. In general, we need to handle the case where neither player knows which branch is evaluated. Let's suspend that for just a moment and suppose that E did in fact know which branch is evaluated. We will restore obliviousness in just a moment. If she did know that C5 was the active branch, it would be relatively easy for her to correctly evaluate now. The idea is that she will take each of the seeds and copy the actions of the generator to recover the material for each of the inactive branches. The point is that since the generator only sent the X-word material rather than the concatenation, the amount of information transmitted to the evaluator is much smaller. We also need to convey the seeds to E, but these are short cryptographic seeds, not entire garblings of circuits, so we've greatly diminished the total communication cost. Now that she has all of these materials, notice that the evaluator E can reconstruct the material for the active branch. Notice that she can do this without the generator needing to explicitly send the material M5. Since she has the correct material, she can now propagate input keys to output keys, correctly evaluating the active branch. Much like the standard handling of conditional branching, we also need a multiplexer component to do stacked garbling. However, this multiplexer component is a special garbled gadget that needs to more carefully dispose of the outputs from the inactive branches. Discuss this more in a moment. There remains a key problem. We assumed that the evaluator E knows which branch is active, but in general, of course, she does not. Moreover, she should not learn which branch is active. This would be insecure. Stacked garbling solution to this problem is actually quite straightforward. E will simply try to evaluate each of the branches. In more detail, if in addition to receiving seeds for each inactive branch, the evaluator will also receive a seed for the active branch. However, this seed, S5 prime, will not be the seed that G used to construct material for C5. This will be some garbage seed, indistinguishable, yet distinct from the seed used by the generator. What this means is that when the evaluator generates material for C5, she will not obtain the correct material, M5, but rather some distinct material, M5 prime. Having constructed these materials, the evaluator now goes through the conditional branch by branch and tries to evaluate each branch one at a time. Notice that when the evaluator tries to unstack the material by XORing with her combined material received from the generator, she doesn't receive good material for any inactive branch. Rather, she receives some distinct string. So for example, on C0, she receives the string M0 plus M5 plus M5 prime. Here is where it is crucial that garbled circuit material look uniformly random. Since the material looks uniformly random, there is no way for the evaluator to distinguish whether she is correctly unstacking material for C0 or if she is constructing a string of some different form. We refer to these differently formed strings as garbage material. The garbage material does not correspond to the garbling of a particular circuit, but instead is essentially a useless string. Continuing, the evaluator tries to reconstruct the material for each branch. Notice that she only succeeds on the single active branch and everywhere else she receives garbage material. Having reconstructed all these materials, the evaluator interprets each of them as the correct material for that branch and tries to evaluate. There's a crucial detail here. On the active branch, the evaluator will correctly evaluate each of the internal Boolean gates. However, on every other branch, the Boolean gates will act in a seemingly uniformly random way. They won't correspond to any logical semantics internal to the branches at all, because the evaluator is essentially just using a random string as the material, not a well-formed encryption of a logical truth table. This means that instead of getting well-formed red and green keys on the output of, say, circuit C0, she just receives uniformly random keys. In terms of security, this is no problem, since the evaluator is unable to distinguish good keys from bad keys. Recall that stacked garbling needs a special multiplexer gadget to dispose the output from inactive branches. Although I won't cover this in detail, it turns out that to construct this multiplexer, the generator must know the form of each inactive branch label. As I stated earlier, these inactive branch labels are not well-formed red or green keys, but are instead random garbage output strings. The specific values of the garbage outputs depends on the garbage material. Thus, to calculate the garbage outputs, the generator is forced to put himself in the shoes of the evaluator when guessing which branch is active. That is, he explicitly evaluates each branch using corresponding garbage material. Notice that, as shown on this slide, the form of the garbage material depends on the identity of the active branch. For example, the garbage material for branch C0 depends on the material M5. Suppose some different branch, say, C2, were active, then the specific garbage material for each inactive branch would be different. This means that the garbage outputs from each branch will also be different. In full generality, each of the B branches has B minus 1 possible garbage outputs corresponding to each possible different active branch. To garble the multiplexer, the generator G must compute each possible garbage output label. This requires that the generator G evaluate each of the B branches B minus 1 times, leading to quadratic computation overhead. Having done so, the generator can finally garble the multiplexer. To recap, to design this multiplexer, the generator G must know all possible garbage output labels, which requires G to consider all possible pairs of the active branch in combination with a guess made by E about which branch might be active. There's a total of B squared such combinations. This is the source of Stack Garbling's B squared computation overhead. This significant computation overhead is problematic for the generator G, especially if the number of branches is large. We're finally ready to look at the log stack construction. Recall that log stack reduces stacked garbling computation overhead from O of B squared to O of B log B. To do so, log stack reduces the number of possible garbage output labels from B squared to B log B. Mechanically, this computation reduction involves organizing the branches into a binary tree. Specifically, the generator G will no longer sample eight independent pseudo-random seeds. Instead, G samples a single root seed, then derives a full binary tree, where each node is generated by its parent in the natural manner. From here and as before, G uses the leaf seeds to derive material for each branch. As before, we convey seeds to the evaluator. However, the strategy by which we reveal seeds to E is far more complicated. Although I won't describe its implementation, log stack uses a simple garbled gadget that we call the sorting hat to reveal certain seeds. The sorting hat distributes to E a labeling of the binary tree. Specifically, each node is labeled by a pseudo-random seed. Suppose that, as before, branch C5 is the active branch. The sorting hat will distribute to E seeds such that only the seeds just off the path from C5 match the seeds chosen by G. Every other seed will be independently and uniformly sampled. As before, the evaluator does not know which branch is active, and so simply tries to evaluate each branch one by one. Let's start by examining the evaluation of C0. E's strategy is to look at each seed in her tree just off the path through her guess. She then recursively derives trees of seeds starting from these parents until she's derived one seed for each leaf, other than her guess. She then uses these seeds to construct GC material. In this case, she constructs garbage material for each guest in active branch. She then attempts to use all of these materials to unstack material for her guest active branch. In this case, E generates garbage material, and hence when she evaluates, she obtains garbage output labels. Let's demonstrate that the strategy yields the correct result for the active branch. Consider what happens when E tries to evaluate the active branch. She again considers the seeds just off the path to her guess. Notice that this means that E chooses seeds that G used when constructing the full binary tree. Thus, when she recursively derives seeds for each branch, she obtains good seeds for each branch just other than her guess. Therefore, she correctly generates material for each guest in active branch. When she unstacks, she gets correct material for the active branch, allowing her to correctly evaluate. I claim that this binary tree organization of the branches has reduced the number of possible garbage output labels from B squared to B log B. Let's see why. Let's consider eight worlds, each of which has a different active branch. We will consider what happens when E evaluates circuit C0 in each of these worlds. We'll see that there are only a logarithmic number of possible garbage outputs from circuit C0. First, consider the world where circuit C0 is indeed active. We've already seen this one of counting for correctness. As already shown, in this case, E correctly reconstructs material for each guest in active branch, correctly reconstructs the material for the guest active branch, and evaluates correctly. If instead, circuit C1 is the active branch, then E will construct garbage material for circuit C1. When she goes to unstack, E will therefore unstack garbage material for her guest C0. This leads to a garbage evaluation of C0 in the first set of garbage output labels from C0. If instead, circuit C2 is the active branch, then E will construct garbage materials for both branches C2 and C3 due to this fixed seed as their parent. This leads to a second garbage material for C0, and hence a second possible set of garbage output labels from circuit C0. Now consider the world where circuit C3 is active. Here's the crucial point. Notice that E's evaluation of circuit C0 is entirely the same in the world where C2 is active and in the world where C3 is active. More precisely, E reconstructs the exact same garbage material for circuit C0 and arrives at the exact same garbage output labels. Thus, in both of these worlds, there is only one possible garbage output evaluation. Further, notice that in the four worlds where circuit C4 through C7 are the active branches, there's only a single possible garbage evaluation. Namely, in all four of these worlds, the evaluator E will reconstruct the same garbage material for each guest in active branch. This means that she will unstack the same garbage material for the guest active branch and arrive at the same garbage output labels. Thus, across all eight possible worlds, circuit C0 has only three possible garbage output values. More generally, for a circuit with B branches, each branch has only log B possible garbage output values. By extension, each branch will have only log B possible garbage output values, and therefore, together, there are only B log B total garbage output values. This means that the generator G can construct the multiplexer using only B log B work, whereas before, he needed to use quadratic work. We've now seen the key ideas of the log stack construction. Like stacked garbling, we compress GC material by XORing together the material from each branch and thus decrease the total communication cost for conditional branching. However, log stack reduces computation cost by consolidating the branches into a binary tree. As I showed, this binary tree arrangement reduces the number of possible garbage output labels from each branch, from order B to only order of log B. The GC generator must still compute all such garbage labels to construct the multiplexer. But of course, G can compute each of these O of B log B garbage labels in order B log B time. Thus, log stack greatly reduces computation overhead. We implemented log stack in comparative performance both to standard garbled circuits, that is, without stacked garbling, and to stacked garbling. On this slide, I plot wall clock time as a function of the branching factor. Here, for the purposes of benchmarking, each branch is simply the SHA-256 function. Log stack outperforms prior work both concretely and asymptotically. Although I didn't yet discuss it, log stack also asymptotically outperform stacked garbling in terms of space consumption. Specifically, stacked garbling consumes space linear in the number of branches. Log stack improves this space consumption to only order log B. So this was log stack. Again, log stack is an improvement to garbled circuits. Log stack improves the computation costs of stacked garbling while retaining stacked garblings' important communication advantage.