 Thank you. So I'm gonna tell you about that actively secure global circuits from one way function So what is the problem? I want a server to compute a circuit on an input without learning anything else about the circuit for the input I'm assuming that the Topology of the graph circuit is known. So that's not something I need to hide So we have two parties. We can think of the second party as a server and the first party has all of the information the circuit and the Input so it will garble the circuit send it over at some point gets the input or decides on an input Also garbles it and send it to the second party and somehow the second party is able to evaluate the circuit and get that Of course, I want correctness security and efficiency and I might even want some other properties from the garbling a scheme But we just talk about this So what do I want? What do I mean when I say efficient? I Think about the computation in two phases the offline phase where we are garbling the circuit and You can't think that you're not in a rush at this point And then there is the online phase where you have the input and you want to be able to garble the input quickly In particular, you don't want to spend as much time as it takes to do the computational yourself So when we say an efficient online complexity, we are talking about Something that is much smaller than the size of the circuit So When it comes to security security, we have two definitions the selective version where we have our adversary and the challenger and the adversaries and picks an input and It gets back to the garbled circuit and the garbled input I say that the system is secure if there is a simulator that gets only the output of the computation and Can simulate the garbled circuit and garbled input and we want these two distributions to be indistinguishable for any circuit When it comes to adaptive security, we just change the game a little bit So we still want the same thing except that now the adversary gets to choose the input after seeing the garbled circuit and similarly the simulation needs to Output the simulated garbled circuit before seeing anything and then gets the output of the computation so What do we know about the online complexity of an adaptively secure garbling a scheme? We know that it has to at least be the size of the input plus the size of the output and So the two other hammer is a You can consider is the width of the circuit which is proportional to this base complexity of the computation and the depth of The circuit so we don't assume anything about the circuit. It can be a very Long circuit, but it's very with very small width or it can be a very a wide circuit But there's very small depth the only thing that we know is that the width has to be at least the size of the input or the so What are the constructions that we have already? that the work of the Laura tells us that well, we can actually have Adaptively secure garbled circuits from one-way function the online complexity is the side of the circuit But we have other it has other nice properties in addition to the efficiency in addition to the security That makes it very desirable for some parallel computation and other things the there is a work of Bonnet that Exumes exponential of w e and gets online complexity proportional to the input and the output and the depth of the circuit There are two constructions that actually get the optimal That get the optimal online complexity, but assume very strong assumptions like I are you and universal computational extracts What do we get in this work? We create a construction that is only based on one-way functions and give us online complexity Proportional to the depth or to the width of the circuit So this is just one result, but that it has two instantiations of it So you can just whichever that suits your circuit best I Just want to point out for the rest of the talk our circuits are going to be doubled over on the side so the input is on the left output on the side and The depth is actually the horizontal line So next we're going to see the yaw's gargling a scheme and see the proof of security for it And then we will have enough intuition to see why it's difficult to have adaptively secure garbling schemes So starting with just one gate you can we have two inputs wires one output wire we give each of them We give each of them two random keys associated by your value zero and one and to garble it we look at the Thread table of the gate and for each line I would we create one ciphertext, which is an encryption of the output wire using the input wire keys I'll use this notation of The encryption with two keys just to show this double encryption of the output key So if you want to so we do the same thing for all of them, and we just randomize the ciphertext So to come to evaluate this gate you just need to have sorry You need to have one of the keys So you need to know about one of the keys of each of the wires, and then you can get you can decipher exactly one of these Cypher text and get back the output key and For security we have to make sure that is you only get one of those keys out not anything else So for garbling the entire circuit you just repeat the same thing for all of the gates And you have the couple circuit you also have to map the output wires into value zero and one and This would be our what we do during the offline phase and therefore garbling up the input You just give back the keys that are Associated with the input X. What does the simulator do they try to do the same thing as much as possible She chooses the keys, but doesn't know what the gate is doing So it will just encrypt all Zeroes that just one key is going to be in the simulated gate and repeat the same thing for all of them and Since it knows the output it can just map the output wires that are associated with zero to the values of Y and This would be the garbled circuit for the simulation and Then to garble the input will just keep all zeros So now we have to just show that these two distributions are indistinguishable We start with hybrid arguments meaning that I'm going to define some distributions that are a hybrid of both at the simulation and the real garbling and Changing the gates one by one from the real to the simulated and Keep doing that until all of the circuit is red So this would be fine if these two were actually distinct indistinguishable, but they in fact are totally distinguishable Because one of them is always outputting Zero and the other one out with something that is dependent on what the input was So they don't even compute the same thing sometimes, but I want to be distinguishable So we look at our simulated gate and we see that the problem is that we are always encrypting C zero But we'll get the answer right there because we know the input X. We are getting it right here. So I Can just define a new version of the simulated gate that depends on the input Actually named input dependent simulated gate and I just put the right Key here that depends on the input X that I know the right output here And now if I replace this one, I can actually say that these two are computationally indistinguishable So it's great. We're gonna just replace this Replace the red ones with the instead use the black ones and keep doing that over and over I just want to make sure Note that there's a it's important that we are going about changing the colors row by row Because for example, if I want to turn this one black I'm going to be in trouble because there is a wire that comes from a real gate And then I can't really say anything about extinguishability of these two Distributions so it's important that the first the input The gates that the input wires are coming from are already simulated before I turned the output one into a black So this would be fine. So we keep doing this until the whole thing is black And then we just noticed that these two are the same distribution So We start we had three rules when we were changing the distributions and we started with the input gains and we were able to turn those into black gates and So if it gets all of its inputs was coming from black gates Then we could turn it into a black and finally when the entire circuit was black We were able to say that this is the same as being all red We actually can change that last rule and refine it a bit because we can turn these Turn black gates into red gates way before I Can turn this gate into a red gate because its output is only going to a simulated gate So when you look at the garbling of the scheme They both have only one key and that key also is going into another simulated gate So these two are exactly the same distribution everything else is symmetric So it's just a matter of whether you interpret this as a zero or not Doesn't change anything else. So I can actually use this New rule that says that the black gate with all of its inputs going into simulated gate can be turned red It doesn't make any difference as far as for selective security goes we already have a selected Security proof, but it will be useful for that type of case So why is it difficult to show that I always adaptively secure to start with we don't The online complexity of the yeah, the scheme is too small. It's only the size of the input The size of the input, but this is very easy to solve We just send the output table in the online phase and this not only gives us the right online complexity It also solves the problem of simulation because the garbling of the circuit didn't You really use the output. It was only the output table that was using the output So now we have not only we have a correct and efficient scheme We also have a simulator We had just had to have it in distinguishability proof and you can imagine this is where things Go wrong because our first hybrid had an input dependent simulated gates So this wire depended on the input that I'm only getting after I've already given out the garbled Circuit so this really isn't even well-defined And this would be the main problem that we have So this approach doesn't work and doesn't mean kid that Yeah, it's not that we secure, but it does mean that that approach is not gonna help us So what do we do we start with adaptive we will start with select this modified version of yo again And we try to solve this problem of not being able to have black gates So we have to come up with a way to go around this problem not being able to have hybrids that have black gates to do this We define a new encryption steam and we construct that That what they just in new magical encryption is seem does it just that it lets me Exactly defined such hybrids where there are gates that I can decide about them in the online phase and Another great thing about it is that the its key only grows with the number of black gates So if it's cable bit weight It's if the key is too big then it wouldn't be really useful Why because what I'm going to do is to to encrypt the entire Yo's garbled circuit with this encryption and keep give the key of the encryption in the online phase So I care that this key is not too big so what the evaluator would do is just to decrypt it and do the evaluation has did before so that would be the first thing that we need to do and The second thing is to keep make sure that the number of black gates are small Because the key grids growing with the number of black gates and then the key is part of the online complexity And I want to keep that small so to do that we Try to find a way to turn the black gates into the simulated gates as soon as possible Because the simulated gates don't depend on the input and I can't do that I can create them in the offline phase and we do this Using some smarter ways of doing hybrid So what is this magical encryption? It's got some very equivocal encryption and I'm just going to show you what it does Imagine you have a message that Is a vector of messages and you're going to have two procedures the honest procedure and the simulated procedure the honest procedure Does what you expect an honest procedure do it creases There's a key generation that gives you a key and then there's an encryption that this could he gets the key and the message And produces a cypher text of then there's a decryption key the decryption function So what does the simulation procedure do it just gets part of the message and there are like some holes in this vector But it still produces a cypher text that this looks in very similar to the Cypher except the honest procedure and then there's another procedure that gets the rest of the messages and Creates a key that will decrypt this cypher text into their correct messages that we want so to see this Torioli the honest procedure will have the message and the key and then Comes up with a way to cover the message completely But what does but what the simulated procedure will do is only gets some of the messages and no key and will still creates a cypher text and Then when it gets the rest of the messages it comes up with a key that the key Will make sure that when you decrypt this cypher taste you will get all the messages the great thing about this was this encryption scheme is that the security definition Guarantees that these two will actually look indistinguishable from each other and We get this we construct this based on distributed point functions that themselves are based on one-way functions And the last great thing about this scheme is that the key grows only with a number of holes So now that we have this encryption scheme as we saw before we're just going to encrypt the Garbling of yellows garbled circuits and give the key in the online phase. What does the simulator do? Does the exact same thing just using the car simulated garbled circuit? So both of them are using the honest procedure and neither of them are doing anything with this with the Simulated procedure. So this is just the honest procedure for both of them Where we use this simulated procedure for the encryption is going to be doing that The indistinguishability proof So let's see our first hybrid So now my first hybrid I'm going to first put a hole instead of the first where the first gate was and then in the online phase When I know the input X I will come up with a key that will put them input dependent gate Simulated gate in there so Voila, this is where the magic happens and now we did it. We wanted to come up with a way to Define hybrids with black case and we succeeded so this was one of the main points that we were going to achieve And we did I just want to point out. There is actually an intermediate step here That where we have a hole, but we are still we put the key that will put the right Like the real gate here not the input dependent simulated key and here I can argue that based on the equivocal Encryption scheme security these two are indistinguishable and based on CPA security these two are indistinguishable But this is just an intermediate hybrid and we'll go through it every time I want to take one of those steps and I won't mention it anymore So that's it now if you are able to do this we can go back to our rules that we had before for selective security and Just take the same exact steps We only have one additional rules that says that every black gate needs to have a hole So our rules of the extinguishable This is says that every black gate has to have a hole So the number of black gates determine determines the number of the hole then we start with the input gates We can turn those into black gates Same the same rules that we had before So using these rules now we can Have a hybrid distribution for adaptive case We first we start with the input gates by rule one. I will I will be able to turn those black By rule two, I can't turn the next Row black because their previous one already are black by rule three. I can turn this first row into Red gates. These are now simulated gate and are not dependent on the input and I can just keep doing that until the entire circuit is red I Just want to point out that we never used more than two rows of black gates so Mike this Therefore the key of the somewhere equivocal encryption only has to be proportional to the width of the circuit Then we generalize this Method by noticing that our rules are very similar to pebbling rules So we define a new pebbling game where these are the rules and if at any time that I Go from blue to black you can think of it as placing a black pebble on a note And then every time I go from black to red you can think of it as removing that black gate Then that pebble like pull so now I can just translate this into a bubbling game on a surf on a graph for So that says that the pebble can be placed on an input note Pebble can be placed if its predecessors already have pebble and it can be removed if its successors have pebbles This is a little bit too simplified because our rules are actually going both ways Here so I can actually remove a pebble and go back to blue and also here But since our destination is red there is no real intuition why we would want to go back from red So but this might be still useful So that now that we have this rule You have this game pebbling game We start with a graph that is all blue and you want to end up with a graph that is all red And you have to follow these rules to get from here to here and the great thing is that We have a way now to just Try to come up with a pebbling strategy instead of trying to find sequences of hybrids So our theorem says that if there is a way to pebble the circuit with s steps and p pebbles then And if the encryption scheme for the gates is epsilon cpa secure and the big encryption of the whole entire circuit is somewhere equivocal encryption that epsilon secure with Equivocation parameter p. This is the number of holes that we can tolerate Then we can see that our new garbolinga scheme is S-time epsilon adaptively secure with online complexity that is the size of the input and output Plus the number of pebbles that we have So we already saw one pebbling strategy which was going row by row You can think of this is step as removing those black pebbles and then put using them to put pebbles on the next level And then again removing pebbles putting more pebbles today So this is actually a pebbling strategy with number of pebbles in order of the width of the circuit and the number of the step It's just the size of the circuit. So using this we have our main we can plug this into the previous theorem and So there's a strategy with these parameters and this gives us that our scheme is Secure with online complexity proportional to the width. There is another strategy that has That has number of pebbles Proportional to the depth of the circuit and the number of steps being Exponential in the depth so our scheme is secure with online complexity order of depth But the security will be great Exponentially in depth so you might want to just use it for very low depth circuits There can be other pebbling strategies that are more efficient for a specific class of Circus, so if you have a class of circus that has a very good pebbling strategy Then you can use our scheme and you get to get much better security parameters for it That's it. Thank you