 Now, hi everyone, welcome to the first talk of third day and I'm going to talk about adaptive gavel circuits with near optimal online complexity. And this is joint work with Sanjan Pill. Okay, so let me first give a brief overview of gavel circuits. Gavel circuits consist of three algorithms. The first algorithm is the circuit gargling algorithm that takes a Boolean circuit C and outputs a gavel circuit C tilde along with the secret key. The second algorithm is the input gargling algorithm that takes input x and the secret key and outputs the garbled input x tilde. The third algorithm is the evaluation algorithm that takes the gavel circuit C tilde and the garbled input x tilde and outputs C of x. The security of gavel circuits is usually defined in two ways. The most standard notion of selective security or the stronger notion of adaptive security. So let me start with the selective security here. So it's modeled as a game between an adversary and a challenger and the adversary first commits to the circuit C and this input x to the challenger and it gets C tilde and x tilde, the gavel circuit C tilde and the garbled input x tilde and tilde. In this game the gavel circuit C tilde and x tilde are generated as follows. The challenger tosses a random point B. If the output of this coin toss is zero, it generates C tilde and x tilde using the honest algorithms. Otherwise it generates C tilde and x tilde as the output of a simulator who's just given C of x as input. And the goal of the adversary is to guess this bit. In the stronger adaptive security notion, the adversary first commits to the Boolean circuit C and obtains the gavel circuit C tilde and tilde. Later, depending on the C tilde, it might adaptively choose an input x on which it wants to evaluate the circuit and it gets x tilde and tilde. So in this game, C tilde and x tilde are generated by the challenger by again tossing a random point B. If the output of this coin toss is zero, it generates both C tilde and x tilde honestly. Otherwise it generates C tilde as the output of a simulator who's just given the size of C as input. So it has to generate the garbled circuit C tilde without knowing anything apart from just the size of the circuit C. And later it generates x tilde as the output of a simulator who's given C of x as input. And the goal of the adversary is to guess this bit B. And in this stock we'll be focusing on the adaptive security notion. And we'll call the phase where C tilde is generated as the offline phase and the phase where x tilde is generated as the online phase. We typically want the online phase to be extremely efficient meaning that it should only grow with the size of the input x. So let me try to first motivate why is adaptive security important. So even though for the most important application of garbled circuits, meaning two-pathic computation, the standard notion of selective security is sufficient, there are certain applications for which you need the stronger notion of adaptive security. For example, the online off-line two-pathic computation setting, the one-time programs, the verifiable computation, and even adaptive compactivity for all these applications, you need the stronger notion of adaptive security. And crucially for all of these applications, the efficiency is directly dependent on the online complexity of the adaptive garbled scheme. So it's important to have an adaptively secured garbled scheme with good online complexity. So let me recall what is already known about adaptively secured garbled scheme. We know several constructions from various cryptographic assumptions and these constructions can be classified into the following three categories. They are either in the random or active model or the security proof incurs an exponential loss or the online cost grows with either the width or the depth of the circuit and the security in the third case is just polynomial. Notice that the width or the depth of the circuit could be as large as the circuit itself and in this case it does not give any meaningful savings when compared to a trivial approach where you just send the garbled circuit and the input just in the online phase. And these are the positive results. On the negative side, AppleBum et al. showed that any standard model construction with adaptively secured garbled scheme must incur an online cost that is at least n plus m where n is the input length and n is the output length. So there is a significant gap with the known upper bounds which grow with the circuit width or depth and the known lower bound which is n plus m. So this brings us to the main question whether can we construct adaptively secured garbled schemes with better online complexity. In this work we show that assuming standard cryptographic assumptions such as CDH, factoring or LWV we can construct an adaptively secured garbled scheme with an online cost that is n plus m plus poly Atlanta. So it is just an additive poly Atlanta factor away from the optimum low amount of n percent and it incurs a polynomial loss in the security and the construction is in the standard model. So let me straight away go into the ideas behind the construction. So to garble a Boolean circuit, we view the Boolean circuit in a different form. So to explain this let me take an example of a very simple Boolean circuit which takes in 3 bits x1, x2, x3 has 3 gates and has a single output gate. So we view this Boolean circuit as a sequence of 3 step circuits along with the database. So this database is initially populated with the inputs x1, x2 and x3 and each of these step circuits implement a single gate of the original Boolean circuit. So the first step circuit SC1 reads x1 and x2 from the database computes the output of this gate G1 and writes it back to the database. Similarly the second step circuit reads x2 and x3 computes the output of this gate G2 and writes the output back to the database and similarly SC3 reads G1 and G2 and writes back G3. So to garble the Boolean circuit in this form we need to garble the database which contains all the intermediate values along with the input and we should also garble these step circuits. So let me first explain how to garble the database and let me then say how to garble these step circuits. So the garbling the database is very simple. We just use a one time plan. So to be more precise the initial contents of the database is not the input but input masked with some randomness. Each of these step circuits has the random mass corresponding to the input locations and the output mask hardware. So this first step circuit reads x1, x1 with R1, x2 with R2. It unmasks them using R1 and R2, computes G1, masks it using R4 and writes it back to the database. Similarly other step circuits do the same thing. So given this database it just contains masked values of the input and the intermediate wires so you don't get anything. And unlike a RAM program where the locations that have to be accessed by each of those step circuits are chosen dynamically dependent on the input in this case it's just fixed. So we can hardware the input and the output mask in every step circuit. So we have now seen how to garble the database. Let me explain how to garble these step circuits. So the first step in garbling these step circuits is to garble each of them using a selectively secure garbage scheme. Let's say, yeah, it was garbage scheme. Now this question that might arise is that how do these garbled step circuits access the database? We need a mechanism in which they can read the database and write to the database. So in order for the step circuits to access the database we use a primitive called as Laconic Oblivious Transfer. So let me first recall what is a Laconic Oblivious Transfer. And this was introduced in last crypto by Joe Edoch. A Laconic Oblivious Transfer consists of three algorithms. The first algorithm is a hash algorithm which takes a large database and hashes it to a small dynasty. So one can think about this hash as just a Merkle hash. So the second algorithm is the read algorithm. So the read function takes the hash value h, a location i of the database and two messages m0 and m1 and outputs a read ciphertext here. Given this read ciphertext and the database one can obtain the message corresponding to the bit that is there in this location i. So let's say t of i is 0 then one can obtain m0 otherwise you can obtain m1. The security is that the other message is hidden. An important efficiency property for this read algorithm is that the computational cost only grows polynagogically with the size of the database. So this might not be true for any oblivious transfer but it's true for a Laconic Oblivious Transfer. So the final algorithm is the write algorithm which takes a hash value h, a location i of the database and the bit b to be written to this location i and it outputs the updated hash value h prime. So this updated hash is the hash of the database which is same as d but now the location i is overwritten with this bit b. And a sequence of logs shows how to construct an updatable Laconic Oblivious Transfer from CDH, Factoring or LW. So let us now see how to use an updatable Laconic OT to enable the Garble Step Circuits to access the database. So we have the initial database which contains the input masked with random bits and let's see how this step circuit accesses the locations. This step circuit takes the initial hash which is the hash of this initial database as input and it reads the two locations using the read function of the Laconic OT and it writes to the location using the write function. Notice that the write function outputs an updated hash value which is the hash of this new database with this location being written and this is passed on to the next step circuit as input and this process continues for every step circuit. So this is it. This is the Garble Step Circuits along with how they access the database and consist of our Garble Circuit C tilde. The Garble Input Extender consists of the masked values of the inputs, the output mask so that one can obtain the output from the final location and the labels corresponding to evaluating the first step circuit. The labels correspond to the initial hash value. So a quick check is that the input masked values are n bits long. The output mask here is just one bit but it would generally be n bits and these labels are polylambda long. So we have the size of x tilde to be n plus m plus polylambda and that is the online cost. So this is the construction. So in the remaining time I will give you a high level idea of how the adaptive security proof works. Let me first describe the simulated distribution. So we need to prove that the real world distribution is indistinguishable to the simulated distribution. So let me start with the simulated distribution. So the simulated database consists of just random junk values. It does not contain the input mask. And the simulated step circuits are just dummy step circuits which read the same locations that the original step circuit does, do no computation and just write random values to the database. So this is the simulated distribution. So we need to show that the real world distribution is indistinguishable to the simulated distribution. So in the real world, every step circuit is generated honestly and I will denote them by a white box. In the ideal world, every step circuit is generated as a dummy step circuit and I will denote them by a black box. So we need to go from all whites distribution to the all blacks distribution. So a natural approach one might come up with is that you first change this first step circuit to black, then the next step circuit to black and so on until you change all these step circuits to black. However in this work, we follow a rather unusual approach where we first change the last step circuit to black, then change the second last step circuit to black and so on until we get all these step circuits to black. So this is reminiscent of the work of KLW which obtained a succinct indistinguishability of this case. So that's just a connection. So in order to prove this the real world is indistinguishable to the ideal world, we need to prove that each of these intermediate hybrids are in turn indistinguishable. And of course we cannot prove that the real world is indistinguishable to hybrid one where the last step circuit is black in a single shot. So this in turn requires a sequence of hybrids. So let me explain the first hybrid where we go from real to hybrid one and the other hybrids are similar. So again the real world we have the all whites distribution and in the hybrid one we have all of them are white except that the last step circuit is black. So in order to go from the real world to the ideal world we make use of some intermediate hybrids where we maintain some of these step circuits in this. I don't know what color you're seeing. It's supposed to be brown but say it's brown. So we maintain some of these step circuits in the brown one. So intuitively a step circuit is in the brown one. If the distribution of this garbled step circuit depends only on the output of the gate that is computed by this step circuit. So let's say if this output of this gate emulated by this step circuit is zero then this garbled step circuit depends just on this bit zero. Now one might think that there seems to be a apparent problem. One is as follows. So first of all we need to generate these garbled step circuits in the offline phase even before we know the input. But I told you that these garbled step circuits in the brown mode depend on the output of the gate that is being computed. So there seems to be a circularity issue where we need to know the output of the gate in the offline phase but we cannot know it because we know the input that we want to evaluate only in the online phase. So how do we get around this? Basically the question is how to garble a step circuit in the brown mode in the offline phase. The answer is that we just guess the output of these gates. So let's say that if there are L gates in the intermediate or hybrid in the brown mode then we incurred 2 to the minus L loss in the security if this is correct. I mentioned to you that we incur only a polynomial loss in security. So in order to make sure that our security loss is just polynomial we need to maintain that the L which is the number of gates in the brown mode should be logarithmic. So now the question is how do we make sure that the number of step circuits in the brown mode is just a logarithmic number. So the answer is that we use a combinatorial pebbling argument to show that in each intermediate hybrid the number of step circuits in the brown mode is just a logarithmic number. I won't be having the time to go into the details of this argument but I would encourage you to look into a paper for the details. And interestingly an optimal strategy for a pebbling game directly gives the actual sequence of hybrids that we want. The pebbling game just gives a sequence of hybrids where the number of step circuits in the each intermediate hybrid in the brown mode is just logarithmic. So to conclude we gave a construction of adaptive gavel circuits with a near optimal online complexity from standard cryptographic assumptions namely CDH, LWE or Factoring. In a follow up work which is about to appear in this year's crypto with Sanjay Berga and Rafi Ustraski we give a construction of adaptive garbled RAM with near optimal online complexity under the same assumptions. In the RAM setting the locations that are accessed by each step circuit are not fixed so this involves some technical challenges and we show how to solve them in the follow up work. Some of the interesting open questions from our work are as follows the first is can we improve the assumptions? Namely we seem to require some public key assumptions with this approach like CDH, Factoring or LWE and it's not clear whether these are necessary. So it would be great if we can do it from the minimal assumptions that one way functions exist. Another interesting question is to improve the concrete efficiency of a scheme. So we have to gobbling as some real-world applications as well so it would be fantastic if we can improve the concrete efficiency. And that's it. Thank you all for your attention. We have time for a question. Any questions? Can you comment on the use of laconic OT in your construction in particular? How many of these laconic OT's do you need? For each step circuit you need the laconic OT to access the locations in the database and also to write. So that's for every gate? For every gate of the circuit. Is this somehow related to the standard OT's that you use in the selective scheme? Standard OT's does not give you a laconic OT because of the fact that the complexity of this read algorithm grows polylogrhythmically in the size of the data. I don't think there is a formal separation but it seems hard to construct the laconic OT from any standard OT. So what's the... Sorry, we have to move on. Let's thank the speaker again. Thank you.