Adaptively Indistinguishable Garbled Circuits

Transcription

1 Adaptively Indistinguishale Garled Circuits Zahra Jafargholi Alessandra Scafuro Daniel Wichs Astract A garling scheme is used to garle a circuit C and an input x in a way that reveals the output C(x ut hides everything else. An adaptively secure scheme allows the adversary to specify the input x after seeing the garled circuit. Appleaum et al. (CRYPTO 13 showed that in any garling scheme with adaptive simulation-ased security, the size of the garled input must exceed the output size of the circuit. Here we show how to circumvent this lower ound and achieve significantly etter efficiency under the minimal assumption that one-way functions exist y relaxing the security notion from simulation-ased to indistinguishaility-ased. We rely on the recent work of Hemenway et al. (CRYPTO 16 which constructed an adaptive simulation-ased garling scheme under one-way functions. The size of the garled input in their scheme is as large as the output size of the circuit plus a certain pele complexity of the circuit, where the latter is (e.g., ounded y the space complexity of the computation. By uilding on top of their construction and adapting their proof technique, we show how to remove the output size dependence in their result when considering indistinguishaility-ased security. As an application of the aove result, we get a symmetric-key functional encryption ased on one-way functions, with indistinguishaility-ased security where the adversary can otain an unounded numer of function secret keys and then adaptively a single challenge ciphertext. The size of the ciphertext only depends on the maximal pele complexity of each of the functions ut not on the numer of functions or their circuit size. Aarhus University, Denmark. zahra@cs.au.dk North Carolina State University, USA. ascafur@ncsu.edu Northeastern University, USA. wichs@ccs.neu.edu

2 1 Introduction Garled Circuits. A garling scheme [Yao82, Yao86] can e used to garle a circuit C and an input x to derive a garled circuit C and a garled input x. It s possile to evaluate C on x and get the correct output C(x. However, the garled values C, x should not reveal anything else eyond this. In many applications, the garled circuit C can e computed in an off-line pre-processing phase efore the input is known and therefore we are not overly concerned with the efficiency of this procedure. On the other hand, once the input x ecomes availale in the on-line phase, creating the garled input x should e extremely efficient. Therefore, the main efficiency measure that we consider here is the on-line complexity of a garling scheme, which is the time it takes to garle an input x, and hence also a ound on the size of x. Security of Garled Circuits. There are several natural notions of garled circuit security that one can consider. Firstly, we can consider either selective or adaptive security. For selective security, we consider a scenario where the adversary chooses the circuit C and the input x first and only then gets the garled versions C, x. For adaptive security, we consider a scenario where the adversary first gets the garled circuit C and can then adaptively chooses the input x to e garled. Adaptive security is the natural notion in the on-line/off-line setting where we envision the garled circuit to e created first in an earlier stage efore the input is selected. Secondly, we can consider either simulation-ased or indistinguishaility-ased definitions of security. In the simulation-ased setting, we require that the garled circuit and the garled input can e simulated given only the output of the computation and the topology of the circuit. In the indistinguishaility-ased setting, we require that the adversary cannot distinguish etween a garling of C 0, x 0 or C 1, x 1 as long as C 0 (x 0 = C 1 (x 1 and C 0, C 1 have the same topology. Prior Work. Yao s construction of garled circuits under one-way functions already achieves essentially optimal on-line complexity, where the time to garle an input x and the size of x are only linear in the input size x, independent of the circuit size. 1 However, it was only shown to satisfy selective simulation-ased security [LP09]. Recently, the work of Hemenway et al. [HJO + 16] showed how to modify Yao s construction and get adaptive simulation-ased security under one-way functions. The on-line complexity of their scheme depends linearly on a certain pele complexity t of the circuit, its input size n and output size m. Furthermore, they showed that the pele complexity t is upper ounded y the circuit width which is in turn ounded y the space complexity of the computation. The work of [JW16] (see also [JKK + 17] shows that even Yao s original garled circuit construction already achieves adaptive simulation-ased security via reduction with a 2 t security loss as long as the mapping etween output laels and the its they represent is only given in the garled input. In oth of the aove works, the online complexity is always at least as large as the output size m. The work of Appleaum et al. [AIKW13] (see also [HW15] gives a lower ound showing that this is inherent for adaptive simulation-secure garled circuits. Our Results. In this work, we show how to construct adaptively secure garling schemes ased on one-way functions, where the on-line complexity of our scheme can e smaller than the output size of the circuit. This necessarily requires us to give up on simulation-ased security and instead we achieve indistinguishailityased security. In more detail, we propose a new garling scheme which uilds on top of the ideas of [HJO + 16] ut essentially removes the output size dependence in their construction, making the on-line complexity only linear in the pele complexity t and the input size n, ut independent of the output size m. As an application of the aove result, we consider the scenario where we garle a circuit C which consists of many disjoint oolean su-circuits C 1,..., C l which all take the same input x ut do not share any other wires/gates except for the input wires. In that case, although the output size of C is l (which we think of as large the pele complexity of C is just t = max{t i } where t i denote the pele complexities of the 1 More precisely, in Yao s garled circuits, the garled input is of size x poly(λ where λ is the security parameter. The work of Appleaum et al. [AIKW13] shows how to reduce this to x + poly(λ assuming stronger assumptions such as DDH, RSA or LWE. 1

3 individual circuits C i, and therefore is independent of the numer of circuits l. We can also think of the aove as allowing us to construct an adaptively indistinguishale private-key functional encryption (FE scheme y thinking of the garled versions of the circuits C i as function secret keys and the garled input as a ciphertext. The size of the ciphertext is linear in the size of the input x and the maximal pele complexity of the individual functions, which we can ound y their space complexity, ut is independent of the numer of function secret keys l or even their circuit size. Finally it ears mentioning that an adaptively indistinguishale scheme is also adaptively secure under the simulation-ased security definition for any efficiently invertile function. 2 Therefore for this class of functions our construction provides a simulation-ased adaptively secure garling scheme with online complexity independent of the output size. 1.1 Our Techniques Before we can explain our techniques, we first review Yao s garled circuit construction, the issue with adaptive security and the technique of [HJO + 16]. The discussion elow is adapted from [HJO + 16]. Yao s Scheme. First, let s start y recalling Yao s garled circuits. For each wire w in the circuit, we pick two keys kw, 0 kw 1 for a symmetric-key encryption scheme. For each gate in the circuit computing a function g : {0, 1} 2 {0, 1} and having input wires a, and output wire c we create a garled gate consisting of 4 randomly ordered ciphertexts created as: c 0,0 = Enc k 0 a (kc g(0,0 c 1,0 = Enc k 1 a (kc g(1,0, c 0,1 = Enc k 0 a (kc g(0,1 c 1,1 = Enc k 1 a (kc g(1,1 (1 where (Enc, Dec is a CPA-secure encryption scheme. The garled circuit C consists of all of the galed gates, along with an output map {k 0 w 0, k 1 w 1} which maps the keys to the its they represent for each output wire w. To garle an n-it value x = x 1 x 2 x n, the garled input x consists of the keys kw xi i for the n input wires w i. To evaluate the garled circuit on the garled input, it s possile to decrypt exactly one ciphertext in each garled gate and get the key kw v(w corresponding to the it v(w going over the wire w during the computation C(x. Once the keys for the output wires are computed, it s possile to recover the actual output its y looking them up in the output map. To prove the selective simulation-ased security of Yao s scheme, we have a simulator that gets the output y = y 1 y 2 y m = C(x and must produce C, x. The simulator picks random keys k1, 0 kw 1 for each wire w just like the real scheme, ut it creates the garled gates as follows: c 0,0 = Enc k 0 a (kc 0 c 0,1 = Enc k 0 a (kc 0 c 1,0 = Enc k 1 a (kc, 0 c 1,1 = Enc k 1 a (kc 0 (2 where all four ciphertext encrypt the same key k 0 c. It then sets the output map as {k 0 w y w, k 1 w 1 y w } y programming it so that the key k 0 w corresponds to the correct output it y w for each output wire w. This defines the simulated garled circuit C. To create the simulated garled input x the simulator simply gives out the keys k 0 w for each input wire w. Note that, when evaluating the simulated garled circuit on the simulated garled input, the adversary only sees the keys k 0 w for every wire w. Proof of Security and Issues with Adaptivity. There are two main issues with proving adaptive security of Yao s construction. The first issue is that, in the simulation-ased security setting, the simulator now cannot program the output map since it is given as part of the garled circuit efore the output y 1,..., y m is defined. This can e fixed y modifying the construction and moving the output map from the garled circuit to the garled x. 2 More generally, any function f for which, given any image element y it is possile to efficiently find a canonical pre-image 2

4 input, at the cost of raising the on-line complexity to depend on the output size. In the simulation-ased setting we know this to e inherent, ut one could hope to avoid this in the indistinguishaility-ased setting. The second and more serious issue is the sequence of hyrids used to prove security. At a high level, the selective proof proceeds via a series of carefully defined hyrid games that switch the distriution of one garled gate at a time, starting with the input level and proceeding up the circuit level y level. In addition to the two modes of creating garled gates defined aove, we also define an additional mode where the garled gate is set to: c 0,0 = Enc k 0 a (kc v(c c 1,0 = Enc k 1 a (kc v(c, c 0,1 = Enc k 0 a (kc v(c c 1,1 = Enc k 1 a (kc v(c (3 where v(c is the correct value of the it going over the wire c during the computation of C(x. Let us give names to the three modes for creating garled gates that we defined aove: (1 is called RealGate mode, (2 is called SimGate mode, and (3 is called InputDepSimGate mode, since the way that it is defined depends adaptively on the choice of the input x. The proof of selective security of Yao s garled circuits proceeds in a sequence of hyrids where the way we garle a gate goes from RealGate mode to InputDepSimGate mode to SimGate mode in some carefully chosen order. The prolem with adapting this technique to the adaptive setting is that the InputDepSimGate mode is not (even syntactically well defined; in this mode the way that we garle the gate depends on the value that the output wire takes on during the computation C(x ut in the adaptive setting the input x is not yet defined when we create the garled circuit. The Technique of [HJO + 16]. Essentially, the work of [HJO + 16] proves adaptive security y leveraging two ideas. Firstly, they encrypt the entire Yao garled circuit under an additional layer of encryption using a special somewhere equivocal encryption scheme, and give the decryption key as part of the garled input. Such a scheme can e used to create a simulated ciphertext given only some ut not all of the plaintext locks (think of the unknown locks as holes and later create a secret key that decrypts all the known locks correctly ut plugs the holes with aritrarily specified values. The size of the secret key only depends on the numer of holes and not the entire size of the plaintext. By leveraging this type of encryption, they can define hyrid games where some of the gates are in InputDepSimGate mode (which is not well defined when the circuit is created y putting holes in place of all such gates when creating the garled circuit and then coming up with a decryption key that opens the holes to the correct value when creating the garled input (at which point InputDepSimGate is well defined. Secondly, the aove idea requires the numer of holes (and therefore the size of the garled input to scale with the numer of gates in InputDepSimGate mode in any hyrid. Therefore, to get a non-trivial result, we need a sequence of hyrids that minimizes the numer of gates in InputDepSimGate mode at any point in time. Recall that we start with all gates in RealGate mode and want to end with all gates in SimGate mode. We are allowed to make the following changes: We can change a gate from RealGate to InputDepSimGate (and ack as long as its predecessors are in InputDepSimGate mode (or it is at the input level. This is ecause, in this case, only one of the keys for each input wire appears in the game. We can change a gate from InputDepSimGate to SimGate (and ack as long as all of its successors are in SimGate mode (or it is at the output level. This is ecause the two keys associated with the output wire are used interchangealy in the game. The work of [HJO + 16] connects the aove with a peling game over the circuit, where the goal is to change all the gates from RealGate to SimGate suject to the aove rules while minimizing the numer of gates in InputDepSimGate mode at any point in time: this latter numer is defined to e the pele complexity of the circuit. For example, they show that the pele complexity of a circuit is ounded y its width which in turn corresponds to the space complexity of the computation. The size of the garled input in their scheme is the maximum of the pele complexity of the circuit and the input/output size. 3

5 Our Construction and Proof Technique. One could hope to get rid of output dependence in the construction of [HJO + 16] y simply sending the output map (the mapping etween the keys of the output wires and the its they represent with the garled circuit rather than with the garled input. Although we know that such a construction cannot achieve adaptive simulation security, one could conjecture it to achieve adaptive indistinguishaility security. Unfortunately, we do not know how to prove such a construction secure. Essentially, the issue is that the only reason we can change output gates from InputDepSimGate to SimGate in the proof of [HJO + 16] is that we can program the output map after the actual output of the computation is known; if the output map is sent with the garled circuit this is no longer possile. Instead, we come up with a modified construction which we are ale to prove secure. Our new garling construction leverages that of [HJO + 16] and proceeds as follows. To garle a circuit C we use the scheme of [HJO + 16] and garle two copies of C completely independently: we call the resulting garled circuits C L, C R. These are just Yao garled circuits (without an output map encrypted under an additional layer of somewhere equivocal encryption. We choose one of the two garled circuits at random to e the active one: active {L, R}. Then we merge the two garled circuits y creating a layer of garled selection gates (s-gates: for each output it i [m] we create an s-gate that takes the i th output wire from oth garled circuits, and outputs the value on the wire coming from the active circuit (the output of the garled s-gate is a it in the clear rather than a wire key. The garled circuit consists of C = (CL, C R, sgate. To garled an input x we use the scheme of [HJO + 16] to garle two copies of it for the left and right garled circuit. The evaluation procedure does the natural thing y evaluating oth C L, C R respectively, and using the output wire keys on the garled s-gates to recover the output its in the clear. Ideas similar to the use of two circuits along with a selection layer have appeared in prior works, e.g., [PST14]. To prove security, we consider an adversary that chooses C 0, C 1, gets a garled version of C, then adaptively chooses x 0, x 1 such that C 0 (x 0 = C 1 (x 1, and gets a garled version of x. We want to show that the adversary cannot distinguish etween = 0 and = 1. We show security via the following sequence of hyrids. 1. We start with the security game where the challenge it is = 0. In this case, oth C L, C R garle C 0 and oth garled inputs correspond to x 0. Let active {L, R} e the identity of the active circuit. We use the notation C active, C passive to denote the active and passive garled circuits respectively. 2. We change the passive garled circuit C passive and the garled input for it to e simulated. This change essentially follows the proof of [HJO + 16]. In particular, we rely on the fact that the keys associated with the its 0 and 1 for the output wires of C passive are used symmetrically y the s-gates (since the s-gates are ignoring the output of the passive circuit and therefore we can safely change the garled output gates of C passive from InputDepSimGate to SimGate. 3. We change the passive garled circuit C passive and the garled input for it from eing simulated to eing a garling of C 1, x 1. This follows from the same argument as the previous step. 4. We now modify the s-gates one-y-one to output the value of the passive circuit instead of the active circuit. This is the most delicate part of the proof. It essentially follows via a sequence of steps where, for each output i [m], we use the proof strategy of [HJO + 16] to change the i th output gate of oth C active, C passive to e in InputDepSimGate mode. This means that these garled gates aren t really created until the on-line phase when the garled input is given out. Furthermore, when they are created in the on-line phase, each of these garled gates only contains one key for the output wire corresponding to the correct it going over that wire during the computation (either oth corresponding to 0 or oth to 1 since C 0 (x 0 = C 1 (x 1. This allows us to change the encrypted value in 2 out 4 of the ciphertexts in the garled s-gate so as to switch it from outputting the value of the active circuit to the one of the passive circuit. 5. We now repeat steps 2 and 3 for C active to switch it from a garling C 0, x 0, to simulated, to a garling of C 1, x 1. Finally, we are left with the original security game with the challenge it = 1. The aove steps except for step 4 rely on the adaptive security of the underlying garling scheme in a lackox manner. It remains an open prolem whether it is possile to show a more general transformation 4

6 from garled circuits with adaptive security (and maye other natural properties to garled circuits with indistinguishaility ased adaptive security and online complexity independent of the output size. 2 Preliminaries General Notation. For a positive integer n, we define the set [n] := {1,..., n}. We use the notation x X for the process of sampling a value x according to the distriution X. For a vector m = (m 1, m 2,, m n, and a suset P [n], we use (m i i P to denote a vector containing only the values m i in positions i P and symols in all other positions. We use (m i i / P as shorthand for (m i i [n]\p. Circuit Notation. A oolean circuit C consists of gates gate 1,..., gate q and wires w 1, w 2,..., w p. A gate is defined y the tuple gate i = (g, w a, w, w c where g : {0, 1} 2 {0, 1} is the function computed y the gate, w a, w are the incoming wires, and w c is the outgoing wire. Although each gate has a unique outgoing wire w c, this wire can e used as an incoming wire to several different gates and therefore this models a circuit with fan-in 2 and unounded fan-out. We let q denote the numer of gates in the circuit, n denotes the numer of input wires and m denote the numer of output wires. The total numer of wires is p = n + q (since each wire can either e input wire or an outgoing wire of some gate. For convenience, we denote the n input wires y in 1,..., in n and the m output wires y out 1,..., out m. For x {0, 1} n we write C(x to denote the output of evaluating the circuit C on input x. Definition 1. Two distriutions X and Y are (T, ε-indistinguishale, denote D T [X, Y ] = ε if for any proailistic algorithm A, running in time T, Pr [A(X = 1] Pr [A(Y = 1] ε. For two games Game and Game we say they are (T (λ, ε(λ- indistinguishale, D T (λ [ Game, Game ] = ε(λ, if for any adversary A running in time T (λ, Pr [Game A = 1] Pr [ Game A = 1 ] ε(λ. Let games Game(λ and Game (λ e parametrized y the security parameter [ λ. If for any polynomial function T (λ, there exists a negligile function ε(λ, such that for all λ, D T (λ Game(λ, Game (λ ] ε(λ, we say the two games are computationally indistinguishale and denote this y Game(λ comp Game (λ. We say C is leveled, if each gate has an associated level and any gate at level l has incoming wires only from gates at level l 1 and outgoing wires only to gates at level l +1. We let the depth d denote the numer of levels and the width w denote the maximum numer of gates in any level. A circuit C is fully specified y a list of gate tuples gate i = (g, w a, w, w c. We use Φ(C to refer to the topology of a circuit which indicates how gates are connected, without specifying the function implement y each gate. In other words, Φ(C is the list of sanitized gate tuples ĝate i = (, w a, w, w c where the function g that the gate implements is removed from the tuple. 3 Definitions The ulk of this section defining what garled circuits are and presenting Yao s construction, is taken veratim from [HJO + 16]. We now give a formal definition of a garling scheme. There are many variants of such definitions in the literature, and we refer the reader to [BHR12] for a comprehensive treatment. Definition 2. A Garling Scheme is a tuple of PPT algorithms GC = (GCircuit, GInput, Eval such that: ( C, k $ GCircuit(1 λ, C: takes as input a security parameter λ, a circuit C : {0, 1} n {0, 1} m, and outputs the garled circuit C, and key k. x GInput(k, x: takes as input, x {0, 1} n, and key k and outputs x. 5

7 y = Eval( C, x: given a garled circuit C and a garled input x output y {0, 1} m. Correctness There is a negligile function ν such that for any λ N, any circuit C and input x it holds that Pr[C(x = Eval( C, x] = 1 ν(λ, where ( C, k GCircuit(1 λ, C, x GInput(k, x. Adaptive Security (Based on Simulation. There exists a PPT simulator Sim = (SimC, SimIn such that, for any PPT adversary A, there exists a negligile function ε such that: Pr[Exp adaptive A,GC,Sim (λ, 0 = 1] Pr[Expadaptive A,GC,Sim (λ, 1 = 1] ε(λ where the experiment Exp adaptive A,GC,Sim (λ, is defined as follows: 1. The adversary A specifies C and gets C where C is created as follows: if = 0: ( C, k GCircuit(1 λ, C, if = 1: ( C, state SimC(1 λ, Φ(C, 2. The adversary A specifies x and gets x created as follows: if = 0, x GInput(k, x, if = 1, x SimIn(C(x, state. 3. Finally, the adversary outputs a it, which is the output of the experiment. In other words, we say GC is adaptively secure if [ ] D T (λ Exp adaptive GC,Sim (λ, 0, Expadaptive GC,Sim (λ, 1 = ε(λ. For any PPT adversary A, there exists a negli- Adaptive Security (Based on Indistinguishaility. gile function ε such that: Pr[Exp adaptive A,GC,Ind (λ, 0 = 1] Pr[Expadaptive A,GC,Ind (λ, 1 = 1] ε(λ where the experiment Exp adaptive A,Π,Ind (λ, is defined as follows: 1. A specifies two circuits C 0, C 1 of the same topology, and gets ack C GCircuit(1 λ, C. 2. A specifies x 0, x 1 such that C 0 (x 0 = C 1 (x 1 and gets x GInput(k, x. 3. Finally, the adversary outputs a it, which is the output of the experiment. In other words, we say GC is adaptively indistinguishale if [ ] D T (λ Exp adaptive GC,Ind (λ, 0, Expadaptive GC,Ind (λ, 1 = ε(λ. On-line Complexity. The time it takes to garle an input x, (i.e., time complexity of GInput(, is the on-line complexity of the scheme. Clearly the on-line complexity of the scheme gives a ound on the size of the garled input x. Ideally, the on-line complexity should e much smaller than the circuit size C. Projective Scheme. We say a garling scheme is projective if each it of the garled input x only depends on one it of the actual input x. In other words, each it of the input, is garled independently of other its of the input. Projective schemes are essential for two-party computation where the garled input is transmitted using an olivious transfer (OT protocol. Our constructions will e projective. 6

8 Hiding Topology. A garling scheme that satisfies the aove security definition may reveal the topology of the circuit C. However, there is a way to transform any such garling scheme into one that hides everything, including the topology of the circuit, without a significant asymptotic efficiency loss. More precisely, we rely on the fact that there is a function HideTopo( that takes a circuit C as input and outputs a functionally equivalent circuit C, such that for any two circuits C 1, C 2 of equal size, if C 1 = HideTopo(C 1 and C 2 = HideTopo(C 2, then Φ(C 1 = Φ(C 2. An easy way to construct such function HideTopo is y setting C to e a universal circuit, with a hard-coded description of the actual circuit C. Therefore, to get a topology-hiding garling scheme, we can simply use a topology-revealing scheme ut instead of garling the circuit C directly, we garle the circuit HideTopo(C. 4 Construction of [HJO + 16] In our construction (presented in the following section, we will use the construction of [HJO + 16], as a uilding lock. Furthermore we will need the details of this construction in order to proceed with the proof of security of our construction. Therefore in this section we present the construction of [HJO + 16] which consists of two simple steps: (1 garle the circuit using Yao s garling scheme; (2 hide the garled circuit (without the output tales under an outer layer of encryption instantiated with a somewhere-equivocal encryption scheme. In the on-line phase, the garled input consists of Yao s garled input plus the output tales. Next we provide the formal description of the scheme of [HJO + 16] which contains the details of Yao s garling scheme. Let C e a leveled oolean circuit with fan-in 2 and unounded fan-out, with inputs size n, output size m, depth d and width w. Let q denote the numer of gates in C. Recall that wires are uniquely identified with laels w 1, w 2,..., w p, and a circuit C is specified y a list of gate tuples gate = (g, w a, w, w c. The topology of the circuit Φ(C consists of the sanitized gate tuples ĝate i = (, w a, w, w c. For simplicity, we implicitly assume that Φ(C is pulic and known to the circuit evaluator without explicitly including it as part of the garled circuit C. To simplify the description of our construction, we first descrie the procedure for garling a single gate, that we denote y GarleGate. Let Γ = (Gen, Enc, Dec e a CPA-secure symmetric-key encryption scheme satisfying the special correctness property defined in Appendix A. GarleGate is defined as follows. g GarleGate(g, {k σ a, k σ, kσ c } σ {0,1} : This function computes 4 ciphertexts c σ0,σ 1 : σ 0, σ 1 {0, 1} as defined elow and outputs them in a random order as g = [c 1, c 2, c 3, c 4 ]. c 0,0 Enc k 0 a (kc g(0,0 c 0,1 Enc k 0 a (kc g(0,1 c 1,0 Enc k 1 a (kc g(1,0 c 1,1 Enc k 1 a (kc g(1,1 Let Π = (sekeygen, seenc, sedec, SimEnc, SimKey e a somewhere-equivocal symmetric-encryption scheme as defined in Appendix B. Recall that in this primitive the plaintext is a vector of n locks, each of which has s its. In this construction the following parameters are used: the vector size n = q is the numer of gates and the lock size s = g is the size of a single garled gate. The equivocation parameter t is defined y the strategy used in the security proof and will e specified later. The garling scheme is formally descried in Fig Adaptive Simulator The adaptive security simulator for [HJO + 16] is essentially the same as the selective security simulator for Yao s scheme (as in [LP09], with the only difference that the output tale is sent in the on-line phase, and is computed adaptively to map to the correct output. Note that the garled circuit simulator does not rely on the simulation properties of the somewhere equivocal encryption scheme - these are only used in the proof of indistinguishaility. More specifically, the adaptive simulator (SimC, SimIn works as follows. In the off-line phase, SimC computes the garled gates using procedure GarleSimGate, that generates 4 ciphertexts that encrypt the same output key. 7

9 GCircuit(1 λ, C 1. Garle Circuit (Yao s scheme (Wires k σ w i Gen(1 λ for i [p], σ {0, 1}. (Input wires K = ( k 0 in i, k 1 in i i [n]. (Gates For each gate i = (g, w a, w, w c in C: g i GarleGate (g, { } k σ wa, k σ w, k σ wc. σ {0,1} (Output [( tales For ( each output ] j [m]: d j := kout 0 j 0, kout 1 j Outer Encryption key $ sekeygen(1 λ. C seenc (key, ( g 1,..., g q. Output C, k = (K, key, ( d j j [m]. GInput(x, k (Select input keys K x = ( k x1 in 1,..., k xn in n. Output x = (K x, key, ( d j j [m]. Eval( C, x 1. Parse x = (K, key, ( d j j [m]. 2. Decrypt Outer Encryption ( ( g i i q sedec key, C. 3. Evaluate Circuit. Parse K = (k in1,..., k inn. For each level j = 1,..., d and for each ĝate i = (, w a, w, w c at level j: Let g i = [c 1, c 2, c 3, c 4 ]; For δ [4] let k w c Dec kwa (Dec kw (c δ If k w c then set k wc := k w c. 4. Decrypt output. For j [m]: Parse d j = [(k 0 out j 0, (k 1 out j 1]. Set y j = iff k outj = k out j. Output y 1,..., y m. Figure 1: Adaptively-secure Garling Scheme. More precisely, GarleSimGate({k σ w a, k σ w } σ {0,1}, k w c takes oth keys for input wires w a, w and a single key for the output wire w c, that we denote y k w c. It then output g c = [c 1, c 2, c 3, c 4 ] where the ciphertexts, arranged in random order, are computed as follows. c 0,0 Enc k 0 a (k c c 0,1 Enc k 0 a (k c c 1,0 Enc k 1 a (k c c 1,1 Enc k 1 a (k c The simulator invokes GarleSimGate on input k c = k 0 c. It then encrypts the garled gates so otained y using the honest procedure for the somewhere equivocal encryption. In the on-line phase, SimIn, on input y = C(x adaptively computes the output tales so that the evaluator otains the correct output. This is easily achieved y associating each it of the output, y j, to the only key encrypted in the output gate g outj, which is kout 0 j. For the input keys, SimIn just sends keys kin 0 i for each i [n]. The detailed definition of (SimC, SimIn is provided in Fig Our Construction Let cgc = (cgcircuit, cginput, ceval e the adaptive garling scheme of [HJO + 16], with simulator csim = (csimc, csimin. In this section we construct a new garling scheme, using cgc as a uilding lock. See Figure 5 for a formal description of our construction. The new garling scheme creates two copies of the garled circuit (called C L, C R. It chooses one at random to e the active one (active = R or active = L. Then for each output it i [m], it creates a selection gate that takes the output wire i from oth garled circuits, and selects the value on the wire coming from the active circuit. We call these selection gates, 8

10 Simulator SimC(1 λ, Φ(C (Wires k σ w i Gen(1 λ for i [p], σ {0, 1}. (Garled gates For each gate gate i = (, w a, w, w c in Φ(C: g i GarleSimGate ( k σ w a, k σ w } σ {0,1}, k 0 w c. (Outer Encryption: key $ sekeygen(1 λ, C seenc ( key, g 1,..., g q. Output C, state = ( {k σ w i }, key. SimIn(y, state [ (k y Generate output tale: sdj j out j 0 ( ], k 1 yj out j 1. // ensures kout 0 j y j j [m] ( (k ( 0 Output x = in, key, sdj i. i [n] j [m] Figure 2: Simulator for Adaptive Security. sgate R sgate L Enc l 0(Enc r 1(1 Enc l 0(Enc r 1(0 Enc l 0(Enc r 0(0 Enc l 0(Enc r 0(0 Enc l1 (Enc r 1(1 Enc l 1(Enc r 1(1 Enc l 1(Enc r 0(0 Enc l 1(Enc r 0(1 Figure 3: s-gates. sgate L (sgate R outputs the value associated with the wire coming form C L, (C R. s-gates, to distinguish them from the output gates of the two original garled circuits. Let l and r e the output wires of C L and C R, then s-gate (for each output it is defined as in Figure 4. Note that C active and C passive are encrypted Yao garled circuits. But the output wires and the output map are not encrypted and are part of the key k which is an output of cgcircuit(,. 6 Hyrid Games Overview. We need to prove that Game 0 = Exp adaptive A,NGC,Ind (λ, 0 and Game 1 = Exp adaptive A,NGC,Ind (λ, 1 are indistinguishale. Namely, we need to show a strategy to move from Game 0, where (C passive, C active are oth garling of C 0 and (x active, x passive are garlings of x 0 ; to Game 1 where (C passive, C active are garling of C 1 and (x active, x passive are garlings of x 1. At high-level, the proof strategy is the following: starting from Game 0, (1 first we change C passive, x passive to e the garling of C 1, x 1, (2 then we change the selection gates so that they select outputs from C passive, (3 finally we change C active, x active to e the garling of C 1, x 1. For step (1 and (3, we switch from garling C 0, x 0 to garling C 1, x 1 y using simulated circuits, namely first we change C passive into a simulated circuit, and then we switch it into a real garling of C 1. Indistinguishaility of this steps follows directly from the adaptive simulation-ased security of the underlying garling scheme in a lack-ox manner (we discuss this next in Sec Changing the selection gates (Step 2 instead requires a surgical proof, where we selective simulate one output gate of C passive, C active at the time, and this enale us to change (switch the content of the selection gates, from selecting the output of C passive instead of C active (or viceversa. Following the language of [HJO + 16], this means that we need to place lack peles on the output gates of circuits C passive, C active. We discuss this in details in Lemma 3. 9

11 N Garling Scheme NGCircuit(1 λ, C. 1. active {L, R}. If active = L then passive = R else passive = L. 2. (C L, k L cgcircuit(1 λ, C and (C R, k R cgcircuit(1 λ, C 3. Parse k α into (K α, key α, ( cd α,i i [m] for α {L, R} 4. For i [m] let sgate i computed as sgate active (Figure 4 with the ith output wire of C R and C L as input. Let sgate = (sgate 1,..., sgate m 5. C := (C L, C R, sgate. 6. k L := (K L, key L, k R := (K R, key R, k := (k L, k R. 7. Output C, k. NGInput(x, k 1. (select keys K x L = SelGInput (x, K L and K x R = SelGInput (x, K R. 2. x L = (K x L, key L, x R = (K x R, key R 3. Output x = ( x L, x R NEval( C, x 1. {w α,i } i [m] := ceval (C α, x α, for α {L, R} 2. Parse sgate 1,..., sgate m sgate. 3. Use keys {w α,i } i [m] to evaluate gates sgate 1,..., sgate m and otain y. 4. Output y. Figure 4: New garling scheme 6.1 Hyrid Games Template The hyrid games are parameterized y the distriutions of C active, C passive, their respective inputs x active, x passive and a flag α {active, passive} denoting the fact that s-gates are selecting the ouput of C α For example the original Game is descried as: - Game 0 = (( cgcircuit(1 λ, C 0, x 0, ( cgcircuit(1 λ, C 0, x 0, active - Game 1 = (( cgcircuit(1 λ, C 1, x 1, ( cgcircuit(1 λ, C 1, x 1, active Note that when the active and passive garled circuit distriutions are the same, it does not make a difference whether α = active or α = passive. However in our hyrid argument we will sometimes set α = passive when these distriutions are different. We use csimc(1 λ, Φ(C to denote a simulated circuit. Since the simulated garling of any circuit only depends on its topology and not the function it computes, the output of the simulation has the same distriution for C 0 and C 1, thus for simplicity we write csimc(1 λ, Φ(C. Using this template we define 4 new hyrid games: HyA through HyD. See Figure 6. The changes in these hyrids follow a two-step simulate and switch approach. In HyA the passive circuit is simulated. Note that the garled input to a simulated circuit is created independent of the input, therefore its distriution does not change whether it s x 0 that is garled or x 1. In HyB the passive circuit is switched from simulation to real 10

12 garling of C 1. Now with oth active and passive circuits outputing the same value y = C 0 (x 0 = C 1 (x 1, we go to the next hyrid. In HyC we change the content of the s-gates to output the passive circuit. Then we turn the active circuit into a garling of C 1 with input x 1, y first simulating it (HyD and then changing it to a garling of C 1 with input x 1 (Game 1. The transitions from Game 0 to HyA then to HyB are identical to the ones going from Game 1 to HyD and then to HyC. Thus we only prove it once for comp Game 0 HyA comp HyB. Hyrids Game 0 HyA HyB C active, x active C passive, x passive sgate outputs cgcircuit(1 λ, C 0, x 0 cgcircuit(1 λ, C 0, x 0 active cgcircuit(1 λ, C 0, x 0 csimc(1 λ, Φ(C, x 1 active cgcircuit(1 λ, C 0, x 0 cgcircuit(1 λ, C 1, x 1 active Hyrids HyC HyD Game 1 C active, x active C passive, x passive sgate outputs cgcircuit(1 λ, C 0, x 0 cgcircuit(1 λ, C 1, x 1 passive csimc(1 λ, Φ(C,x 1 cgcircuit(1 λ, C 1,x 1 passive cgcircuit(1 λ, C 1,x 1 cgcircuit(1 λ, C 1,x 1 passive Figure 5: Hyrids From Game 0 to HyA. To prove this, we are going to need a special property that is enjoyed y the garling scheme cgc. We define the special property elow. Definition 3 (Output-key Security. We say that an adaptively simulation-secure garling scheme is output-key secure if it is adaptively secure even when the output keys (e.g., {w α,i } i [m] without the output mapping are sent together with the garled circuit C. Proposition 1. Under the same assumptions as [HJO + 16], the garling scheme cgc is adaptively secure and output-key secure. [Proof Sketch]. Intuitively this is true ecause throughout the proof of security for cgc we rely on the CPA security of the encryption scheme used to garle the gates, to prove the adversary does not learn the content of any gates, efore getting the garled input, and even after seeing the garled input he can only decipher one ciphertext from each garled gate. During these reductions, we can even let the adversary choose the keys encrypted in a garled output gate (as in the game for the CPA security, the adversary can choose any message to e encrypted. Furthermore the output keys are not used as an encryption key somewhere else in the same garled circuit, therefore revealing the output key does not jeopardize the adaptive security of cgc. Now that we have defined the property aove, we can prove the following Lemma. Lemma 1. If cgc is adaptively secure and output-key secure, then Game 0 and HyA are computationally indistinguishale. Proof. If a PPT adversary A distinguishes Game 0 and HyA with advantage ε, we construct adversary B that reaks the adaptive security of cgc with the same advantage ε. B will receive C 0, C 1 from A, and sends C 0 to its challenger, and gets ack C, which is ( C, k cgcircuit(1 λ, C 0 if = 0 and( C, state csimc(1 λ, Φ(C if = 1. B then sets (C active, k 0 cgcircuit(1 λ, C 0 and C passive = C. Next, B creates the s-gates so that they would reveal the output of C active. Note that B does not need the output map of C to create s-gates, it only needs the keys encrypted in the output level gates of C. Which we assume are given as part of the garled circuit, without jeopardizing the security of cgc (due to output-key security. 11

13 Finally B sends C = ( C L, C R, sgate to A and gets ack x 0, x 1. B sends x 0 to the challenger and gets ack x which is x cginput(x 0, k if = 0 and x SimIn(C 0 (x 0, state if = 1. The reduction will set x active cginput(x 0, k active, x passive = x and sends ( x L, x R to A and outputs A s final output,. Note, since SimIn does not even take in the input x 1 or x 0, it only gets the output of the computation in order to create the appropriate output map. And in this application, the output wires are treated the same way, regardless of whether they are mapped to 0 or 1, it doesn t matter which input is garled y the simulator. Reduction B 1. Receive C 0, C 1 from A. 2. active {L, R}. If active = L then passive = R else passive = L. 3. Send C 0 to the challenger and get ack C. 4. Follow the steps for creating NGCircuit(1 λ, C 0 with one exception; use C as C passive. 5. Send C ( := C L, C R, sgate to A and receive x 0, x Send x 0 to the challenger and get ack x. 7. (select keys K x0 = SelGInput(x 0, K active. 8. x active = (K x0, key active, x passive = x 9. Send x = ( x L, x R to A and receive from A 10. Output Figure 6: Reduction of Lemma 1 Lemma 2. If cgc is adaptively secure and output-key secure, then HyA and HyB are computationally indistinguishale. Proof. It follows from a similar reduction to the one used in the proof of Lemma 1, with the difference that C 1, x 1 are sent to the challenger instead of C 0, x 0. Lemma 1 and Lemma 2 prove that: Game 0 comp From HyB to HyC HyA comp Recall the distriution of hyrid HyB and HyC HyB and HyC comp - HyB = (( cgcircuit(1 λ, C 0, x 0, ( cgcircuit(1 λ, C 1, x 1, active - HyC = (( cgcircuit(1 λ, C 0, x 0, ( cgcircuit(1 λ, C 1, x 1, passive HyD comp Game 1. The difference etween these two hyrids is only in the s-gates: instead of selecting the output from C active (in HyB, now s-gates will select the output from C passive (in HyC. Recall the description of s-gate in Fig. 4. Changing the s-gates from active to passive entails changing 2 of the encryptions. In order to argue that these changes are indistinguishale, we must rely on the CPA security of the encryption. However the keys used to create these ciphertexts are not independent, since they are used in the garling of the output gates of C L and C R. Therefore, if we want to change even one encryption, we need to remove those keys from 12

14 the correspondent gates in C L and C R. In other words, those two gates need to e simulated. Now, in order to change one gate at the time from real to simulated, we need to leverage the details of the proof provided in [HJO + 16]. Proof Strategy in [HJO + 16]. We now give an overview of the proof strategy of [HJO + 16]; we rely on specific components of the strategy in our proof. For more details see Appendix C. In [HJO + 16] hyrid games are parametrized y a circuit configuration, that is, a vector indicating the way the gates are garled. There are three modes for how each gate can e garled: RealGate, InputDepSimGate, SimGate. There are also rules that allow one to indistinguishaly move from one configuration to another. These configurations/rules are summarized via a peling game where we associate RealGate mode to a gate not having a pele on it, InputDepSimGate mode is associated with a gate having a lack pele, and SimGate mode is associated with a gate having a grey pele. The indistinguishaility rules are then translated to rules for the peling game: Peling Rule A. We can place or remove a lack pele on a gate as long as oth predecessors of that gate have lack peles on them (or the gate is an input gate. Peling Rule B. We can replace a lack pele with a grey pele on a gate as long as all successors of that gate have lack or grey peles on them (or the gate is an output gate. We can follow the same rules for the two garled circuits C active, C passive with one major difference: we cannot replace a lack pele with a grey pele on the output gates (this part relied on the fact that the output map, which specified the correspondence etween wire keys at the output level and the its they correspond to, was only sent in the on-line phase; in our case this correspondence is needed to create the s-gates in the off-line phase, at least for the active circuit. We rely on one more property (*: if a gate has an output wire w which is associated with keys k 0 w, k 1 w and we garle the gate in InputDepSimGate mode then we only use one key (k w where is the it that the wire takes on during the computation C(x when creating this garled gate in the on-line phase. Let us define C [γ, t] to e the class of circuits C such that we can place a lack pele on any single output gate of C in γ peling steps and using at most t lack peles at each step. For the following lemma, theorem and corollaries, assume: 1. The adversary selects C 0, C 1 C [γ, t]. 2. Π = (sekeygen, seenc, sedec, SimEnc, SimKey is a somewhere equivocal encryption scheme with equivocation parameter t. 3. Γ = (Gen, Enc, Dec is an encryption scheme secure under chosen doule encryption. Lemma 3. HyB and HyC are computationally indistinguishale. Proof. Let m e the output size of the circuits C 0, C 1 selected y the adversary. For i = 1,..., m, we rely on the following sequence of su-hyrids: 1. Via a sequence of su-su-hyrids, change the configurations of oth C active and C passive so that the i th output gate is in InputDepSimGate mode (has a lack pele on it. This follows using the same argument as in [HJO + 16]. 2. Change the i th s-gate from sgate active to sgate passive (see Figure 4. This change relies on property (* and the CPA-security of the encryption scheme Γ used to garle the gates. In particular, this change requires changing the contents of the ciphertexts Enc l 0(Enc r 1(? and Enc l1 (Enc r 0(? in s-gate. However, since C 0 (x 0 = C 1 (x 1 y property (* the only keys that are used as plaintexts in other garled gates in this hyrid are either (l 0, r 1 or (l 1, r 0. In either case, we can rely on encryption security to change the contents of the aove two ciphertexts. 3. Via a sequence of su-su-hyrids, change the configurations of oth C active and C passive ack so that all gates are in RealGate mode (no peles. This is the same as step 1 in reverse. 13

15 From lemmas 1,2, 3, it follows that Game 0 and Game 1 are computationally indistinguishale which proves our main result, summarized in the following theorem. Theorem 1. Assuming the existence of one-way functions, NGC is adaptively indistinguishale with online complexity (n + tpoly(λ for all circuits in C [poly(λ, t]. Using the peling strategies from [HJO + 16] summarized in Appendix D we get the following ounds. Lemma 4. Any circuit C of depth d, width w, with input size n and output size m, is in the class C [γ, t] with either of the following two settings of γ, t: γ = 2 (2d+1 m steps using t = 2d lack peles. γ = 4 C steps using t = 2w lack peles. Plugging the aove lemma into Theorem 1 we get the following corollary. Corollary 1. Assuming the existence of one-way functions, NGC is adaptively indistinguishale with online complexity n poly(λ for all circuits with either linear width w = O(n or logarithmic depth d = O(log n. Note that any computation which can e performed in linear space can e represented y a circuit with linear width. Therefore the aove covers all linear space computations. 7 Application: Private-key Adaptively Secure Functional Encryption Overview. Our new garling scheme can e used to implement a private-key functional encryption ( [SW05, BSW11] ased on one-way functions, with indistinguishaility ased security where the adversary can otain an unounded numer of function secret keys and then adaptively a single challenge ciphertext (the formal definition is provided in Sec In our scheme (descried in Fig. 8, the functional keys are garled circuits computed according to (a slightly modified version of NGCircuit, and the ciphertext for a message m corresponds to the garling of the input m. Since a single garled input should e used to evaluate multiple garled circuits, we slightly tweak the construction of our garling scheme so to allow an initial state that is used upon each invocation of the garling function. We explain this modification in greater length in Sec Definition A private-key functional encryption scheme Π, over a message space M = {M λ } λ and a circuit space C = {C λ } λ is a tuple of PPT algorithms (Π.FE.Setup, Π.FE.KeyGen, Π.FE.Enc, FE.Dec defined as follows: Π.FE.Setup(1 λ : The setup algorithm takes as input the unary representation of the security parameter, and outputs a secret key MSK. Π.FE.KeyGen(MSK, C: The key-generation algorithm takes as input a secret key MSK and a circuit C C λ and outputs a functional key sk C. Π.FE.Enc(MSK, m: The encryption algorithm takes as input a secret key MSK and a message m M λ and outputs a ciphertext CT. Π.FE.Dec(sk C, CT The decryption algorithm takes as input a functional key sk C and a ciphertext CT, and outputs m M λ { }. The correctness property requires that there exists a negligile function negl( such that for all sufficiently large λ N, for every message m M λ, and for every circuit C C λ it holds that: P r[fe.dec(π.fe.keygen(msk, C, FE.Enc(MSK, m = C(m] 1 negl(λ where MSK = FE.Setup(1 λ and the proaility is taken over the random choices of all algorithms. 14

16 For any PPT adversary A, there exists a neg- Many Functions Single Message Adaptive Security. ligile function ε such that: Pr[Exp Private FE A,Π,Ind (λ, 0 = 1] Pr[Exp Private FE (λ, 1 = 1] ε(λ A,Π,Ind where the experiment Exp Private FE A, Ind (λ, is defined as follows: 1. Query. The adversary A specifies circuits C 1, C 2,.... It then otain functional keys sk 1, sk 2,... which are created as follow: Run MSK = Π.FE.Setup(1 λ. Let q e the numer of queries. i [q], sk i = Π.FE.KeyGen(MSK, C i. 2. Challenge. The adversary A specifies messages m 0, m 1, such that for all i [q], C i (m 0 = C i (m 1 and otains CT, which is created as follows: CT = Π.FE.Enc(MSK, m 3. Output. Finally, the adversary outputs a it, which is the output of the experiment. 7.2 Construction Our private-key functional encryption scheme is depicted in Figure 8. The FE.Setup algorithm generates the keys that need to e shared y all garled circuits. Such keys are: (1 the keys for the input wires (i.e., K L, K R (2 the keys for the outer somewhere-equivocal encryption seenc (i.e., key L, key R. The FE.Setup also sets the flag active. The FE.KeyGen algorithm generates a garled circuit according to procedure NGCircuit which is a slight modification of NGCircuit (shown in Figure 4 that enales to use a single garled input to evaluate many garled circuits generated at different times. The modifications are: (1 instead of running procedure GCircuit(1 λ, C (descried in Figure 1 which would select fresh keys for the input wires and for the outer encryption it runs a slightly modified procedure GCircuit (1 λ, C, Input keys which takes such keys as an external input; (2 the encryption algorithm seenc used in GCircuit, is also slightly modified so that it allows locks to e encrypted in a streaming fashion (that is, instead of having a one-time encryption of n locks, we allow for many encryptions, where the total numer of encrypted locks is overall N where N is an upperound (e.g., 2 λ. In Appendix B we discuss why this modification (that we call seenc follows naturally from the implementation of seenc provided in [HJO + 16]. The FE.Enc algorithm takes in input a message m and simply runs the procedure GInput(m, Input keys to select the keys for m. The ciphertext then consists of the keys for the garled inputs, and the keys for the outer encryption key R, key L. Note that the size of the ciphertex depends on the length of the input and the length of the keys key R, key L for somewhere-equivocal encryption. Finally the decryption algorithm simply consists of the evaluation of the garled circuits. 7.3 Security Proof In this section we show that protocol in Figure 8 is a private-key functional encryption scheme that is adaptively secure for many function queries and a single message query (according to Definition 7.1. Let Game 0, e the experiment Exp Private FE A,Π,Ind (λ, 0 where the adversary receives encryption of m 0, and let Game 1 e the experiment Exp Private FE A,Π,Ind (λ, 1. The proof of security consists of a sequence of hyrid games from Game 0 to Game 1, and each hyrid is computational indistinguishale. We now argue that this sequence of hyrids follows exactly the hyrids provided in the proof of Theorem 1. Recall that in the security experiment Exp Private FE A,Π,Ind (λ,, A sends all function queries C 1, C 2,..., C q at the eginning in one-shot. Concretely, y instantiating the experiment with Π, when A sends functional queries C 1, C 2,..., C q, she otains: ( Functional Keys: 1 [CL, C 1 R, SG 1 ],..., [C q L, C q R, SG q ] where SG j is the selection circuit sgate associated to C j L, C j R. 15