
Fast Evaluation of S-boxes with Garbled Circuits (2405.20713v1)

Published 31 May 2024 in cs.CR

Abstract: Garbling schemes are vital primitives for privacy-preserving protocols and secure two-party computation. This paper presents a projective garbling scheme that assigns $2^n$ values to wires in a circuit comprising XOR and unary projection gates. A generalization of FreeXOR allows the XOR of wires with $2^n$ values to be very efficient. We then analyze the performance of our scheme by evaluating substitution-permutation ciphers. Using our proposal, we measure high-speed evaluation of the ciphers with a moderately increased cost in garbling and bandwidth. Theoretical analysis suggests that for evaluating the nine examined ciphers, one can expect a 4- to 70-fold improvement in evaluation performance with, at most, a 4-fold increase in garbling cost and, at most, an 8-fold increase in communication cost compared to the Half-Gates (Zahur, Rosulek and Evans; Eurocrypt'15) and ThreeHalves (Rosulek and Roy; Crypto'21) garbling schemes. In an offline/online setting, such as secure function evaluation as a service, the circuit garbling and communication to the evaluator can proceed in the offline phase. Thus, our scheme offers a fast online phase. Furthermore, we present efficient Boolean circuits for the S-boxes of TWINE and Midori64 ciphers. To our knowledge, our formulas give the smallest number of AND gates for the S-boxes of these two ciphers.

Summary

  • The paper presents a novel garbling scheme that uses multi-bit wire encodings to efficiently handle XOR and projection gates in SPN ciphers.
  • It achieves significant evaluation speed improvements, showing up to a 70-fold acceleration with modest increases in garbling and communication costs.
  • The scheme enhances secure computation in practical applications like IoT-to-cloud processing and distributed authentication while advancing cryptographic theory.

Fast Evaluation of S-boxes with Garbled Circuits

The paper "Fast Evaluation of S-boxes with Garbled Circuits" by Erik Pohle, Aysajan Abidin, and Bart Preneel presents a novel garbling scheme designed to improve the efficiency of evaluating substitution-permutation network (SPN) ciphers. This scheme introduces a projective approach that assigns $2^n$ values to wires in the circuit, thus generalizing the FreeXOR technique for higher bit-widths.

Overview

The primary contribution of this work is a garbling scheme where wire values are $n$-bit strings, as opposed to the traditional single-bit encodings. This approach allows for the efficient handling of XOR operations while maintaining the privacy and security properties typical of garbled circuit protocols. The specific wire encoding and gate operational definitions are central to this improvement.

  1. Wire Label Offsets: The paper defines wire label offsets as vectors of length $k = \kappa + n$, where $\kappa$ is the security parameter. These labels consist of $\kappa$ random bits and $n$ fixed bits arranged in a matrix.
  2. XOR Gates: XOR operations are performed with negligible cost, akin to the FreeXOR optimization, allowing for efficient linear computations.
  3. Projection Gates: Unary projection gates handle non-linear transformations by garbling $n$-bit to $m$-bit conversions. This involves $2^n$ ciphertexts, reduced by one using garbled row reduction.
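As an added illustration (not code from the paper or its authors), the following toy Python model puts these three ingredients together: labels made of $\kappa$ random bits plus $n$ colour bits, free XOR through shared per-bit offsets, and a unary projection gate that ships $2^n - 1$ ciphertexts after row reduction. The offset layout, the constructed 4-bit S-box, the reduced $\kappa = 64$, and SHA-256 with a gate tweak standing in for the paper's hash $H$ are all assumptions of this example.

```python
import hashlib, secrets
from dataclasses import dataclass
KAPPA = 64  # security parameter: random bits per label (the paper's kappa, reduced for the example)
SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # constructed 4-bit S-box

@dataclass(frozen=True)
class Label:
    rand: int   # kappa random bits
    color: int  # n fixed bits the evaluator may see; selects the garbled row
    n: int      # bit-width of the wire value, so the label has k = kappa + n bits
    def __xor__(self, other):  # free XOR: labels of equal-width wires just XOR
        assert self.n == other.n
        return Label(self.rand ^ other.rand, self.color ^ other.color, self.n)

def H(label, gate_id, m):
    # Tweaked hash of a label into a fresh m-bit-wire label (SHA-256 stands in for the paper's H)
    data = gate_id.to_bytes(4, "big") + label.rand.to_bytes(KAPPA // 8, "big") + bytes([label.color, label.n])
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return Label((h >> m) & ((1 << KAPPA) - 1), h & ((1 << m) - 1), m)

class Garbler:
    def __init__(self, max_width):
        # One global offset per value bit (generalised FreeXOR delta); its fixed part is the
        # unit vector e_i, so the colour of the label encoding x is zero.color ^ x.
        self.R = [secrets.randbits(KAPPA) for _ in range(max_width)]
    def new_wire(self, n):  # zero-label of a fresh n-bit wire
        return Label(secrets.randbits(KAPPA), secrets.randbits(n), n)
    def label_of(self, zero, x):  # label of value x = zero-label XOR offsets of the set bits of x
        r = zero.rand
        for i in range(zero.n):
            if (x >> i) & 1:
                r ^= self.R[i]
        return Label(r, zero.color ^ x, zero.n)
    def decode(self, zero, lab):  # output decoding: recover x and check the label is genuine
        x = lab.color ^ zero.color
        assert self.label_of(zero, x) == lab
        return x
    def garble_proj(self, zero_in, f, m, gate_id):
        # Projection gate x -> f(x), n bits in, m bits out. Row reduction: the value with colour 0
        # (x = zero_in.color) defines the output zero-label, so its row is all-zero and omitted.
        zero_out = self.label_of(H(self.label_of(zero_in, zero_in.color), gate_id, m), f(zero_in.color))
        rows = [None] * ((1 << zero_in.n) - 1)
        for x in range(1 << zero_in.n):
            lab_in = self.label_of(zero_in, x)
            if lab_in.color:
                rows[lab_in.color - 1] = H(lab_in, gate_id, m) ^ self.label_of(zero_out, f(x))
        return rows, zero_out

def eval_proj(lab_in, rows, m, gate_id):  # evaluator: one hash and at most one XOR
    h = H(lab_in, gate_id, m)
    return h if lab_in.color == 0 else h ^ rows[lab_in.color - 1]
```

The evaluator never touches the offsets or the S-box table; it only hashes its single input label and selects a row by the visible colour bits, which is why the online phase stays cheap while the garbler pays for all $2^n$ rows.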

Performance Analysis

The authors substantiate the performance benefits of their scheme by evaluating it against several symmetric-key SPN ciphers, including AES, TWINE, and Midori. Notable performance metrics include:

  • Garbling Costs: The scheme incurs at most a 4-fold increase in garbling cost compared to existing schemes like Half-Gates and ThreeHalves.
  • Communication Costs: Communication overhead increases, but is capped at an 8-fold increase relative to the reference schemes.
  • Evaluation Speed: Theoretical analysis and practical results indicate a 4- to 70-fold improvement in evaluation performance across nine examined ciphers.

Experimental Implementation

The implementation for the SPN primitives takes advantage of the structure where non-linear components, particularly S-boxes, are efficiently processed using projection gates. The paper shows a significant reduction in the computation cost for the evaluator, translating to faster online phases in protocols where these garbling schemes are deployed.

For practical evaluation, several SPN ciphers were implemented. Benchmark results exhibited a remarkable improvement, with AES-128 evaluations, for instance, showing a speed-up from 0.722 ms to 0.016 ms. The performance gains are attributed to the minimized computational burden on the evaluator during the evaluation phase, a direct outcome of using the proposed garbling scheme.

Implications

The implications of this research are multifaceted:

  1. Practical Applications:
    • IoT-to-Cloud Secure Computation: The scheme facilitates efficient decryption of data encrypted by IoT devices before secure computation in the cloud. This decreases latency during the crucial online phase.
    • Distributed Authentication Protocols: In distributed Kerberos deployments, the scheme offers improved security by evaluating encryption and decryption operations without exposing secret keys.
  2. Theoretical Implications:
    • The research introduces and leverages the notion of $n$-TCCR (generalized tweakable circular correlation robustness) for the security of garbling schemes handling multi-bit wire values. This is a notable progression from previous single-bit TCCRs.
    • The modular design of the garbling scheme ensures it can be integrated with existing protocols and garbling schemes, benefiting a broader array of privacy-preserving computations.

Future Directions

Future work could explore further optimizations in the construction of the $n$-TCCR secure hash function $H$. Additionally, applying the scheme to other domains beyond SPN ciphers, such as zero-knowledge proofs, could reveal further performance and security benefits.

In conclusion, this paper not only provides a substantial step forward in the efficient evaluation of SPN ciphers using garbled circuits but also opens avenues for enhanced privacy-preserving protocols through innovative cryptographic constructs. The balance between theoretical rigor and practical application underscores its value to the cryptographic research community.