Paper 2021/531

LogStack: Stacked Garbling with $O(b \log b)$ Computation

David Heath and Vladimir Kolesnikov

Abstract

Secure two party computation (2PC) of arbitrary programs can be efficiently achieved using garbled circuits (GC). Until recently, it was widely believed that a GC proportional to the entire program, including parts of the program that are entirely discarded due to conditional branching, must be transmitted over a network. Recent work shows that this belief is false, and that communication proportional only to the longest program execution path suffices (Heath and Kolesnikov, CRYPTO 20, [HK20a]). Although this recent work reduces needed communication, it increases computation. For a conditional with $b$ branches, the players use $O(b^2)$ computation (traditional GC uses only $O(b)$). Our scheme LogStack reduces stacked garbling computation from $O(b^2)$ to $O(b \log b)$ with no increase in communication over [HK20a]. The cause of [HK20a]'s increased computation is the oblivious collection of garbage labels that emerge during the evaluation of inactive branches. Garbage is collected by a multiplexer that is costly to generate. At a high level, we redesign stacking and garbage collection to avoid quadratic scaling. Our construction is also more space efficient: [HK20a] algorithms require $O(b)$ space, while ours use only $O(\log b)$ space. This space efficiency allows even modest setups to handle large numbers of branches. [HK20a] assumes a random oracle (RO). We track the source of this need, formalize a simple and natural added assumption on the base garbling scheme, and remove reliance on RO: LogStack is secure in the standard model. Nevertheless, LogStack can be instantiated with typical GC tricks based on non-standard assumptions, such as free XOR and half-gates, and hence can be implemented with high efficiency. We implemented LogStack (in the RO model, based on half-gates garbling) and report performance. In terms of wall-clock time and for fewer than $16$ branches, our performance is comparable to [HK20a]'s; for larger branching factors, our approach clearly outperforms [HK20a]. For example, given $1024$ branches, our approach is $31\times$ faster.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A minor revision of an IACR publication in EUROCRYPT 2021
Keywords
2PCGarbled CircuitsConditional BranchingStacked Garbling
Contact author(s)
heath davidanthony @ gatech edu
kolesnikov @ gatech edu
History
2021-04-23: received
Short URL
https://ia.cr/2021/531
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/531,
      author = {David Heath and Vladimir Kolesnikov},
      title = {LogStack: Stacked Garbling with $O(b \log b)$ Computation},
      howpublished = {Cryptology ePrint Archive, Paper 2021/531},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/531}},
      url = {https://eprint.iacr.org/2021/531}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.