1 Introduction

Garbling schemes are ubiquitous to cryptography. Their notable applications include secure computation on the web [GHV10, HLP11], constructions of functional encryption [SS10, GVW12, GKP+12], one-time programs [GKR08], delegation of computation [GGP10, AIK10], and garbled RAMs [GHL+14, GLOS15]. In fact, there are many more applications under the umbrella of randomized encodings, which are implied by garbling schemes. These applications include parallel cryptography [AIK04, AIK06], bootstrapping theorems in functional encryption and indistinguishability obfuscation [ABSV15, App14a], and key-dependent message security [BHHI10, App14b]. More recently, garbling schemes were also crucially used to solve two longstanding open problems in cryptography: achieving two-round passively secure MPC [GS17, BL18, GS18c] and identity-based encryption from weaker assumptions [DG17, BLSV18, DGHM18].

A garbling scheme allows for efficiently encoding a circuit C, represented by \(\left\langle C \right\rangle \) (also referred to as garbled circuit), and separately encoding an input x, represented by \(\left\langle x \right\rangle \). We require that given \(\left\langle C \right\rangle \) and \(\left\langle x \right\rangle \), it is possible to efficiently recover C(x) and moreover, the encodings should not leak anything beyond (CC(x))Footnote 1. This notion was first introduced by Yao [Yao82, Yao86] as a technique to solve two-party secure computation (a full proof of this application was only given much later by Lindell and Pinkas [LP09]). More than three decades later, proposing new constructions of garbling schemes is still an active and fascinating research direction.

While the traditional notion of garbling schemes considers encoding circuits, this notion can be generalized for other models of computation. In particular, we consider garbling Turing machines; this notion is often referred to as succinct garbling schemes [BGL+15, CHJV15, KLW15]. The non-triviality in this setting is to encode both the Turing machine M and the input x in time independent of the runtime of M. In more detail, we require that the time to garble a Turing machine M should be polynomial in \(\lambda \) (security parameter) and |M| while the time to encode an input x should be polynomial in \(\lambda \) and |x|. For decoding, we require that it should only take time polynomial in \(\lambda \) and t to recover M(x), where t is the runtime of M on x.

Succinct garbling schemes have been used in many applications including time-lock puzzles [BGJ+16], concurrent zero-knowledge [CLP15], indistinguishability obfuscation for Turing machines [BGL+15, CHJV15, KLW15] and delegation for deterministic computations [BGL+15, CHJV15, KLW15]. In terms of constructions, the initial works of [BGL+15, CHJV15] proposed succinct garbling schemes with the caveat that the size of the garbled Turing machine grows with the maximum space taken by the Turing machine during its execution. Subsequently, Koppula et al. [KLW15] showed how to get rid of this caveat and presented a construction of succinct randomized encodings (a notion where M and x are encoded together) assuming indistinguishability obfuscation and one-way functions.

It is worth noting that the approach taken by [BGL+15] differs substantially from the approach taken by [CHJV15, KLW15] to obtain succinct randomized encodings. The construction of [BGL+15] is very simple to describe: they succinctly garble a Turing machine M (running in time at most T) by outputting an obfuscated program that on input \(i\le T\) outputs the ith garbled table of a Yao garbled circuit [Yao82, Yao86, LP09] associated to a circuit C representing M’s computation. One might hope that this already yields a fully succinct garbling scheme, but the security proof of [BGL+15] requires hardwiring O(s) bits of information in the obfuscated program when M requires space s, so this does not yield a fully succinct garbling scheme (which [KLW15] does achieve).

While the final result has an undesirable dependence on s, the [BGL+15] approach has the advantage of relying only on obfuscation for circuits of input length \(\log (T) = O(\log (\lambda ))\) and hence can be proved secure assuming the existence of polynomially secure functional encryption [AJ15, BV15, LZ17, LT17]. The approach of [CHJV15, KLW15] does not share this property, and indeed there is currently no known construction of fully succinct garbling from (poly-secure) FE. In general, there are a few primitives (such as trapdoor permutations and non-interactive key exchange) known to follow from FE [GPS16, GS16, GPSZ17, LZ17] while many others (such as NIZK [SW14, BP15], deniable encryption [SW14], and long output secure function evaluation [HW15]) we know only how to construct from IO (see [LZ17] for a more detailed discussion). One of our main goals is to understand whether constructing succinct garbling schemes requires the full power of IO in this sense.

Rather intriguingly, the progress on succinct randomized encodings followed a similar pattern to progress on the problem of constructing adaptively secure circuit garbling schemes. There is a simple transformation [BHR12] from selectively secure garbling schemes to adaptively secure garbling schemes in which the online complexity (that is, the size of the input encoding) grows with the circuit size. Subsequent to [BHR12], the work of [HJO+16] showed how to achieve adaptive schemes with online complexity that only depends on the width w of the circuit (from one-way functions) or depth d of the circuit (from \(2^{-O(d)}\)-secure one-way functions). Following [HJO+16], the works of [JW16, JSW17] present additional constructions of adaptive circuit garbling schemes. Finally, a beautiful work of Garg and Srinivasan [GS18a] showed how to achieve adaptive garbling schemes with online complexity \(|x|+\mathrm {poly}(\log (|C|,\lambda )\) assuming either the computational Diffie-Hellman (CDH) or learning with errors (LWE) assumption.

We note that the measure of width complexity in the case of circuits is related to the measure of space complexity in the case of Turing machines. Indeed, we can transform a Turing machine M that requires space s on inputs of length n into a circuit of width \(O(n+s)\); similarly, a circuit of width w can be simulated by a Turing machine which takes space at most O(w). Moreover, there are actually major similarities between the security proofs of [HJO+16] (for their width-dependent adaptive garbling scheme) and [BGL+15] (for their space-dependent succinct garbling scheme). At a high level, both require opening up the [LP09] proof of security for Yao’s garbling scheme and make use of the fact that security is argued by a gate-by-gate hybrid argument.

These similarities present the possibility of transporting some of the techniques from the adaptive garbling literature in order to construct new and improved succinct garbling schemes. In particular, we ask: can the ideas from [GS18a] be used to construct succinct garbling?

1.1 Our Contributions

We give a new construction of succinct garbling schemes using the ideas of [GS18a]. Unlike the work of [KLW15]Footnote 2 based on sub-exponentially secure compact functional encryption, our construction is based on polynomially secure compact functional encryption and polynomially secure CDH/LWE. As an added advantage, our construction is conceptually simpler. Instead of using IO/FE to compress a Yao garbled circuit as in [BGL+15], we compress an appropriately modified [GS18a] garbled circuit.

To prove security, we identify a property, termed as local simulation, of selectively secure garbling schemes for circuits that when combined with other tools yields succinct garbling schemes. To describe this property, we first recall the security experiment of garbling schemes. To prove that a given garbling scheme is secure, one needs to exhibit a simulator with the following property: given just the circuit C and the output C(x), it can output a simulated garbled circuit and input encoding that is indistinguishable from an honest garbled circuit and input encoding. Typically this indistinguishability is shown by a sequence of hybrids: in every step, a hybrid simulator is defined to take an input C and x produces the simulated garbling and input encoding. The first hybrid defines the honest garbling of C and the honest encoding of x, while the final hybrid defines the simulated distribution. At a bare minimum, our notion of local simulation captures a class of such hybrid arguments wherein the simulation of garbled circuit is divided into blocks and in every hybrid, only a small \(L_{\mathsf {sim}}\)-sized subset of blocks are simulated using C and x while the rest are simulated only using C. We observe that this seemingly artificial property is already satisfied by current known schemes [Yao86, GS18a].

To make the local simulation notion useful for applications, we need to consider strengthenings of this notion. We formalize the above informal description of local simulation and call this weak local simulation; correspondingly the garbling scheme will be called a weak locally simulatable garbling scheme (weak LSGS). We consider two strengthenings: (i) strong locally simulatable garbling schemes (strong LSGS) and (ii) semi-adaptive locally simulatable garbling schemes (semi-adaptive LSGS). Both the notions of semi-adaptive LSGS and strong LSGS imply weak LSGS and will be parameterized by \((L_{\mathsf {sim}},L_{\mathsf {inp}})\), where \(L_{\mathsf {inp}}\) refers to the online complexity of the garbling scheme.

We now state our results on succinct garbling.

We prove the following theorem.

Theorem 1

(Main Theorem) Assuming single-key compactFootnote 3 public-key functional encryption for circuitsFootnote 4 and X, where \(X \,{\in }\, \{\text {Computational Diffie-Hellman},\,\text {Factoring},\text { Learning with Errors}\}\), there exists a succinct garbling scheme for Turing machines.

Previous constructions of succinct garbling schemes were based on indistinguishability obfuscationFootnote 5 (implied by sub-exponentially secure compact functional encryption) and one-way functions [KLW15]. This is the first work to show the feasibility of succinct garbling schemes from falsifiable assumptions. Moreover, [KLW15] is significantly more involved whereas our construction is conceptually simpler. We note that several works subsequent to [KLW15] use their construction to achieve various primitives including garbled RAM [CH16, CCC+16, CCHR16, ACC+16], constrained PRFs for Turing machines [DKW16], indistinguishability obfuscation for Turing machines with constant overhead [AJS17a], patchable indistinguishability obfuscation [AJS17b, GP17] and so on. We hope that our simpler construction will correspondingly yield simpler presentation of these applications as well.

One new consequence of the above theorem is that we obtain collusion-resistant functional encryption for Turing machines from collusion-resistant functional encryption for circuits and standard assumptions; this follows from [AS16].

We prove Theorem 1 in two steps. First, we prove the following proposition.

Proposition 1

(Informal). Assuming strong \((L_{\mathsf {sim}},L_{\mathsf {inp}})\)-LSGS and compact functional encryption for circuits, there exists a succinct garbling scheme in which the complexity of garbling a Turing machine M is \(\mathrm {poly}(\lambda ,|M|,L_{\mathsf {sim}})\) and the complexity of encoding x is \(L_{\mathsf {inp}}(\lambda ,|x|,m)\), where m is the output length of M.

Once we prove the above proposition, we show how to instantiate strong LSGS from laconic oblivious transferFootnote 6 to obtain our result.

Proposition 2

(Informal). Assuming laconic oblivious transfer, there exists a strong \((L_{\mathsf {sim}},L_{\mathsf {inp}})\)-LSGS with \(L_{\mathsf {sim}}=\mathrm {poly}(\lambda )\).

Since laconic oblivious transfer can be instantiated from CDH, factoring, LWE and other assumptions [CDG+17, DG17, BLSV18, DGHM18], this proves Theorem 1. In addition, we note (in full version) that laconic OTFootnote 7 can be constructed from IO and one-way functions; combined with the above propositions, this says that our succinct garbling scheme can also be instantiated from IO and OWFs alone (giving an alternative construction to [KLW15]).

We note that the garbling scheme of Yao [Yao86] also yields a strong \((L_{\mathsf {sim}},L_{\mathsf {inp}})\)-LSGS with \(L_{\mathsf {sim}}\) proportional to the width of the circuit being garbled. Combining this with Proposition 1, we get a succinct garbling scheme for small space Turing machines; this is essentially the same scheme as that of [BGL+15].

Next, we show how to construct adaptive circuit garbling schemes using our notion of (semi-adaptive) LSGS. First, we recall the definition of adaptive circuit garbling schemes. In the adaptive security experiment, an adversary can submit the circuit C and the input x in any order; specifically, it can choose the input as a function of the garbled circuit or vice versa. We show,

Theorem 2

(Informal). Assuming semi-adaptive \((L_{\mathsf {sim}},L_{\mathsf {inp}})\)-LSGS and one-way functions, there exists an adaptively secure circuit garbling scheme with online complexity \(L_{\mathsf {inp}}+ \mathrm {poly}(\lambda ,L_{\mathsf {sim}})\).

This theorem can be seen as an abstraction of what the somewhere equivocal encryption-based technique of [HJO+16] can accomplish. For example, the semi-adaptive LSGS can be instantiated from laconic oblivious transfer, recovering the result of [GS18a]. The theorem below follows from a previous work [GS18a].

Theorem 3

([GS18a]). Assuming laconic oblivious transfer, there exists a semi-adaptive \((L_{\mathsf {sim}},L_{\mathsf {inp}})\)-LSGS scheme with online complexity \(L_{\mathsf {inp}}(\lambda ,n,m)=n+m+\mathrm {poly}(\lambda )\) and \(L_{\mathsf {sim}}=\mathrm {poly}(\lambda )\), where n and m denote the input and output lengths for the circuit.

We note that Yao’s garbling scheme is also a semi-adaptive \((L_{\mathsf {sim}},L_{\mathsf {inp}})\)-LSGS with \(L_{\mathsf {sim}}\) being proportional to the width of the circuit and thus, combining the above two theorems we get an adaptively secure circuit garbling scheme with the online complexity proportional to the width of the circuit. This construction is essentially the same as the width-based construction of [HJO+16], with a more modular security proof.

We summarise the results in Fig. 1.

Fig. 1.
figure 1

Summary of results.

Full size image

1.2 Concurrent Work

In concurrent and independent work, Garg and Srinivasan [GS18b] give a construction of succinct randomized encodings from IO (and laconic OT) that implicitly relies on only IO for logarithmic length inputs, and hence polynomially-secure functional encryption. While their work is phrased differently from this work (in particular, they give a direct construction without considering the abstraction of local simulatability), the basic SRE constructions are essentially the same.

1.3 Technical Overview

We first recall the garbling scheme of Yao [Yao86] and describe an overview of its security proof. Yao’s scheme will serve as a starting point to understanding the definition of locally simulatable garbling schemes.

Yao’s Garbling Scheme [Yao86]. Consider a boolean circuit \(C:\{0,1\}^{\ell } \rightarrow \{0,1\}\) comprising only of NAND gates. For ease of presentation, we assume that C is layered such that all gates that are at the same distance from the output gate belong to the same layer. Moreover, every intermediate wire in the circuit connects two gates in adjacent layers.

The first step in the garbling of a circuit C is to generate two wire keys \(K_w^0\) and \(K_w^1\) for every wire w in the circuit. Next, associate with every gate G a garbled table consisting of four entries \((\mathsf {CT}_{00},\mathsf {CT}_{01},\mathsf {CT}_{10},\mathsf {CT}_{11})\). For \(b_0,b_1 \in \{0,1\}\), \(\mathsf {CT}_{b_0b_1}\) is an encryption of \(K_{w_c}^{\text {NAND}(b_0,b_1)}\) under the two keysFootnote 8 \(K_{w_a}^{b_0}\) and \(K_{w_b}^{b_1}\). Wires \(w_a\) and \(w_b\) are input wires of G and \(w_c\) is the output wire of G. Finally, permute the garbled table \((\mathsf {CT}_{00},\mathsf {CT}_{01},\mathsf {CT}_{10},\mathsf {CT}_{11})\). The garbling of C consists of permuted garbled tables associated with every gate in the circuit. The input encoding of x consists of keys \(K_{w_i}^{x_i}\), where \(w_i\) is the \(i^{th}\) input wire of C and \(x_i\) is the \(i^{th}\) bit of x. Also part of the input encoding is a translation table that maps 0 to \(K_{w_{\text {out}}}^0\) and 1 to \(K_{w_{\text {out}}}^1\), where \(w_{\text {out}}\) is the output wire of C.

Selective Security of Yao’s Garbling Scheme: To show that Yao’s garbling scheme is secure we need to demonstrate a probabilistic polynomial time simulator \(\mathsf {Sim}\) that given (CC(x)) (and in particular, x is not given) outputs a simulated garbling of C and a simulated input encoding. \(\mathsf {Sim}\) is defined as follows: every wire w is only associated with a single key \(K_w\). Associated with every gate G is a garbled table consisting of \((\mathsf {CT}_{1},\mathsf {CT}_{2},\mathsf {CT}_{3},\mathsf {CT}_{4})\), where: for a randomly picked index \(i^* \in [4]\), (i) \(\mathsf {CT}_{i^*}\) is an encryption of \(K_{w_c}\) under keys \(K_{w_a}\) and \(K_{w_b}\), (ii) for \(i \ne i^*\), \(\mathsf {CT}_i\) is an encryption of 0 under two randomly chosen secret keys (and in particular these two keys are not used anywhere). The simulated garbling of C consists of the simulated garbled tables associated with every gate in the circuit. The input encoding consists of the keys \(\{K_w\}\) for every input wire w. In addition, it consists of the translation table that maps C(x) to \(K_{w_{\text {out}}}\) and maps \(\overline{C(x)}\) to \(K'_{w_{\text {out}}}\), where \(K'_{w_{\text {out}}}\) is generated afresh.

The indistinguishability of the output of \(\mathsf {Sim}\) from an honestly generated garbled circuit and input encoding can be argued by a hybrid argument explicitly described in [HJO+16]. This hybrid argument will be associated with a sequence of intermediate simulators \(\mathsf {Sim}_1,\ldots ,\mathsf {Sim}_q\). Except \(\mathsf {Sim}_q\), all the other simulators take as input circuit and the input; (Cx). The final simulator \(\mathsf {Sim}_q\) takes as input (CC(x)). \(\mathsf {Sim}_1\) computes the garbling of C and the input encoding of x as dictated by the scheme. The final intermediate simulator \(\mathsf {Sim}_q\) is identical to \(\mathsf {Sim}\).

The \(i^{th}\) intermediate simulator \(\mathsf {Sim}_i\) works as follows: for every wire w such that w is the output wire of a \(j^{th}\) layer for \(j \ge i\), sample two keys \(K_{w}^0\) and \(K_w^1\). For any other wire w, sample a single wire key \(K_w\). The simulator consists of two components:

  • Input-Dependent Simulation. This component takes as input (Cx) and simulates all the garbled gates in the \(i^{th}\) layer of C. For every gate G (with input wires \(w_a,w_b\) and output wire \(w_c\)) in the \(i^{th}\) layer, generate a garbled table \((\mathsf {CT}_{1},\mathsf {CT}_{2},\mathsf {CT}_{3},\mathsf {CT}_{4})\), where for a randomly picked index \(i^* \in [4]\), (i) \(\mathsf {CT}_{i^*}\) is an encryption of \(K_{w_c}^{\mathsf {val}(w_c)}\) under keys \(K_{w_a}\) and \(K_{w_b}\), (ii) for \(i \ne i^*\), \(\mathsf {CT}_i\) is an encryption of 0 under two randomly chosen secret keys (and in particular these two keys are not used anywhere). Here, \(\mathsf {val}(w_c)\) denotes the value assigned to the wire \(w_c\) during the evaluation of C on x.

  • Input-Independent Simulation. This component only takes as input C and simulates the garbled gates in all the layers except the \(i^{th}\) layer. There are two cases:

    -:

    for a gate G in the \(j^{th}\) layer, for \(j < i\), the simulation of the garbled gate for G is performed according to \(\mathsf {Sim}\).

    -:

    for a gate G in the \(j^{th}\) layer, for \(j > i\), the garbled gate for G is generated according to the scheme.

Once the computational indistinguishability of \(\mathsf {Sim}_i\) and \(\mathsf {Sim}_{i+1}\) is shown for every i, the security of the scheme follows.

Complexity of Input-Dependent Simulation. Observe that the output length of the input-dependent simulation component of every simulator \(\mathsf {Sim}_i\) is only proportional to the width of the circuit (in other words, the maximum length of any layer in C). This observation has been crucially exploited in two lines of work:

  • The work of [HJO+16] introduced the powerful tool of somewhere equivocal encryption (SEE) and showed how to combine it with the garbling scheme of Yao to obtain adaptive garbling schemes with online complexity that grows with the width of the circuit. Informally, somewhere equivocal encryption is used in conjunction with the above proof of security for Yao’s scheme: in each step of a hybrid argument, the input-dependent simulated gates are equivocated in the online phase of the adaptive security game. Since the number of input-dependent simulated gates is bounded by the width w of the circuit, the online complexity of this garbling scheme is proportional to w. Alternative proof strategies for Yao’s garbling scheme can be used instead of our sketch above to obtain, for example, the depth-based result of [HJO+16].

  • The work of [BGL+15] showed how to combine indistinguishability obfuscation for circuits and the garbling scheme of Yao to obtain a succinct garbling scheme for small-space Turing machines. To garble a Turing machine M that has worst-case runtime T, they construct an obfuscation of a circuit that takes as input an index i and outputs the garbled table corresponding to the ith gate of CFootnote 9. Security is argued by sequentially invoking the simulators \((\mathsf {Sim}_1,\ldots ,\mathsf {Sim}_{q})\) of Yao’s garbling scheme. Hardwiring the entire simulator’s output in the obfuscated circuit would ruin the encoding complexity of the succinct garbling scheme. However, it turns out that security can be argued when only the input-dependent simulation component is hardwired. This is exactly the reason why the encoding complexity of this succinct garbling scheme grows with the maximum space complexity of the Turing machines.

Locally Simulatable Garbling Schemes. We introduce the notion of a locally simulatable garbling scheme as an abstraction that connects the above proofs of adaptive security and succinctness for garbling schemes. We give a brief overview of the security property associated with a locally simulatable garbling scheme. The security property is parameterized by an integer \(L_{\mathsf {sim}}\) and a sequence of simulators \((\mathsf {Sim}_1,\ldots ,\mathsf {Sim}_{q})\) for some polynomial q. Every simulator \(\mathsf {Sim}_i\) consists of an input-dependent component and an input-independent component.

  • The input-dependent component of \(\mathsf {Sim}_i\) takes as input circuit C and input x to be simulated. We require that this component of \(\mathsf {Sim}_i\) is of size at most \(L_{\mathsf {sim}} \cdot \mathrm {poly}(\lambda )\) for some fixed polynomial \(\mathrm {poly}\).

  • The input-independent component of \(\mathsf {Sim}_i\) takes as input only the circuit C.

We require that the output distribution of \(\mathsf {Sim}_1\) is computationally indistinguishable from an honest generated garbling of C and honestly generated encoding of x. The output distributions of \(\mathsf {Sim}_i\) and \(\mathsf {Sim}_{i+1}\) are required to be computationally indistinguishable. Finally, we require that the final simulator \(\mathsf {Sim}_q\) does not have any input-dependent component and in particular, \(\mathsf {Sim}_q\) can simulate the garbled circuit and input encoding on input (CC(x)). We refer to this security property as weak local simulation security.

Note that Yao’s garbling scheme, using the security proof given in our outline, is a particular instantiation of a locally simulatable garbling scheme with \(L_{\mathsf {sim}}\) set to be the width of the circuit being garbled. The depth-based analysis of Yao’s garbling scheme given in [HJO+16] can also be seen as an instantiation of weak local simulation, albeit with \(q = 2^{O(d)}\) hybrids.

While the above security property captures the essence of local simulation, it does not suffice for either the application of adaptively secure garbling schemes or the application of succinct garbling schemes. To get around this, we strengthen the security definition in two ways, resulting in notions of semi-adaptive locally simulatable garbling schemes and strong locally simulatable garbling schemes.

Succinct Garbling from Strong LSGS. We define the notion of a strong locally simulatable garbling scheme and use it as an intermediate tool to construct a succinct garbling scheme. To motivate our definition, we will consider a candidate succinct garbling scheme (and proof strategy) from IO and a weak LSGS, and see what additional properties are required from the LSGS.

Generalizing the approach of [BGL+15], our candidate succinct garbling scheme is as follows: garbling a Turing machine M with a runtime bound T consists of computing an indistinguishability obfuscation of a circuit \(H_{M,T,\mathsf {MSK}}\) with hardwired values M, T and a master secret key \(\mathsf {MSK}\). This circuit takes as input an index \(i \le T\), constructs the \(i^{th}\) gate of C, where C is the circuit representing T steps of M’s computation on inputs of length n, and then outputs a garbling of this gate computed with respect to \(\mathsf {MSK}\). Encoding x consists of computing the input encoding of x with respect to the LSGS. Decoding proceeds by evaluating the obfuscated circuit on all indices ranging from 1 to T to obtain the different gate encodings. These encodings are then decoded to obtain the result.

We are already implicitly assuming some properties of the underlying LSGS in order for the above construction to make any sense at all. Specifically,

  • Our candidate implicitly assumes that a garbling of C is computed in a gate-by-gate fashion. To enable this, we introduce the notion of a local encoding of an LSGS, which guaratees that a garbling of C consists of components that are each computed in time independent of |C|; in particular, it must be computable from a small amount of information about C. In fact, we further require that this information about C is efficiently computable from M. In the case of Yao, this amounts to saying that an individual gate of C can be computed very efficiently from M.

  • A priori, the master secret key \(\mathsf {MSK}\) could be as large as \(|C| = \mathrm {poly}(T)\). Strictly speaking, this means that the above candidate is not succinct. To overcome this, we think of \(\mathsf {MSK}= (sk_1, \ldots , sk_N)\) and define a local key generation procedure that takes as input an index j and only generates the local secret key \(sk_j\). Then, the program H in our scheme takes as input an index i, determines the keys \(sk_j\) that are necessary to encode the \(i^{\text {th}}\) component of C, and then computes the \(i^{\text {th}}\) garbled component.

  • To identify the subset of keys to be locally generated for the \(i^{\text {th}}\) component, we define a key list generation procedure that takes as input i and outputs a list \(L_i\). This allows us to compress the potentially large \(\mathsf {MSK}\) using a pseudorandom function key.

  • The size of the input encoding of the succinct garbling candidate is exactly the same as the online complexity of the underlying strong LSGS scheme. Thus, in order for our scheme to be succinct, the online complexity of the underling LSGS scheme will have to be independent of T.

By carefully defining the above notions, we can guarantee that the program H is sufficiently small (polynomial in \(\lambda \)) so that the candidate garbling scheme is succinct. What remains is to prove security in a way such that programs \(H'\) that are obfuscated in the security proof are also small. This is the most subtle step; in particular, this is the step where [BGL+15] is limited to achieving succinctness that depends on the space of the Turing machine.

To prove the security of the above scheme, a naive approach would be to hardwire the entire simulated garbled circuit inside the obfuscation of \(H_{M,T,\mathsf {MSK}}\); however, this would violate succinctness. Instead, we want to leverage local simulation in the following way: in each of a sequence of hybrid circuits \((H_1, \ldots , H_q)\), only hardwire the input-dependent components of \(\mathsf {Sim}_i\), and instead include the code of the input-independent components of \(\mathsf {Sim}_i\) (which naively contains all of \(\mathsf {MSK}\)) inside \(H_i\). We would then hope to argue using some combination of IO security and LSGS security that adjacent hybrid programs in this sequence are indistinguishable.

If the size of the input-dependent portion is small, meaning polynomial in \(\lambda \), then we can hope to achieve succinctness using this proof strategy. This approach again implicitly assumes properties of the LSGS; namely, that the input-independent local simulators each require only a small portion of the master secret key (just as in the honest garbling case). This is required so that the hybrid circuit \(H_i\) is still small.

Unfortunately, the security argument above is flawed. The problem is that information about the master secret key \(\mathsf {MSK}\) is contained within the obfuscated program \(\tilde{H}\), so it is unclear how to argue that the input-dependent components of \(\mathsf {Sim}_i\) and \(\mathsf {Sim}_{i+1}\) (i.e. the components that are hardwired) are indistinguishable. Indeed, if the above strategy is not carefully implemented (e.g. if the program \(H_i\) actually reveals the entire \(\mathsf {MSK}\)), they will be distinguishable.

To circumvent these issues, we require that the input-dependent portion of the garbled circuit output by \(\mathsf {Sim}_i\) is indistinguishable from the corresponding input-dependent portion of the garbled circuit output by \(\mathsf {Sim}_{i+1}\) even in the presence of \(\{sk_j\}_{j \in S}\), where S consists of all indices accessed by the input-independent portion of the garbled circuit. In fact, we define a stronger property that allows the adversary to choose the keys \(\{sk_j\}_{j \in S}\).

In order to complete the hybrid argument, our proof strategy then works in two steps: first switch the input-dependent components of the simulated circuit from \(\mathsf {Sim}_i\) to \(\mathsf {Sim}_{i+1}\) (using the above strong LSGS security), and then switch the input-independent components from \(\mathsf {Sim}_i\) to \(\mathsf {Sim}_{i+1}\). Since we are actually including the code of these input-independent simulators within the obfuscated circuit, we must require that the input-independent components of \(\mathsf {Sim}_i\) and \(\mathsf {Sim}_{i+1}\) are functionally equivalent to invoke IO security.

To summarize, a strong LSGS must satisfy two main properties in order for the security of our succinct garbling scheme to be proved:

  • The input-dependent components of \(\mathsf {Sim}_i\) and \(\mathsf {Sim}_{i+1}\) must be indistinguishable even given all of the local secret keys necessary to compute the input-independent components of \(\mathsf {Sim}_i\).

  • The algorithms computing the input-independent components of \(\mathsf {Sim}_i\) and \(\mathsf {Sim}_{i+1}\) must be functionally equivalent.

Indeed, the security proof of [BGL+15] can be retroactively seen as invoking the above properties of Yao’s garbling scheme. For completeness, we sketch a proof (see the full version) that Yao’s garbling scheme satisfies this definition with \(L_{\mathsf {sim}}\) proportional to the width of the circuit.

Constructing Strong LSGS from Laconic OT. In order to complete the proof of Theorem 1, we show that the garbling scheme of [GS18a] can be adapted to satisfy our strong LSGS notion with \(L_{\mathsf {sim}}= \mathrm {poly}(\lambda )\). We begin by giving a high level description of the [GS18a] garbling scheme:

  • An encoding of an input x consists of (1) a somewhere equivocal encryption secret key, (2) a one-time pad encryption \(r\oplus x\) of x, (3) a hash value \(h_0 = H(r\oplus x || 0^{|C| - n})\) of an initial memory state for the computation, (4) a signature on \(h_0\), and (5) the one-time pads corresponding to each output gate. The hash function H is associated to a laconic OT scheme (we omit a discussion of laconic OT from this overview).

  • An encoding of a circuit C consists of \(s = |C|\) “garbled programs” maintaining the following invariant: after executing i such programs, the evaluator will have obtained a one-time pad encryption of the first \(n + i\) gates of C evaluated on the input x along with a hash of this one-time padded state and a signature on this hash value. The garbled programs are then jointly encrypted using a somewhere equivocal encryption scheme.

  • Simulation security is argued by a sequence of hybrid simulators; in a hybrid simulator, each garbled program is either computed via an input-independent simulator or an input-dependent simulator, and moreover only \(\mathrm {poly}(\lambda )\) garbled programs require input-dependent simulation. To prove adaptive security, the input-dependent simulated gates are equivocated as part of the input encoding.

We interpret the scheme of [GS18a] – after removing the somewhere equivocal encryption layer – as a LSGS by thinking of each garbled program above as one component of the LSGS. Indeed, we show that each garbled program in the [GS18a] scheme only requires a small amount of the garbling secret key and that the input-dependent components of \(\mathsf {Sim}_i\) and \(\mathsf {Sim}_{i+1}\) are indistinguishable even in the presence of adversarially chosen secret keys used for the other components. In fact, all but one of the properties of a strong LSGS as defined earlier can be demonstrated to hold for the [GS18a] scheme without modification.

The only problem with using the [GS18a] scheme as a strong LSGS is that computation of the initial hash value \(H(r\oplus x || 0^{|C| - n})\) requires O(|C|) time. Naively, this means that computing even the input encoding would take O(|C|) time, but [GS18a] note that if H is computed via a Merkle tree, the computation of \(H(0^{|C|-n})\) can be delegated to the garbled circuit and only \(H(r\oplus x)\) need be computed during the input encoding. However, computing \(H(0^{|C|-n})\) cannot be done locally (i.e. distributed in pieces to local components of the garbled circuit), which violates the local encoding property of a strong LSGS.

To circumvent this problem, we modify the [GS18a] scheme so that the initial hash value \(h_0 = H(r\oplus x)\) is a hash of only an n-bit string, and we redesign the garbled programs so that each step updates the one-time padded computation state by appending the next value. Instantiating this corresponds to a new notion of appendable laconic OT, which we define and construct generically from laconic OT. The local simulators for our new scheme remain essentially the same, and our previous security proof carries over to this modified version. We note that the same modification could be made to the [GS18a] adaptive garbled circuit construction, with the advantage that the more complicated notion of updatable laconic OT is not required, and hence the [GS18a] scheme can be somewhat simplified.

Combining this construction of strong LSGS from laconic OT with our construction of succinct garbling from FE and strong LSGS, we obtain Theorem 1.

Adaptive Garbling from Semi-Adaptive LSGS. In order to construct adaptive garbling schemes, it turns out that the notion of strong LSGS does not capture the essence of the adaptive security proof. We define a notion of semi-adaptive LSGS and show that a semi-adaptive LSGS can be used to construct adaptive circuit garbling schemes. We define the notion below.

The semi-adaptive security property is associated with a sequence of simulators \((\mathsf {Sim}_1,\ldots ,\mathsf {Sim}_q)\) for some polynomial \(q=q(\lambda )\). As before, the output of \(\mathsf {Sim}_i\) consists of an input-dependent component and an input-independent component. However, in this security definition, we allow the adversary to choose the input after he receives the input-independent component of the garbled circuit from the challenger. In particular, the adversary can choose the instance as a function of the input-independent component.

Our transformation from semi-adaptive LSGS to adaptive garbling is inspired by the work of [HJO+16]. In particular, our transformation abstracts out the usage of somewhere equivocal encryption in this and other prior works. In this transformation, the size of the input-dependent component (i.e. \(L_{\mathsf {sim}}\)) determines the size of the secret key in a somewhere equivocal encryption scheme, and hence plays a role in determining the online complexity of the adaptive garbling scheme. The online complexity of the resulting adaptively secure garbling scheme is the sum of \(\mathrm {poly}(\lambda ,L_{\mathsf {sim}})\) and the online complexity \(L_{\mathsf {inp}}\) of the semi-adaptive LSGS. This can be used to recover the result of [GS18a] (as well as that of [HJO+16]).