**How to Compress (Reusable) Garbled Circuits**

*Craig Gentry and Sergey Gorbunov and Shai Halevi and Vinod Vaikuntanathan and Dhinakaran Vinayagamurthy*

**Abstract: **A fundamental question about (reusable) circuit garbling schemes is: how small can
the garbled circuit be? Our main result is a reusable garbling scheme which
produces garbled circuits that are the same size as the
original circuit {\em plus} an additive $\mathsf{poly}(\secp,d)$ bits, where $\secp$
is the security parameter and $d$ is the circuit depth. Save the additive $\mathsf{poly}(\secp,d)$ factor, this is the
best one could hope for. In contrast, all previous constructions of even single-use
garbled circuits incurred a {\em multiplicative} $\mathsf{poly}(\secp)$ blowup.

Our techniques result in constructions of attribute-based and (single key secure) functional encryption schemes where the secret key of a depth $d$ circuit $C$ consists of $C$ itself, {\em plus} $\mathsf{poly}(\secp,d)$ additional bits. All of these constructions are based on the subexponential hardness of the learning with errors problem.

We also study the dual question of how short the garbled inputs can be, relative to the original input. We demonstrate a (different) reusable circuit garbling scheme, based on multilinear maps, where the size of the garbled input is the same as that of the original input, {\em plus} a $\mathsf{poly}(\secp,d)$ factor. Similar to the above, this also results in attribute-based and (single key secure) functional encryption schemes where the size of the ciphertext encrypting an input $x$ is the same as that of $x$, plus $\mathsf{poly}(\secp,d)$ additional bits.

**Category / Keywords: **Attribute-based Encryption, Functional Encryption, Reusable Garbled Circuits, Short Secret Key, Short Ciphertext

**Date: **received 24 Oct 2013, last revised 9 Dec 2013

**Contact author: **sergeyg at mit edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20131210:024928 (All versions of this report)

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]