Private Circuits: A Modular Approach

We consider the problem of protecting general computations against constant -rate random leakage. That is, the computation is performed by a randomized boolean circuit that maps a randomly encoded input to a randomly encoded output, such that even if the value of every wire is independently leaked with some constant probability p > 0, the leakage reveals essentially nothing about the input. In this work we provide a conceptually simple, modular approach for solving the above problem, providing a simpler and self-contained alternative to previous constructions of Ajtai (STOC 2011) and Andrychowicz et al. (Eurocrypt 2016). We also obtain several extensions and generalizations of this result. In particular, we show that for every leakage probability p < 1, there is a finite basis Ig such that leakage-resilient computation with leakage probability p can be realized using circuits over the basis lg. We obtain similar positive results for the stronger notion of leakage tolerance, where the input is not encoded, but the leakage from the entire computation can be simulated given random p' -leakage of input values alone, for any p < < 1. Finally, we complement this by a negative result, showing that for every basis U there is some leakage probability p < 1 such that for any p' < 1, leakage tolerance as above cannot be achieved in general. We show that our modular approach is also useful for protecting computations against worst case leakage. In this model, we require that leakage of any t (adversarially chosen) wires reveal nothing about the input. By combining our construction with a previous derandomization technique of Ishai et al. (ICALP 2013), we show that security in this setting can be achieved with 0(t1+') random bits, for every constant s > 0. This (near-optimal) bound significantly improves upon previous constructions that required more than t3 random bits.