Pushing the Limits of Valiant's Universal Circuits: Simpler, Tighter and More Compact

A universal circuit (UC) is a general-purpose circuit that can simulate arbitrary circuits (up to a certain size n). Valiant provides a k-way recursive construction of UCs (STOC 1976), where k tunes the complexity of the recursion. More concretely, Valiant gives theoretical constructions of 2-way and 4-way UCs of asymptotic (multiplicative) sizes 5n log n and 4.75n log n respectively, which matches the asymptotic lower bound Omega(n log n) up to some constant factor. Motivated by various privacy-preserving cryptographic applications, Kiss et al. (Eurocrypt 2016) validated the practicality of 2-way universal circuits by giving example implementations for private function evaluation. Gunther et al. (Asiacrypt 2017) and Alhassan et al. (J. Cryptology 2020) implemented the 2-way/4-way hybrid UCs with various optimizations in place towards making universal circuits more practical. Zhao et al. (Asiacrypt 2019) optimized Valiant's 4-way UC to asymptotic size 4.5n log n and proved a lower bound 3.64n log n for UCs under Valiant's framework. As the scale of computation goes beyond 10-million-gate (n = 10(7)) or even billion-gate level (n = 10(9)), the constant factor in UC's size plays an increasingly important role in application performance. In this work, we investigate Valiant's universal circuits and present an improved framework for constructing universal circuits with the following advantages. Simplicity. Parameterization is no longer needed. In contrast to those previous implementations that resorted to a hybrid construction combining k = 2 and k = 4 for a tradeoff between fine granularity and asymptotic size-efficiency, our construction gets the best of both worlds when configured at the lowest complexity (i.e., k = 2). Compactness. Our universal circuits have asymptotic size 3n log n, improving upon the best previously known 4.5n log n by 33% and beating the 3.64n log n lower bound for UCs constructed under Valiant's framework (Zhao et al., Asiacrypt 2019). Tightness. We show that under our new framework the UC's size is lower bounded by 2.95n log n, which almost matches the 3n log n circuit size of our 2-way construction. We implement the 2-way universal circuit and evaluate its performance with other implementations, which confirms our theoretical analysis.