Practical Garbled Circuit Optimizations

Mike Rosulek

Collaborators: David Evans / Vlad Kolesnikov / Payman Mohassel / Samee Zahur

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Garbled circuit framework [Yao86]

A0,A1

B0,B1

C0,C1

D0,D1

E0,E1

F0,F1

G0,G1

H0,H1

I0, I1

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 0

1 1 0

0 0 0

0 1 1

1 0 1

1 1 1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

Applications: 2PC and more

x y

garbled circuit f

garbled input x ,output wire labels

OT

input

wire labels

y

garbled y

f (x ,y )

Private function evaluation, zero-knowledge proofs, encryption with

key-dependent message security, randomized encodings, secure

outsourcing, one-time programs, . . .

Garbling is a fundamental primitive [BellareHoangRogaway12]

Applications: 2PC and more

x y

garbled circuit f

garbled input x ,output wire labels

OT

input

wire labels

y

garbled y

f (x ,y )

Private function evaluation, zero-knowledge proofs, encryption with

key-dependent message security, randomized encodings, secure

outsourcing, one-time programs, . . .

Garbling is a fundamental primitive [BellareHoangRogaway12]

Applications: 2PC and more

x y

garbled circuit f

garbled input x ,output wire labels

OT

input

wire labels

y

garbled y

f (x ,y )

Private function evaluation, zero-knowledge proofs, encryption with

key-dependent message security, randomized encodings, secure

outsourcing, one-time programs, . . .

Garbling is a fundamental primitive [BellareHoangRogaway12]

Applications: 2PC and more

x y

garbled circuit f

garbled input x ,output wire labels

OT

input

wire labels

y

garbled y

f (x ,y )

Private function evaluation, zero-knowledge proofs, encryption with

key-dependent message security, randomized encodings, secure

outsourcing, one-time programs, . . .

Garbling is a fundamental primitive [BellareHoangRogaway12]

Applications: 2PC and more

x y

garbled circuit f

garbled input x ,output wire labels

OT

input

wire labels

y

garbled y

f (x ,y )

Private function evaluation, zero-knowledge proofs, encryption with

key-dependent message security, randomized encodings, secure

outsourcing, one-time programs, . . .

Garbling is a fundamental primitive [BellareHoangRogaway12]

Applications: 2PC and more

x y

garbled circuit f

garbled input x ,output wire labels

OT

input

wire labels

y

garbled y

f (x ,y )

Private function evaluation, zero-knowledge proofs, encryption with

key-dependent message security, randomized encodings, secure

outsourcing, one-time programs, . . .

Garbling is a fundamental primitive [BellareHoangRogaway12]

Syntax [BellareHoangRogaway12]

Garble Encode

Eval

Decode

f

garbled circuit

decoding info

garbled

input

garbled

output

encoding

info

x f (x )

Security properties:

Privacy: (F ,X ,d ) reveals nothing beyond f (x )

Obliviousness: (F ,X ) reveals nothing

Authenticity: given (F ,X ), hard to find Y that decodes < {f (x ),⊥}

Syntax [BellareHoangRogaway12]

Garble Encode

Eval

Decode

f

garbled circuit F

decoding info d

garbled

input X

garbled

output Y

encoding

info e

x f (x )

Security properties:

Privacy: (F ,X ,d ) reveals nothing beyond f (x )

Obliviousness: (F ,X ) reveals nothing

Authenticity: given (F ,X ), hard to find Y that decodes < {f (x ),⊥}

Syntax [BellareHoangRogaway12]

Garble Encode

Eval

Decode

f

garbled circuit F

decoding info d

garbled

input X

garbled

output Y

encoding

info e

x f (x )

Security properties:

Privacy: (F ,X ,d ) reveals nothing beyond f (x )

Obliviousness: (F ,X ) reveals nothing

Authenticity: given (F ,X ), hard to find Y that decodes < {f (x ),⊥}

Parameters to optimize

computation

size

hardness assumption

Parameters to optimize

computation

size

hardness assumption

Average bits per garbled gate

1λ

2λ

3λ

4λ

5λ

1986 1990 1999 2008 2009 2014 2015

[BeaverMicaliRogaway]

[NaorPinkasSumner]

[KolesnikovSchneider]

[PinkasSchneiderSmartWilliams]

[KolesnikovMohasselRosulek]

[ZahurRosulekEvans]

[Yao,GoldreichMicaliWigderson]

DES

AES

SHA1

SHA256

Prediction: by 2026, all garbled circuits will have zero size.

Average bits per garbled gate

1λ

2λ

3λ

4λ

5λ

1986 1990 1999 2008 2009 2014 2015

[BeaverMicaliRogaway]

[NaorPinkasSumner]

[KolesnikovSchneider]

[PinkasSchneiderSmartWilliams]

[KolesnikovMohasselRosulek]

[ZahurRosulekEvans]

[Yao,GoldreichMicaliWigderson]

DES

AES

SHA1

SHA256

Prediction: by 2026, all garbled circuits will have zero size.

Average bits per garbled gate

1λ

2λ

3λ

4λ

5λ

1986 1990 1999 2008 2009 2014 2015

[BeaverMicaliRogaway]

[NaorPinkasSumner]

[KolesnikovSchneider]

[PinkasSchneiderSmartWilliams]

[KolesnikovMohasselRosulek]

[ZahurRosulekEvans]

[Yao,GoldreichMicaliWigderson]

DES

AES

SHA1

SHA256

Prediction: by 2026, all garbled circuits will have zero size.

Murky beginnings [Yao86]

A0,A1

B0,B1

C0,C1

EA0,B0 (C0)EA0,B1 (C1)EA1,B0 (C0)EA1,B1 (C0)

I Position in this list leaks semantic value

=⇒ permute ciphertexts

I Need to detect [in]correct decryptionI (Apparently) no one knows exactly what Yao had in mind:

I EK0,K1(M) = 〈E (K0,S0),E (K1,S1)〉 where S0 ⊕ S1 = M

[GoldreichMicaliWigderson87]

I EK0,K1(M) = E (K1,E (K0,M)) [LindellPinkas09]

Murky beginnings [Yao86]

A0,A1

B0,B1

C0,C1

EA0,B0 (C0)EA0,B1 (C1)EA1,B0 (C0)EA1,B1 (C0)

I Position in this list leaks semantic value

=⇒ permute ciphertexts

I Need to detect [in]correct decryptionI (Apparently) no one knows exactly what Yao had in mind:

I EK0,K1(M) = 〈E (K0,S0),E (K1,S1)〉 where S0 ⊕ S1 = M

[GoldreichMicaliWigderson87]

I EK0,K1(M) = E (K1,E (K0,M)) [LindellPinkas09]

Murky beginnings [Yao86]

A0,A1

B0,B1

C0,C1

EA0,B0 (C0)EA0,B1 (C1)EA1,B0 (C0)EA1,B1 (C0)

I Position in this list leaks semantic value =⇒ permute ciphertexts

I Need to detect [in]correct decryptionI (Apparently) no one knows exactly what Yao had in mind:

I EK0,K1(M) = 〈E (K0,S0),E (K1,S1)〉 where S0 ⊕ S1 = M

[GoldreichMicaliWigderson87]

I EK0,K1(M) = E (K1,E (K0,M)) [LindellPinkas09]

Murky beginnings [Yao86]

A0,A1

B0,B1

C0,C1

EA0,B0 (C0)EA0,B1 (C1)EA1,B0 (C0)EA1,B1 (C0)

I Position in this list leaks semantic value =⇒ permute ciphertexts

I Need to detect [in]correct decryption

I (Apparently) no one knows exactly what Yao had in mind:

I EK0,K1(M) = 〈E (K0,S0),E (K1,S1)〉 where S0 ⊕ S1 = M

[GoldreichMicaliWigderson87]

I EK0,K1(M) = E (K1,E (K0,M)) [LindellPinkas09]

Murky beginnings [Yao86]

A0,A1

B0,B1

C0,C1

EA0,B0 (C0)EA0,B1 (C1)EA1,B0 (C0)EA1,B1 (C0)

I Position in this list leaks semantic value =⇒ permute ciphertexts

I Need to detect [in]correct decryptionI (Apparently) no one knows exactly what Yao had in mind:

I EK0,K1(M) = 〈E (K0,S0),E (K1,S1)〉 where S0 ⊕ S1 = M

[GoldreichMicaliWigderson87]

I EK0,K1(M) = E (K1,E (K0,M)) [LindellPinkas09]

Permute-and-Point [BeaverMicaliRogaway90]

A

•

0,A

•

1

B

•

0,B

•

1

C

•

0,C

•

1

••

EA

•

0,B

•

0

(C

•

0)

••

EA

•

0,B

•

1

(C

•

1)

••

EA

•

1,B

•

0

(C

•

0)

••

EA

•

1,B

•

1

(C

•

0)

•• EA

•

0,B

•

1

(C

•

1)

•• EA

•

0,B

•

0

(C

•

0)

•• EA

•

1,B

•

1

(C

•

0)

•• EA

•

1,B

•

0

(C

•

0)

I Randomly assign (•,•) or (•,•)to each pair of wire labels

I Include color in the wire label

(e.g., as last bit)

I Order the 4 ciphertexts

canonically, by color of keys

I Evaluate by decrypting

ciphertext indexed by your

colors

Can use one-time-secure symmetric encryption!

Permute-and-Point [BeaverMicaliRogaway90]

A•0,A•

1

B•0,B•

1

C•0,C•

1

••

EA•0,B•

0

(C•0)

••

EA•0,B•

1

(C•1)

••

EA•1,B•

0

(C•0)

••

EA•1,B•

1

(C•0)

•• EA•0,B•

1

(C•1)

•• EA•0,B•

0

(C•0)

•• EA•1,B•

1

(C•0)

•• EA•1,B•

0

(C•0)

I Randomly assign (•,•) or (•,•)to each pair of wire labels

I Include color in the wire label

(e.g., as last bit)

I Order the 4 ciphertexts

canonically, by color of keys

I Evaluate by decrypting

ciphertext indexed by your

colors

Can use one-time-secure symmetric encryption!

Permute-and-Point [BeaverMicaliRogaway90]

A•0,A•

1

B•0,B•

1

C•0,C•

1

•• EA

•

0,B

•

0

(C•0)

•• EA

•

0,B

•

1

(C•1)

•• EA

•

1,B

•

0

(C•0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

0,B

•

1

(C•1)

•• EA

•

0,B

•

0

(C•0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

1,B

•

0

(C•0)

I Randomly assign (•,•) or (•,•)to each pair of wire labels

I Include color in the wire label

(e.g., as last bit)

I Order the 4 ciphertexts

canonically, by color of keys

I Evaluate by decrypting

ciphertext indexed by your

colors

Can use one-time-secure symmetric encryption!

Permute-and-Point [BeaverMicaliRogaway90]

A•0,A•

1

B•0,B•

1

C•0,C•

1

•• EA

•

0,B

•

0

(C•0)

•• EA

•

0,B

•

1

(C•1)

•• EA

•

1,B

•

0

(C•0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

0,B

•

1

(C•1)

•• EA

•

0,B

•

0

(C•0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

1,B

•

0

(C•0)

I Randomly assign (•,•) or (•,•)to each pair of wire labels

I Include color in the wire label

(e.g., as last bit)

I Order the 4 ciphertexts

canonically, by color of keys

I Evaluate by decrypting

ciphertext indexed by your

colors

Can use one-time-secure symmetric encryption!

Permute-and-Point [BeaverMicaliRogaway90]

A

•

0,A•

1

B

•

0,B•

1

C

•

0,C

•

1

•• EA

•

0,B

•

0

(C•0)

•• EA

•

0,B

•

1

(C•1)

•• EA

•

1,B

•

0

(C•0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

0,B

•

1

(C

•

1)

•• EA

•

0,B

•

0

(C

•

0)

•• EA

•

1,B

•

1

(C

•

0)

•• EA

•

1,B

•

0

(C

•

0)

I Randomly assign (•,•) or (•,•)to each pair of wire labels

I Include color in the wire label

(e.g., as last bit)

I Order the 4 ciphertexts

canonically, by color of keys

I Evaluate by decrypting

ciphertext indexed by your

colors

Can use one-time-secure symmetric encryption!

Permute-and-Point [BeaverMicaliRogaway90]

A

•

0,A•

1

B

•

0,B•

1

C•0,C

•

1

•• EA

•

0,B

•

0

(C•0)

•• EA

•

0,B

•

1

(C•1)

•• EA

•

1,B

•

0

(C•0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

0,B

•

1

(C

•

1)

•• EA

•

0,B

•

0

(C

•

0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

1,B

•

0

(C

•

0)

I Randomly assign (•,•) or (•,•)to each pair of wire labels

I Include color in the wire label

(e.g., as last bit)

I Order the 4 ciphertexts

canonically, by color of keys

I Evaluate by decrypting

ciphertext indexed by your

colors

Can use one-time-secure symmetric encryption!

Permute-and-Point [BeaverMicaliRogaway90]

A

•

0,A•

1

B

•

0,B•

1

C•0,C

•

1

•• EA

•

0,B

•

0

(C•0)

•• EA

•

0,B

•

1

(C•1)

•• EA

•

1,B

•

0

(C•0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

0,B

•

1

(C

•

1)

•• EA

•

0,B

•

0

(C

•

0)

•• EA

•

1,B

•

1

(C•0)

•• EA

•

1,B

•

0

(C

•

0)

I Randomly assign (•,•) or (•,•)to each pair of wire labels

I Include color in the wire label

(e.g., as last bit)

I Order the 4 ciphertexts

canonically, by color of keys

I Evaluate by decrypting

ciphertext indexed by your

colors

Can use one-time-secure symmetric encryption!

Computational cost of garbling

2 hash� 1 hash � 1 block cipher � 1 block cipher w/o key schedule

EA,B (C): cost to garble AES

PRF(A,gateID) ⊕ PRF(B,gateID) ⊕ C ∼6s [extrapolated]

[NaorPinkasSumner99] time from Fairplay [MNPS04]: PRF = SHA256

H(A‖B‖gateID) ⊕ C 0.15s

[LindellPinkasSmart08] time from [sS12]; H = SHA256

AES256(A‖B,gateID) ⊕ C 0.12s

[shelatShen12]

AES(const,K ) ⊕ K ⊕ C 0.0003s

where K = 2A ⊕ 4B ⊕ gateID[BellareHoangKeelveedhiRogaway13]

Computational cost of garbling

2 hash� 1 hash

� 1 block cipher � 1 block cipher w/o key schedule

EA,B (C): cost to garble AES

PRF(A,gateID) ⊕ PRF(B,gateID) ⊕ C ∼6s [extrapolated]

[NaorPinkasSumner99] time from Fairplay [MNPS04]: PRF = SHA256

H(A‖B‖gateID) ⊕ C 0.15s

[LindellPinkasSmart08] time from [sS12]; H = SHA256

AES256(A‖B,gateID) ⊕ C 0.12s

[shelatShen12]

AES(const,K ) ⊕ K ⊕ C 0.0003s

where K = 2A ⊕ 4B ⊕ gateID[BellareHoangKeelveedhiRogaway13]

Computational cost of garbling

2 hash� 1 hash � 1 block cipher

� 1 block cipher w/o key schedule

EA,B (C): cost to garble AES

PRF(A,gateID) ⊕ PRF(B,gateID) ⊕ C ∼6s [extrapolated]

[NaorPinkasSumner99] time from Fairplay [MNPS04]: PRF = SHA256

H(A‖B‖gateID) ⊕ C 0.15s

[LindellPinkasSmart08] time from [sS12]; H = SHA256

AES256(A‖B,gateID) ⊕ C 0.12s

[shelatShen12]

AES(const,K ) ⊕ K ⊕ C 0.0003s

where K = 2A ⊕ 4B ⊕ gateID[BellareHoangKeelveedhiRogaway13]

Computational cost of garbling

2 hash� 1 hash � 1 block cipher � 1 block cipher w/o key schedule

EA,B (C): cost to garble AES

PRF(A,gateID) ⊕ PRF(B,gateID) ⊕ C ∼6s [extrapolated]

[NaorPinkasSumner99] time from Fairplay [MNPS04]: PRF = SHA256

H(A‖B‖gateID) ⊕ C 0.15s

[LindellPinkasSmart08] time from [sS12]; H = SHA256

AES256(A‖B,gateID) ⊕ C 0.12s

[shelatShen12]

AES(const,K ) ⊕ K ⊕ C 0.0003s

where K = 2A ⊕ 4B ⊕ gateID[BellareHoangKeelveedhiRogaway13]

Scoreboard

size (×λ) garble cost eval cost assumption

Classical large? 8 5 PKE

P&P 4 4/8 1/2 hash/PRF

Garbled Row Reduction [NaorPinkasSumner99]

A•0,A•

1

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 ← {0,1}n

•• EA0,B1 (C•1)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

I What wire label will be payload of 1st (••) ciphertext?

I Choose that label so that 1st ciphertext is 0n

I No need to include 1st ciphertext in garbled gate

I Evaluate as before, but imagine ciphertext 0nif you got ••.

Garbled Row Reduction [NaorPinkasSumner99]

A•0,A•

1

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 ← {0,1}n

•• EA0,B1 (C•1)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

I What wire label will be payload of 1st (••) ciphertext?

I Choose that label so that 1st ciphertext is 0n

I No need to include 1st ciphertext in garbled gate

I Evaluate as before, but imagine ciphertext 0nif you got ••.

Garbled Row Reduction [NaorPinkasSumner99]

A•0,A•

1

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 ← {0,1}n

•• EA0,B1 (C•1)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

I What wire label will be payload of 1st (••) ciphertext?

I Choose that label so that 1st ciphertext is 0n

I No need to include 1st ciphertext in garbled gate

I Evaluate as before, but imagine ciphertext 0nif you got ••.

Garbled Row Reduction [NaorPinkasSumner99]

A•0,A•

1

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 = E−1A0,B1

(0n)

•• EA0,B1 (C•1)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

I What wire label will be payload of 1st (••) ciphertext?

I Choose that label so that 1st ciphertext is 0n

I No need to include 1st ciphertext in garbled gate

I Evaluate as before, but imagine ciphertext 0nif you got ••.

Garbled Row Reduction [NaorPinkasSumner99]

A•0,A•

1

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 = E−1A0,B1

(0n)

•• 0n

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

I What wire label will be payload of 1st (••) ciphertext?

I Choose that label so that 1st ciphertext is 0n

I No need to include 1st ciphertext in garbled gate

I Evaluate as before, but imagine ciphertext 0nif you got ••.

Garbled Row Reduction [NaorPinkasSumner99]

A•0,A•

1

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 = E−1A0,B1

(0n)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

I What wire label will be payload of 1st (••) ciphertext?

I Choose that label so that 1st ciphertext is 0n

I No need to include 1st ciphertext in garbled gate

I Evaluate as before, but imagine ciphertext 0nif you got ••.

Garbled Row Reduction [NaorPinkasSumner99]

A•0,A•

1

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 = E−1A0,B1

(0n)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

I What wire label will be payload of 1st (••) ciphertext?

I Choose that label so that 1st ciphertext is 0n

I No need to include 1st ciphertext in garbled gate

I Evaluate as before, but imagine ciphertext 0nif you got ••.

Scoreboard

size (×λ) garble cost eval cost assumption

Classical large? 8 5 PKE

P&P 4 4/8 1/2 hash/PRF

GRR3 3 4/8 1/2 hash/PRF

Free XOR [KolesnikovSchneider08]

A0,A1

B0,B1

C0,C1

C ← {0,1}n

A︸︷︷︸false

⊕ B︸︷︷︸false

= A ⊕ B︸ ︷︷ ︸false

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

Free XOR [KolesnikovSchneider08]

A,A ⊕ ∆A

B,B ⊕ ∆B

C,C ⊕ ∆C

C ← {0,1}n

A︸︷︷︸false

⊕ B︸︷︷︸false

= A ⊕ B︸ ︷︷ ︸false

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

Free XOR [KolesnikovSchneider08]

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

A︸︷︷︸false

⊕ B︸︷︷︸false

= A ⊕ B︸ ︷︷ ︸false

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

Free XOR [KolesnikovSchneider08]

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

A︸︷︷︸false

⊕ B︸︷︷︸false

= A ⊕ B︸ ︷︷ ︸false

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

Free XOR [KolesnikovSchneider08]

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := A ⊕ B

A︸︷︷︸false

⊕ B︸︷︷︸false

= A ⊕ B︸ ︷︷ ︸false

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

Free XOR [KolesnikovSchneider08]

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := A ⊕ B

A︸︷︷︸false

⊕ B ⊕ ∆︸︷︷︸true

= A ⊕ B ⊕ ∆︸ ︷︷ ︸true

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

Free XOR [KolesnikovSchneider08]

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := A ⊕ B

A ⊕ ∆︸︷︷︸true

⊕ B︸︷︷︸false

= A ⊕ B ⊕ ∆︸ ︷︷ ︸true

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

Free XOR [KolesnikovSchneider08]

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := A ⊕ B

A ⊕ ∆︸︷︷︸true

⊕ B ⊕ ∆︸︷︷︸true

= A ⊕ B︸ ︷︷ ︸false

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

Freedom at a cost. . .

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EA ,B (C )EA ,B⊕∆ (C ⊕ ∆)EA⊕∆,B (C )EA⊕∆,B⊕∆ (C )

I Still need to garble and gates

I Compatible with garbled row-reduction

I Secret ∆ used in key and payload of ciphertexts!

I Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]

Freedom at a cost. . .

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EA ,B (C )EA ,B⊕∆ (C ⊕ ∆)EA⊕∆,B (C )EA⊕∆,B⊕∆ (C )

I Still need to garble and gates

I Compatible with garbled row-reduction

I Secret ∆ used in key and payload of ciphertexts!

I Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]

Freedom at a cost. . .

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1A,B (0n)

EA ,B (C )EA ,B⊕∆ (C ⊕ ∆)EA⊕∆,B (C )EA⊕∆,B⊕∆ (C )

I Still need to garble and gates

I Compatible with garbled row-reduction

I Secret ∆ used in key and payload of ciphertexts!

I Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]

Freedom at a cost. . .

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1A,B (0n)

EA ,B (C )EA ,B⊕∆ (C ⊕ ∆)EA⊕∆,B (C )EA⊕∆,B⊕∆ (C )

I Still need to garble and gates

I Compatible with garbled row-reduction

I Secret ∆ used in key and payload of ciphertexts!

I Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]

Freedom at a cost. . .

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1A,B (0n)

EA ,B (C )EA ,B⊕∆ (C ⊕ ∆)EA⊕∆,B (C )EA⊕∆,B⊕∆ (C )

I Still need to garble and gates

I Compatible with garbled row-reduction

I Secret ∆ used in key and payload of ciphertexts!

I Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]

Scoreboard

size (×λ) garble cost eval cost assumption

XOR AND XOR AND XOR AND

Classical large? 8 5 PKE

P&P 4 4 4/8 4/8 1/2 1/2 PRF/hash

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

Free XOR 0 3 0 4 0 1 circ. hash

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n)

{ learn C0

K2 = E−1A0,B1 (0

n)

{ learn C1

K3 = E−1A1,B0 (0

n)

{ learn C0

K4 = E−1A1,B1 (0

n)

{ learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n)

{ learn C0

K2 = E−1A0,B1 (0

n)

{ learn C1

K3 = E−1A1,B0 (0

n)

{ learn C0

K4 = E−1A1,B1 (0

n)

{ learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)

P (0)

Q (0)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)

I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)

P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)

I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)

P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)

I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)

P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)

I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)

P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)

I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)

I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)

P (0)

Q (0)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

A0,A1

B0,B1

C0,C1

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P (5)

P (6)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

Scoreboard

size (×λ) garble cost eval cost assumption

XOR AND XOR AND XOR AND

Classical large? 8 5 PKE

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

Free XOR 0 3 0 4 0 1 circ. hash

GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1

A∗,A∗ ⊕ ∆2

∆1→ ∆

2

A∗ ← {0,1}n

I Translate to a new wire o�set

(unary a 7→ a gate)

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

A∗ ← {0,1}n

I Translate to a new wire o�set

(unary a 7→ a gate)

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

0 0

1 1

A∗ ← {0,1}n

I Translate to a new wire o�set (unary a 7→ a gate)

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

A A∗

A ⊕ ∆1 A∗ ⊕ ∆2

A∗ ← {0,1}n

I Translate to a new wire o�set (unary a 7→ a gate)

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

EA (A∗ )EA⊕∆1

(A∗ ⊕ ∆2)

A∗ ← {0,1}n

I Translate to a new wire o�set (unary a 7→ a gate)

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

EA (A∗ )EA⊕∆1

(A∗ ⊕ ∆2)

A∗ ← {0,1}n

I Translate to a new wire o�set (unary a 7→ a gate)

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

EA (A∗ )EA⊕∆1

(A∗ ⊕ ∆2)

A∗ := E−1A (0n)

I Translate to a new wire o�set (unary a 7→ a gate)

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

0n

EA⊕∆1(A∗ ⊕ ∆2)

A∗ := E−1A (0n)

I Translate to a new wire o�set (unary a 7→ a gate)

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

EA⊕∆1(A∗ ⊕ ∆2)

A∗ := E−1A (0n)

I Translate to a new wire o�set (unary a 7→ a gate) using 1 ciphertext

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

2

EA⊕∆1(A∗ ⊕ ∆2)

A∗ := E−1A (0n)

I Translate to a new wire o�set (unary a 7→ a gate) using 1 ciphertext

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆A

B,B ⊕ ∆B

C,C ⊕ ∆C

∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each)

, then XOR is free

I If input wire already suitable, no need to adjust

I Total cost: 0, 1 or 2 depending on how many {∆A,∆B,∆C } distinct.

Combinatorial optimization problem: Choose an o�set for each wire,

minimizing total cost of XOR gates

I Subj. to compatibility with 2-ciphertext row-reduction of AND gates

I (or) Subj. to removing circularity property of free-XOR

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆A

B,B ⊕ ∆B

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each)

, then XOR is free

I If input wire already suitable, no need to adjust

I Total cost: 0, 1 or 2 depending on how many {∆A,∆B,∆C } distinct.

Combinatorial optimization problem: Choose an o�set for each wire,

minimizing total cost of XOR gates

I Subj. to compatibility with 2-ciphertext row-reduction of AND gates

I (or) Subj. to removing circularity property of free-XOR

FleXOR [KolesnikovMohasselRosulek14]

free

A,A ⊕ ∆A

B,B ⊕ ∆B

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each), then XOR is free

I If input wire already suitable, no need to adjust

I Total cost: 0, 1 or 2 depending on how many {∆A,∆B,∆C } distinct.

Combinatorial optimization problem: Choose an o�set for each wire,

minimizing total cost of XOR gates

I Subj. to compatibility with 2-ciphertext row-reduction of AND gates

I (or) Subj. to removing circularity property of free-XOR

FleXOR [KolesnikovMohasselRosulek14]

free

A,A ⊕ ∆A

B,B ⊕ ∆C

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each), then XOR is free

I If input wire already suitable, no need to adjust

I Total cost: 0, 1 or 2 depending on how many {∆A,∆B,∆C } distinct.

Combinatorial optimization problem: Choose an o�set for each wire,

minimizing total cost of XOR gates

I Subj. to compatibility with 2-ciphertext row-reduction of AND gates

I (or) Subj. to removing circularity property of free-XOR

FleXOR [KolesnikovMohasselRosulek14]

free

A,A ⊕ ∆A

B,B ⊕ ∆C

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each), then XOR is free

I If input wire already suitable, no need to adjust

I Total cost: 0, 1 or 2 depending on how many {∆A,∆B,∆C } distinct.

Combinatorial optimization problem: Choose an o�set for each wire,

minimizing total cost of XOR gates

I Subj. to compatibility with 2-ciphertext row-reduction of AND gates

I (or) Subj. to removing circularity property of free-XOR

FleXOR [KolesnikovMohasselRosulek14]

free

A,A ⊕ ∆A

B,B ⊕ ∆C

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each), then XOR is free

I If input wire already suitable, no need to adjust

I Total cost: 0, 1 or 2 depending on how many {∆A,∆B,∆C } distinct.

Combinatorial optimization problem: Choose an o�set for each wire,

minimizing total cost of XOR gates

I Subj. to compatibility with 2-ciphertext row-reduction of AND gates

I (or) Subj. to removing circularity property of free-XOR

Scoreboard

size (×λ) garble cost eval cost assumption

XOR AND XOR AND XOR AND

Classical large? 8 5 PKE

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

Free XOR 0 3 0 4 0 1 circ. hash

GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. hash

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

0 0

1 0

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

B CB ⊕ ∆ C

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

0 0

1 1

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

B CB ⊕ ∆ C ⊕ ∆

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1B (0n)

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1B (0n)

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

0n

EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1B (0n)

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C

⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C

⊕ A ⊕ C

C ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C := E−1B (0n)

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

0n

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C := E−1B (0n)

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C := E−1B (0n)

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Half Gates [ZahurRosulekEvans15]

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C := E−1B (0n)

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

Two halves make a whole!

a ∧ b

= (a ⊕ r ⊕ r ) ∧ b= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]= [(a ⊕ r ) ∧ b]︸ ︷︷ ︸one input known to evaluator

⊕[r ∧ b]= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸ ︷︷ ︸one input known to garbler

I Garbler chooses random bit r

I r = color bit of false wire label A

I Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

Two halves make a whole!

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]= [(a ⊕ r ) ∧ b]︸ ︷︷ ︸one input known to evaluator

⊕[r ∧ b]= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸ ︷︷ ︸one input known to garbler

I Garbler chooses random bit r

I r = color bit of false wire label AI Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

Two halves make a whole!

a ∧ b = (a ⊕ r ⊕ r ) ∧ b= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]

= [(a ⊕ r ) ∧ b]︸ ︷︷ ︸one input known to evaluator

⊕[r ∧ b]= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸ ︷︷ ︸one input known to garbler

I Garbler chooses random bit r

I r = color bit of false wire label AI Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

Two halves make a whole!

a ∧ b = (a ⊕ r ⊕ r ) ∧ b= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]

= [(a ⊕ r ) ∧ b]︸ ︷︷ ︸one input known to evaluator

⊕[r ∧ b]= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸ ︷︷ ︸one input known to garbler

I Garbler chooses random bit r

I r = color bit of false wire label A

I Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

Two halves make a whole!

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]

= [(a ⊕ r ) ∧ b]︸ ︷︷ ︸one input known to evaluator

⊕[r ∧ b]

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸ ︷︷ ︸one input known to garbler

I Garbler chooses random bit r

I r = color bit of false wire label A

I Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

Two halves make a whole!

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]= [(a ⊕ r ) ∧ b]︸ ︷︷ ︸one input known to evaluator

⊕[r ∧ b]

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸ ︷︷ ︸one input known to garbler

I Garbler chooses random bit r

I r = color bit of false wire label A

I Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

Two halves make a whole!

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]= [(a ⊕ r ) ∧ b]︸ ︷︷ ︸one input known to evaluator

⊕[r ∧ b]

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸ ︷︷ ︸one input known to garbler

I Garbler chooses random bit r

I r = color bit of false wire label A

I Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

Two halves make a whole!

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]= [(a ⊕ r ) ∧ b]︸ ︷︷ ︸one input known to evaluator

⊕[r ∧ b]

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸ ︷︷ ︸one input known to garbler

I Garbler chooses random bit rI r = color bit of false wire label A

I Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

Scoreboard

size (×λ) garble cost eval cost assumption

XOR AND XOR AND XOR AND

Classical large? 8 5 PKE

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

Free XOR 0 3 0 4 0 1 circ. hash

GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. symm

HalfGates 0 2 0 4 0 2 circ. hash

[XYZ26]? 0 < 2? ? ? ? ? ?

Scoreboard

size (×λ) garble cost eval cost assumption

XOR AND XOR AND XOR AND

Classical large? 8 5 PKE

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

Free XOR 0 3 0 4 0 1 circ. hash

GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. symm

HalfGates 0 2 0 4 0 2 circ. hash[XYZ26]? 0 < 2? ? ? ? ? ?

Optimality

Every practical garbling scheme is combination of:

I Calls to symmetric primitive (can be modeled as random oracle)

I GF (2λ )-linear operations (xor, polynomial interpolation)

�eorem ([ZahurRosulekEvans15])Garbling a single and gate requires 2 ciphertexts (2λ bits), if garbling schemeis “linear” in this sense.

Half-gates construction is size-optimal among schemes that:

. . . use “known techniques”

. . . work gate-by-gate in {xor,and,not} basis

Optimality

Every practical garbling scheme is combination of:

I Calls to symmetric primitive (can be modeled as random oracle)

I GF (2λ )-linear operations (xor, polynomial interpolation)

�eorem ([ZahurRosulekEvans15])Garbling a single and gate requires 2 ciphertexts (2λ bits), if garbling schemeis “linear” in this sense.

Half-gates construction is size-optimal among schemes that:

. . . use “known techniques”

. . . work gate-by-gate in {xor,and,not} basis

Optimality

Every practical garbling scheme is combination of:

I Calls to symmetric primitive (can be modeled as random oracle)

I GF (2λ )-linear operations (xor, polynomial interpolation)

�eorem ([ZahurRosulekEvans15])Garbling a single and gate requires 2 ciphertexts (2λ bits), if garbling schemeis “linear” in this sense.

Half-gates construction is size-optimal among schemes that:

. . . use “known techniques”

. . . work gate-by-gate in {xor,and,not} basis

Ways forward?

1:Consider larger “chunks” of circuit, beyond {xor,and,not} basis?

2:Discover some clever non-linear approach to garbling?

3:Wait for break-even point for asymptotically superior methods?

4:Use weaker security when situation calls for it.

Ways forward?

1:Consider larger “chunks” of circuit, beyond {xor,and,not} basis?

2:Discover some clever non-linear approach to garbling?

3:Wait for break-even point for asymptotically superior methods?

4:Use weaker security when situation calls for it.

Ways forward?

1:Consider larger “chunks” of circuit, beyond {xor,and,not} basis?

2:Discover some clever non-linear approach to garbling?

3:Wait for break-even point for asymptotically superior methods?

4:Use weaker security when situation calls for it.

Ways forward?

1:Consider larger “chunks” of circuit, beyond {xor,and,not} basis?

2:Discover some clever non-linear approach to garbling?

3:Wait for break-even point for asymptotically superior methods?

4:Use weaker security when situation calls for it.

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)

contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid w

open garbled circuitcorrect GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w

open garbled output

Prover knows entire input to garbled circuit!

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

OT

input

wire labels

w

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

Privacy-free garbling [FrederiksenNielsenOrlandi15]

For this ZK protocol, garbled circuit does not require privacy property

I Only authenticity is needed

I Garbled circuits can be significantly smaller in this case

size (×λ) garble cost eval cost assumption

XOR AND XOR AND XOR AND

Classical large? 8 5 PKE

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 hash/PRF

Free XOR 0 3 0 4 0 1 circ. hash

GRR2 2 2 4/8 4/8 1/2 1/2 hash/PRF

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. hash

HalfGates 0 2 0 4 0 2 circ. hash

PrivFree * 0 1 0 2 0 1 circ. hash

Privacy-free garbling [FrederiksenNielsenOrlandi15]

For this ZK protocol, garbled circuit does not require privacy property

I Only authenticity is needed

I Garbled circuits can be significantly smaller in this case

size (×λ) garble cost eval cost assumption

XOR AND XOR AND XOR AND

Classical large? 8 5 PKE

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 hash/PRF

Free XOR 0 3 0 4 0 1 circ. hash

GRR2 2 2 4/8 4/8 1/2 1/2 hash/PRF

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. hash

HalfGates 0 2 0 4 0 2 circ. hash

PrivFree * 0 1 0 2 0 1 circ. hash

A success story!

1λ

2λ

3λ

4λ

5λ

1986 1990 1999 2008 2009 2014 2015

DES

AES

SHA1

SHA256

I Reduction in size by 10x

I Reduction in computation by 10000x

the end!