Post on 26-Sep-2020
transcript
Practical Garbled Circuit Optimizations
Mike Rosulek
Collaborators: David Evans / Vlad Kolesnikov / Payman Mohassel / Samee Zahur
Garbled circuit framework [Yao86]

[Figure: a five-gate circuit. Wires A, B, C, D are inputs; E, F, G, H, I are gate outputs. Each wire carries a pair of labels: (A0,A1), (B0,B1), (C0,C1), (D0,D1), (E0,E1), (F0,F1), (G0,G1), (H0,H1), (I0,I1).]

Truth tables (input bits -> output bit):
  E = gate(A,B):  00->0  01->1  10->0  11->0
  F = gate(A,B):  00->0  01->1  10->1  11->0
  G = gate(C,D):  00->0  01->1  10->0  11->0
  H = gate(F,G):  00->0  01->1  10->0  11->0
  I = gate(E,H):  00->0  01->1  10->1  11->1

The same tables written with wire labels:
  A0 B0 E0 | A0 B1 E1 | A1 B0 E0 | A1 B1 E0
  A0 B0 F0 | A0 B1 F1 | A1 B0 F1 | A1 B1 F0
  C0 D0 G0 | C0 D1 G1 | C1 D0 G0 | C1 D1 G0
  F0 G0 H0 | F0 G1 H1 | F1 G0 H0 | F1 G1 H0
  E0 H0 I0 | E0 H1 I1 | E1 H0 I1 | E1 H1 I1

Encrypted gates (each output label encrypted under the two input labels of its row):
  E_{A0,B0}(E0), E_{A0,B1}(E1), E_{A1,B0}(E0), E_{A1,B1}(E0)
  E_{A0,B0}(F0), E_{A0,B1}(F1), E_{A1,B0}(F1), E_{A1,B1}(F0)
  E_{C0,D0}(G0), E_{C0,D1}(G1), E_{C1,D0}(G0), E_{C1,D1}(G0)
  E_{F0,G0}(H0), E_{F0,G1}(H1), E_{F1,G0}(H0), E_{F1,G1}(H0)
  E_{E0,H0}(I0), E_{E0,H1}(I1), E_{E1,H0}(I1), E_{E1,H1}(I1)

Garbling a circuit:
- Pick random labels W0, W1 on each wire
- "Encrypt" truth table of each gate
- Garbled circuit ≡ all encrypted gates
- Garbled encoding ≡ one label per wire

Garbled evaluation:
- Only one ciphertext per gate is decryptable
- Result of decryption = value on outgoing wire
Applications: 2PC and more

[Figure: two-party computation from garbling. The garbler holds x, the evaluator holds y. The garbler sends the garbled circuit for f, the garbled input x and the output wire labels; the evaluator obtains the garbled y through OT on the input wire labels for y, evaluates, and learns f(x,y).]

Private function evaluation, zero-knowledge proofs, encryption with key-dependent message security, randomized encodings, secure outsourcing, one-time programs, . . .

Garbling is a fundamental primitive [BellareHoangRogaway12]
Syntax [BellareHoangRogaway12]

[Figure: Garble takes f and outputs the garbled circuit F, the encoding info e and the decoding info d. Encode turns the input x into the garbled input X using e; Eval runs F on X to produce the garbled output Y; Decode turns Y into f(x) using d.]

Security properties:
Privacy: (F, X, d) reveals nothing beyond f(x)
Obliviousness: (F, X) reveals nothing
Authenticity: given (F, X), hard to find Y that decodes to a value ∉ {f(x), ⊥}
Parameters to optimize: computation, size, hardness assumption
Average bits per garbled gate

[Chart: average bits per garbled gate (y-axis 1λ to 5λ) against year (1986, 1990, 1999, 2008, 2009, 2014, 2015), with points for [Yao, GoldreichMicaliWigderson], [BeaverMicaliRogaway], [NaorPinkasSumner], [KolesnikovSchneider], [PinkasSchneiderSmartWilliams], [KolesnikovMohasselRosulek] and [ZahurRosulekEvans], measured on the DES, AES, SHA1 and SHA256 circuits.]

Prediction: by 2026, all garbled circuits will have zero size.
Murky beginnings [Yao86]

Wire labels (A0,A1), (B0,B1), (C0,C1); garbled gate:
  E_{A0,B0}(C0), E_{A0,B1}(C1), E_{A1,B0}(C0), E_{A1,B1}(C0)

- Position in this list leaks semantic value ⇒ permute ciphertexts
- Need to detect [in]correct decryption
- (Apparently) no one knows exactly what Yao had in mind:
  - E_{K0,K1}(M) = ⟨E(K0,S0), E(K1,S1)⟩ where S0 ⊕ S1 = M [GoldreichMicaliWigderson87]
  - E_{K0,K1}(M) = E(K1, E(K0, M)) [LindellPinkas09]
Permute-and-Point [BeaverMicaliRogaway90]

Wire labels, each tagged with a color: (A•0, A•1), (B•0, B•1), (C•0, C•1).
Garbled gate in truth-table order:
  E_{A•0,B•0}(C•0), E_{A•0,B•1}(C•1), E_{A•1,B•0}(C•0), E_{A•1,B•1}(C•0)
The same four ciphertexts ordered canonically by the colors of their keys:
  •• E_{A•0,B•1}(C•1)
  •• E_{A•0,B•0}(C•0)
  •• E_{A•1,B•1}(C•0)
  •• E_{A•1,B•0}(C•0)

- Randomly assign the two colors, in either order, to each pair of wire labels
- Include color in the wire label (e.g., as last bit)
- Order the 4 ciphertexts canonically, by color of keys
- Evaluate by decrypting ciphertext indexed by your colors

Can use one-time-secure symmetric encryption!
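As an added worked example (not code from the talk), the five-gate circuit of the framework slide garbled and evaluated with point-and-permute colors, which also makes the "murky beginnings" problem concrete: no trial decryption and no correctness check are needed because the colors index the row. The row encryption H(A‖B‖gateID) ⊕ C with H = SHA-256, 128-bit labels, the last bit as the color, and the gate functions read off the slide's truth tables are this example's assumptions.

```python
"""Point-and-permute garbling of the five-gate circuit from the framework slide.
Added example, not code from the talk. Assumptions: 128-bit labels, the
H(A || B || gateID) XOR C row encryption (H = SHA-256 truncated), and the
color bit stored as the last bit of a label.
"""
import hashlib
import secrets

LABEL_BYTES = 16  # lambda = 128 bits


def H(a: bytes, b: bytes, gate_id: int) -> bytes:
    """One-time pad for a single row, keyed by both input labels and the gate id."""
    return hashlib.sha256(a + b + gate_id.to_bytes(4, "big")).digest()[:LABEL_BYTES]


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def color(label: bytes) -> int:
    """The color is public: it is the label's last bit."""
    return label[-1] & 1


def fresh_wire() -> tuple:
    """Two random labels with opposite colors; which color means 'true' is random."""
    w0 = secrets.token_bytes(LABEL_BYTES)
    w1 = secrets.token_bytes(LABEL_BYTES)
    w1 = w1[:-1] + bytes([(w1[-1] & 0xFE) | (1 - color(w0))])
    return w0, w1


def garble_gate(gate_id: int, wa: tuple, wb: tuple, func) -> tuple:
    """Encrypt the gate's truth table; each row sits at the position given by the
    colors of its two keys, so the evaluator never has to try several rows."""
    wc = fresh_wire()
    rows = [b""] * 4
    for a in (0, 1):
        for b in (0, 1):
            position = 2 * color(wa[a]) + color(wb[b])
            rows[position] = xor(H(wa[a], wb[b], gate_id), wc[func(a, b)])
    return rows, wc


# The slide's circuit: inputs A, B, C, D; gate outputs E..I. Functions are read
# off the truth tables (E, G, H are "not x and y", F is XOR, I is OR).
CIRCUIT = [
    ("E", "A", "B", lambda a, b: int(not a and b)),
    ("F", "A", "B", lambda a, b: a ^ b),
    ("G", "C", "D", lambda a, b: int(not a and b)),
    ("H", "F", "G", lambda a, b: int(not a and b)),
    ("I", "E", "H", lambda a, b: a | b),
]
OUTPUT = "I"


def garble_circuit():
    """Garbled circuit = all encrypted gates; decoding info = color -> bit for wire I."""
    wires = {name: fresh_wire() for name in "ABCD"}
    tables = {}
    for gate_id, (out, a, b, func) in enumerate(CIRCUIT):
        tables[out], wires[out] = garble_gate(gate_id, wires[a], wires[b], func)
    decoding = {color(wires[OUTPUT][0]): 0, color(wires[OUTPUT][1]): 1}
    return wires, tables, decoding


def evaluate(tables: dict, active: dict) -> bytes:
    """The evaluator holds exactly one label per input wire and decrypts one row per gate."""
    for gate_id, (out, a, b, _) in enumerate(CIRCUIT):
        la, lb = active[a], active[b]
        row = tables[out][2 * color(la) + color(lb)]
        active[out] = xor(row, H(la, lb, gate_id))
    return active[OUTPUT]


def run(a: int, b: int, c: int, d: int) -> int:
    """Garble, hand the evaluator the labels for (a, b, c, d), evaluate, decode."""
    wires, tables, decoding = garble_circuit()
    active = {"A": wires["A"][a], "B": wires["B"][b],
              "C": wires["C"][c], "D": wires["D"][d]}
    return decoding[color(evaluate(tables, active))]


def plain(a: int, b: int, c: int, d: int) -> int:
    """Reference evaluation of the same circuit in the clear."""
    e, f, g = int(not a and b), a ^ b, int(not c and d)
    return e | int(not f and g)


def check_all() -> bool:
    """Garbled evaluation agrees with the plain circuit on all 16 inputs."""
    return all(run(a, b, c, d) == plain(a, b, c, d)
               for a in (0, 1) for b in (0, 1) for c in (0, 1) for d in (0, 1))


if __name__ == "__main__":
    print("all 16 inputs correct:", check_all())
```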
Computational cost of garbling

Cost ordering (most to least expensive): 2 hash > 1 hash > 1 block cipher > 1 block cipher w/o key schedule

  E_{A,B}(C)                                     | cost to garble AES  | source
  PRF(A,gateID) ⊕ PRF(B,gateID) ⊕ C              | ∼6s [extrapolated]  | [NaorPinkasSumner99]; time from Fairplay [MNPS04], PRF = SHA256
  H(A‖B‖gateID) ⊕ C                              | 0.15s               | [LindellPinkasSmart08]; time from [sS12], H = SHA256
  AES256(A‖B, gateID) ⊕ C                        | 0.12s               | [shelatShen12]
  AES(const, K) ⊕ K ⊕ C, where K = 2A ⊕ 4B ⊕ gateID | 0.0003s          | [BellareHoangKeelveedhiRogaway13]
Scoreboard

              size (×λ)   garble cost   eval cost   assumption
  Classical   large?      8             5           PKE
  P&P         4           4/8           1/2         hash/PRF
Garbled Row Reduction [NaorPinkasSumner99]

Wire labels (A•0, A•1), (B•0, B•1), (C•0, C•1); ciphertexts in canonical color order:
  •• E_{A0,B1}(C•1)
  •• E_{A0,B0}(C•0)
  •• E_{A1,B1}(C•0)
  •• E_{A1,B0}(C•0)
Before: C0 ← {0,1}^n, C1 ← {0,1}^n. After: C0 ← {0,1}^n, C1 = E^{-1}_{A0,B1}(0^n), so the first ciphertext becomes 0^n and is dropped from the garbled gate.

- What wire label will be payload of 1st (••) ciphertext?
- Choose that label so that 1st ciphertext is 0^n
- No need to include 1st ciphertext in garbled gate
- Evaluate as before, but imagine ciphertext 0^n if you got ••.
Scoreboard

              size (×λ)   garble cost   eval cost   assumption
  Classical   large?      8             5           PKE
  P&P         4           4/8           1/2         hash/PRF
  GRR3        3           4/8           1/2         hash/PRF
Free XOR [KolesnikovSchneider08]

Wire labels (A, A ⊕ ∆), (B, B ⊕ ∆), (C, C ⊕ ∆), with the output wire defined as C := A ⊕ B instead of sampled as C ← {0,1}^n. The four cases:
  A (false)      ⊕ B (false)      = A ⊕ B      (false)
  A (false)      ⊕ B ⊕ ∆ (true)   = A ⊕ B ⊕ ∆  (true)
  A ⊕ ∆ (true)   ⊕ B (false)      = A ⊕ B ⊕ ∆  (true)
  A ⊕ ∆ (true)   ⊕ B ⊕ ∆ (true)   = A ⊕ B      (false)

- Wire's offset ≡ XOR of its two labels
- Choose all wires to have same (secret) offset ∆
- Choose false output = false input ⊕ false input
- Evaluate by xoring input wire labels (no crypto)
Freedom at a cost. . .

Wire labels (A, A ⊕ ∆), (B, B ⊕ ∆), (C, C ⊕ ∆); C ← {0,1}^n, or with row reduction C := E^{-1}_{A,B}(0^n).
Garbled gate:
  E_{A,B}(C), E_{A,B⊕∆}(C ⊕ ∆), E_{A⊕∆,B}(C), E_{A⊕∆,B⊕∆}(C)

- Still need to garble AND gates
- Compatible with garbled row-reduction
- Secret ∆ used in key and payload of ciphertexts!
- Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]
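Added example (not code from the talk or the cited papers) that combines the two preceding slides: Free XOR labels with a shared offset ∆, and a GRR3 AND gate whose color-(0,0) row is forced to 0^n and never sent, while the XOR gate costs no ciphertexts and no hashing. The 128-bit labels, the H(A‖B‖gateID) ⊕ C one-time pad with H = SHA-256, and the choice of a ∆ with last bit 1 so that colors work as in point-and-permute are assumptions of this example.

```python
"""Free XOR combined with garbled row reduction (GRR3): one AND gate and one XOR gate.
Added example, not code from the talk or the cited papers. Assumed: 128-bit labels,
a secret global offset DELTA whose last bit is 1 (so the two labels of every wire
have opposite colors), and the one-time pad E_{A,B}(C) = H(A || B || gateID) XOR C
with H = SHA-256 truncated.
"""
import hashlib
import secrets

N = 16  # label length in bytes (n = 128 bits)


def H(a: bytes, b: bytes, gate_id: int) -> bytes:
    return hashlib.sha256(a + b + gate_id.to_bytes(4, "big")).digest()[:N]


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def color(label: bytes) -> int:
    return label[-1] & 1


def make_delta() -> bytes:
    """Global offset; last bit forced to 1 so W and W xor DELTA differ in color."""
    d = secrets.token_bytes(N)
    return d[:-1] + bytes([d[-1] | 1])


def fresh_wire(delta: bytes) -> tuple:
    """(false label, true label): every wire's offset is the shared DELTA."""
    w0 = secrets.token_bytes(N)
    return w0, xor(w0, delta)


def garble_and(gate_id: int, wa: tuple, wb: tuple, delta: bytes) -> tuple:
    """GRR3 AND gate: the row at color position (0,0) is forced to 0^n and not sent.
    DELTA appears in keys (A xor DELTA) and in payloads (C xor DELTA): the circularity
    the 'Freedom at a cost' slide points out."""
    # Which plaintext pair (a0, b0) lands in color position (0,0)?
    a0 = 0 if color(wa[0]) == 0 else 1
    b0 = 0 if color(wb[0]) == 0 else 1
    # Its payload is C_{a0 AND b0}; choose it as E^{-1}_{A,B}(0^n) = H(A, B, gateID)
    # and derive the false label C from it.
    payload = H(wa[a0], wb[b0], gate_id)
    c_false = payload if (a0 & b0) == 0 else xor(payload, delta)
    wc = (c_false, xor(c_false, delta))
    rows = [b""] * 4
    for a in (0, 1):
        for b in (0, 1):
            rows[2 * color(wa[a]) + color(wb[b])] = xor(H(wa[a], wb[b], gate_id), wc[a & b])
    assert rows[0] == bytes(N), "row (0,0) is all-zero by construction"
    return rows[1:], wc  # only 3 ciphertexts go into the garbled gate


def eval_and(gate_id: int, la: bytes, lb: bytes, rows: list) -> bytes:
    """Decrypt the row indexed by the colors; position (0,0) is the implicit 0^n."""
    position = 2 * color(la) + color(lb)
    ct = bytes(N) if position == 0 else rows[position - 1]
    return xor(ct, H(la, lb, gate_id))


def eval_xor(la: bytes, lb: bytes) -> bytes:
    """Free XOR: no ciphertexts, no hashing."""
    return xor(la, lb)


def and_gate_size() -> int:
    """Number of ciphertexts sent for one garbled AND gate."""
    delta = make_delta()
    return len(garble_and(0, fresh_wire(delta), fresh_wire(delta), delta)[0])


def demo(a: int, b: int, c: int) -> tuple:
    """Garble and evaluate (a AND b) XOR c; returns (decoded bit, expected bit)."""
    delta = make_delta()
    wa, wb, wc = fresh_wire(delta), fresh_wire(delta), fresh_wire(delta)
    rows, wd = garble_and(0, wa, wb, delta)
    e_false = xor(wd[0], wc[0])  # XOR output labels are derived, not sampled
    we = (e_false, xor(e_false, delta))
    ld = eval_and(0, wa[a], wb[b], rows)
    le = eval_xor(ld, wc[c])
    return (0 if le == we[0] else 1 if le == we[1] else -1), (a & b) ^ c


def check_all() -> bool:
    """Garbled evaluation matches the plain result on all 8 inputs."""
    results = [demo(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]
    return all(got == want for got, want in results)
```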
Scoreboard

              size (×λ)     garble cost     eval cost     assumption
              XOR    AND    XOR     AND     XOR    AND
  Classical   large?        8               5             PKE
  P&P         4      4      4/8     4/8     1/2    1/2    PRF/hash
  GRR3        3      3      4/8     4/8     1/2    1/2    PRF/hash
  Free XOR    0      3      0       4       0      1      circ. hash
Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

Wire labels (A0,A1), (B0,B1), (C0,C1), with C0 = P(0); C1 = Q(0).

- Evaluator can know exactly one of:
    K1 = E^{-1}_{A0,B0}(0^n)  ↦ learn C0
    K2 = E^{-1}_{A0,B1}(0^n)  ↦ learn C1
    K3 = E^{-1}_{A1,B0}(0^n)  ↦ learn C0
    K4 = E^{-1}_{A1,B1}(0^n)  ↦ learn C0
- P = unique degree-2 polynomial through (1,K1), (3,K3), (4,K4)
- Q = unique degree-2 polynomial through (2,K2), (5,P(5)), (6,P(6))
- The two ciphertexts of the garbled gate are P(5) and P(6)
- Evaluate by interpolating the polynomial through K_i, P(5) and P(6)
- Incompatible with Free-XOR: can't ensure C0 ⊕ C1 = ∆

[Figure: the points (1,K1), (2,K2), (3,K3), (4,K4), P(5), P(6) plotted, with P(0) = C0 and Q(0) = C1 marked.]
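Added example (not the authors' code) of the two-ciphertext gate described above, carried out in GF(2^128) with Lagrange interpolation so that addition is XOR and E^{-1}_{A,B}(0^n) is just the key-derived pad. The field polynomial, SHA-256 as the pad function H, and the row position i = 1 + 2·color(A) + color(B) taken from a color bit in each label are this example's assumptions; the gate is the slide's (true only on A0,B1), and the check also runs it for AND.

```python
"""Two-ciphertext garbled gate by polynomial interpolation (GRR2, [PSSW09]).
Added example, not the authors' code. Labels are elements of GF(2^128), where
addition is XOR, and E_{A,B}(M) = H(A,B,gateID) XOR M, so E^{-1}_{A,B}(0^n) =
H(A,B,gateID). Assumed: the GCM field polynomial, SHA-256 as H, and the row
position i = 1 + 2*color(A) + color(B) taken from the labels' low (color) bit.
"""
import functools
import hashlib
import secrets

N = 128
MOD = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1


def gf_mul(x: int, y: int) -> int:
    """Shift-and-add multiplication in GF(2^128)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x, y = x << 1, y >> 1
        if x >> N:
            x ^= MOD
    return r


@functools.lru_cache(maxsize=None)
def gf_inv(x: int) -> int:
    """x^-1 = x^(2^128 - 2) by square-and-multiply (x != 0); cached, since the
    Lagrange denominators below are products of small constants."""
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r


def interpolate_at(points: list, x: int) -> int:
    """Lagrange: value at x of the unique degree-(len-1) polynomial through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:  # (x - xj) is x XOR xj in characteristic 2
                num, den = gf_mul(num, x ^ xj), gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total


def H(a: int, b: int, gate_id: int) -> int:
    data = a.to_bytes(16, "big") + b.to_bytes(16, "big") + gate_id.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def fresh_wire() -> tuple:
    w0 = secrets.randbits(N)  # two random labels whose low (color) bits differ
    return w0, (secrets.randbits(N) & ~1) | (1 - (w0 & 1))


def garble(gate_id: int, wa: tuple, wb: tuple, gate) -> tuple:
    """Returns the two ciphertexts (P(5), P(6)) and output labels (C0, C1) for a
    gate with a single true row: the three false rows define P, the true row Q."""
    rows = {}
    for a in (0, 1):
        for b in (0, 1):
            i = 1 + 2 * (wa[a] & 1) + (wb[b] & 1)  # K_i = E^{-1}_{A_a,B_b}(0^n)
            rows[i] = (H(wa[a], wb[b], gate_id), gate(a, b))
    true_rows = [i for i in rows if rows[i][1] == 1]
    assert len(true_rows) == 1, "this example handles gates with one true row"
    q_row = true_rows[0]
    p_points = [(i, rows[i][0]) for i in sorted(rows) if i != q_row]
    p5, p6 = interpolate_at(p_points, 5), interpolate_at(p_points, 6)
    c0 = interpolate_at(p_points, 0)                                     # P(0)
    c1 = interpolate_at([(q_row, rows[q_row][0]), (5, p5), (6, p6)], 0)  # Q(0)
    return (p5, p6), (c0, c1)


def evaluate(gate_id: int, la: int, lb: int, ciphertexts: tuple) -> int:
    """Holding one K_i, interpolate through (i,K_i), (5,P(5)), (6,P(6)); read x=0."""
    p5, p6 = ciphertexts
    i = 1 + 2 * (la & 1) + (lb & 1)
    return interpolate_at([(i, H(la, lb, gate_id)), (5, p5), (6, p6)], 0)


def demo(a: int, b: int, gate=lambda a, b: int(not a and b)) -> tuple:
    """Garble the slide's gate (true only on A0,B1), evaluate on (a, b): (got, want)."""
    wa, wb = fresh_wire(), fresh_wire()
    ciphertexts, wc = garble(3, wa, wb, gate)
    out = evaluate(3, wa[a], wb[b], ciphertexts)
    return (0 if out == wc[0] else 1 if out == wc[1] else -1), gate(a, b)


def check_all() -> bool:
    """Correct on every input for the slide's gate and for AND (also one true row)."""
    gates = (lambda a, b: int(not a and b), lambda a, b: a & b)
    return all(demo(a, b, g)[0] == g(a, b) for g in gates for a in (0, 1) for b in (0, 1))
```

The check that the evaluator's polynomial is P for the three false rows and Q for the true one is exactly the uniqueness of a degree-2 polynomial through three points; with 3 points per interpolation the field inversions are the only non-trivial cost.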
Row reduction ++ [PinkasSchneiderSmartWilliams09]
Garbled gates with only 2 ciphertexts!
I Evaluator can know exactly one of:
K1 = E−1A0,B0 (0
n)
{ learn C0
K2 = E−1A0,B1 (0
n)
{ learn C1
K3 = E−1A1,B0 (0
n)
{ learn C0
K4 = E−1A1,B1 (0
n)
{ learn C0
I Evaluate by interpolating poly thru
Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t
ensure C0 ⊕ C1 = ∆
A0,A1
B0,B1
C0,C1
C0 = P (0);C1 = Q (0)
P (5)P (6)P (0)
Q (0) (1, K1)
(2, K2)
(3, K3)
(4, K4)
P (5)
P (6)
P = uniq deg-2 poly thru
(1,K1), (3,K3), (4,K4)
Q = uniq deg-2 poly thru
(2,K2), (5,P (5)), (6,P (6))
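The interpolation step of the slide above, as an added worked example that is not code from the talk or from [PinkasSchneiderSmartWilliams09]: it garbles an AND gate (its single "true" row plays the role of K2 on the slide) over the toy field GF(2^8) with one-byte labels, an assumed E_{A,B}(x) = H(A‖B) ⊕ x with H = SHA-256 truncated to a byte, and point-and-permute color bits that give the evaluator its row index; a real scheme would use λ = 128-bit labels in GF(2^128).

```python
"""Toy GRR2 ("row reduction ++") AND gate via polynomial interpolation.

Added example, not the talk's code.  Assumptions beyond the slide:
  * labels are single GF(2^8) elements (n = 8) to keep the arithmetic short;
  * E_{A,B}(x) = H(A||B) XOR x with H = SHA-256 truncated to one byte, so the
    row key K = E^{-1}_{A,B}(0^n) is simply H(A||B);
  * every label carries a point-and-permute color bit; the pair of color bits
    fixes the row's x-coordinate (1..4) without revealing truth values.
"""
import hashlib

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements: carry-less multiply, reduce mod POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse a^(2^8 - 2) = a^254 by square-and-multiply."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def interpolate_at(points, x0: int) -> int:
    """Value at x0 of the unique polynomial of degree < len(points) through points.

    Lagrange interpolation over GF(2^8); subtraction is XOR in characteristic 2.
    """
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x0 ^ xj)
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total


def k_value(a_label: int, b_label: int) -> int:
    """K = E^{-1}_{A,B}(0^n); with E_{A,B}(x) = H(A||B) XOR x that is H(A||B)."""
    return hashlib.sha256(bytes([a_label, b_label])).digest()[0]


def row_x(color_a: int, color_b: int) -> int:
    """x-coordinate (1..4) of a row, determined only by the public color bits."""
    return 1 + 2 * color_a + color_b


def garble_and(A, B):
    """Garble c = a AND b.  A = ((A0, colorA0), (A1, colorA1)), likewise B.

    Returns the 2-ciphertext gate (P(5), P(6)) and the output labels (C0, C1).
    """
    false_pts, true_pt = [], None
    for a in (0, 1):
        for b in (0, 1):
            (la, ca), (lb, cb) = A[a], B[b]
            pt = (row_x(ca, cb), k_value(la, lb))
            if a and b:
                true_pt = pt           # the one row whose output is true
            else:
                false_pts.append(pt)   # the three rows whose output is false
    # P: unique degree-2 polynomial through the three "false" rows.
    P5, P6 = interpolate_at(false_pts, 5), interpolate_at(false_pts, 6)
    C0 = interpolate_at(false_pts, 0)
    # Q: unique degree-2 polynomial through the "true" row and (5,P(5)), (6,P(6)).
    C1 = interpolate_at([true_pt, (5, P5), (6, P6)], 0)
    return (P5, P6), (C0, C1)


def eval_and(gate, a_label, b_label) -> int:
    """Evaluator: interpolate through its own (x, K) and the two ciphertexts, read 0."""
    (la, ca), (lb, cb) = a_label, b_label
    P5, P6 = gate
    return interpolate_at([(row_x(ca, cb), k_value(la, lb)), (5, P5), (6, P6)], 0)


def check_gate(A, B) -> bool:
    """Evaluate all four input pairs and compare with the garbler's C labels."""
    gate, C = garble_and(A, B)
    return all(eval_and(gate, A[a], B[b]) == C[a & b] for a in (0, 1) for b in (0, 1))
```

Because the two input labels on a wire must have different color bits, the four rows always land on distinct x-coordinates, which is what makes the interpolated polynomial unique.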
Scoreboard
               size (×λ)      garble cost     eval cost       assumption
               XOR    AND     XOR    AND      XOR    AND
Classical      large?         8               5               PKE
P&P            4      4       4/8    4/8      1/2    1/2      hash/PRF
GRR3           3      3       4/8    4/8      1/2    1/2      PRF/hash
Free XOR       0      3       0      4        0      1        circ. hash
GRR2           2      2       4/8    4/8      1/2    1/2      PRF/hash
FleXOR [KolesnikovMohasselRosulek14]
Wire labels A, A ⊕ ∆1  →  A*, A* ⊕ ∆2   (change of offset ∆1 → ∆2)
Truth table of the translation gate: 0 ↦ 0, 1 ↦ 1
  A      ↦ A*
  A ⊕ ∆1 ↦ A* ⊕ ∆2
Ciphertexts: E_A(A*), E_{A⊕∆1}(A* ⊕ ∆2)
Naively A* ← {0,1}^n (2 ciphertexts). With row reduction, A* := E^{-1}_A(0^n), so the first ciphertext is 0^n and is dropped; only E_{A⊕∆1}(A* ⊕ ∆2) is sent.
▸ Translate to a new wire offset (unary a ↦ a gate) using 1 ciphertext
FleXOR [KolesnikovMohasselRosulek14]
XOR gate with input wires A, A ⊕ ∆A and B, B ⊕ ∆B and output wire C, C ⊕ ∆C
Translations ∆A → ∆C and ∆B → ∆C; a wire already on the target offset (e.g. B, B ⊕ ∆C) needs none, and the XOR itself is then free
▸ Adjust inputs to target offset ∆C (1 ciphertext each), then XOR is free
▸ If input wire already suitable, no need to adjust
▸ Total cost: 0, 1 or 2 depending on how many of {∆A, ∆B, ∆C} are distinct.
Combinatorial optimization problem: choose an offset for each wire, minimizing total cost of XOR gates
▸ Subj. to compatibility with 2-ciphertext row-reduction of AND gates
▸ (or) Subj. to removing circularity property of free-XOR
Scoreboard
               size (×λ)       garble cost      eval cost        assumption
               XOR     AND     XOR     AND      XOR     AND
Classical      large?          8                5                PKE
P&P            4       4       4/8     4/8      1/2     1/2      hash/PRF
GRR3           3       3       4/8     4/8      1/2     1/2      PRF/hash
Free XOR       0       3       0       4        0       1        circ. hash
GRR2           2       2       4/8     4/8      1/2     1/2      PRF/hash
FleXOR         {0,1,2} 2       {0,1,2} 4        {0,1,2} 1        circ. hash
Half Gates [ZahurRosulekEvans15]
What if garbler knows in advance the truth value on one input wire?
Wires: A, A ⊕ ∆ (value a known to garbler); B, B ⊕ ∆; output C, C ⊕ ∆
if a = 0: unary gate b ↦ 0   (truth table 0 ↦ 0, 1 ↦ 0)
          B ↦ C, B ⊕ ∆ ↦ C;       ciphertexts E_B(C), E_{B⊕∆}(C)
if a = 1: unary gate b ↦ b   (truth table 0 ↦ 0, 1 ↦ 1)
          B ↦ C, B ⊕ ∆ ↦ C ⊕ ∆;   ciphertexts E_B(C), E_{B⊕∆}(C ⊕ ∆)
In general: E_B(C), E_{B⊕∆}(C ⊕ a∆)
Naively C ← {0,1}^n (2 ciphertexts). With row reduction, C := E^{-1}_B(0^n), so E_B(C) = 0^n is dropped and only E_{B⊕∆}(C ⊕ a∆) is sent: 1 ciphertext.
Fine print: permute ciphertexts with permute-and-point.
Half Gates [ZahurRosulekEvans15]
What if evaluator knows the truth value on one input wire?
Wires: A, A ⊕ ∆; B, B ⊕ ∆ (value b known to evaluator); output C, C ⊕ ∆
Evaluator has B (knows false): ⇒ should obtain C (false)
Evaluator has B ⊕ ∆ (knows true): ⇒ should be able to transfer truth value from "a" wire to "c" wire
▸ Suffices to learn A ⊕ C: XORing it with the held a-label gives A ⊕ (A ⊕ C) = C or (A ⊕ ∆) ⊕ (A ⊕ C) = C ⊕ ∆
Ciphertexts: E_B(C), E_{B⊕∆}(A ⊕ C)
Naively C ← {0,1}^n (2 ciphertexts). With row reduction, C := E^{-1}_B(0^n), so E_B(C) = 0^n is dropped and only E_{B⊕∆}(A ⊕ C) is sent: 1 ciphertext.
Fine print: no need for permute-and-point here
Two halves make a whole!
a ∧ b = (a ⊕ r ⊕ r) ∧ b
      = [(a ⊕ r) ∧ b] ⊕ [r ∧ b]
        first half: one input (a ⊕ r) known to evaluator; second half: one input (r) known to garbler
▸ Garbler chooses random bit r
▸ r = color bit of false wire label A
▸ Arrange for evaluator to learn a ⊕ r in the clear
▸ a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)
▸ Total cost = 2 "half gates" + 1 XOR gate = 2 ciphertexts
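The two half gates and their free-XOR combination from the slides above, as an added example that is not the paper's reference code: labels are 128-bit ints whose lsb is the color bit, ∆ has lsb 1, and the symmetric primitive is an assumed H(label, gate index, half) built from SHA-256, so that E_K(x) = H(K) ⊕ x and row reduction gives E^{-1}_K(0^n) = H(K). The generator half uses r = lsb(A0) as on the slide; the evaluator half reads a ⊕ r from the lsb of the a-label it holds.

```python
"""Half-gates AND gate with free XOR, following the decomposition on the slide:
    a AND b = [(a XOR r) AND b] XOR [r AND b],   r = color bit of the false label A.

Added example, not the paper's code.  Assumptions beyond the slides:
  * lambda = 128-bit labels held as Python ints; the color bit is the lsb, and
    the global offset Delta has lsb 1, so the two labels of a wire differ in color;
  * the symmetric primitive is H(label, gate index, half) = SHA-256 truncated to
    lambda bits, with E_K(x) = H(K) XOR x, so E^{-1}_K(0^n) = H(K) (row reduction).
"""
import hashlib
import secrets

LAMBDA = 128


def H(label: int, gate_id: int, half: int) -> int:
    """Hash a wire label; the tweak (gate_id, half) keeps every H call distinct."""
    data = (label.to_bytes(LAMBDA // 8, "big")
            + gate_id.to_bytes(4, "big") + bytes([half]))
    return int.from_bytes(hashlib.sha256(data).digest()[:LAMBDA // 8], "big")


def lsb(x: int) -> int:
    return x & 1


def new_delta() -> int:
    """Global free-XOR offset; lsb forced to 1 so color bits differ on every wire."""
    return secrets.randbits(LAMBDA) | 1


def new_wire() -> int:
    """Fresh false label W0; the true label is always W0 XOR Delta."""
    return secrets.randbits(LAMBDA)


def garble_xor(A0: int, B0: int) -> int:
    """Free XOR: the output false label is A0 XOR B0, no ciphertexts at all."""
    return A0 ^ B0


def garble_and(A0: int, B0: int, delta: int, gate_id: int):
    """Garble c = a AND b. Returns the two ciphertexts (TG, TE) and the false label C0."""
    A1, B1 = A0 ^ delta, B0 ^ delta
    r = lsb(A0)   # bit known to the garbler (color of the false a-label)
    pb = lsb(B0)  # color of the false b-label: orders the rows (permute-and-point)

    # Generator half gate: unary gate b -> r AND b, keyed by the b-labels.
    # Rows are E_B(CG) and E_{B+Delta}(CG + r*Delta); choosing CG := H(color-0 b-label)
    # makes the color-0 row 0^n, so only the other row, TG, is sent.
    TG = H(B0, gate_id, 0) ^ H(B1, gate_id, 0) ^ (delta if r else 0)
    CG0 = H(B0, gate_id, 0) ^ (TG if pb else 0)

    # Evaluator half gate: (a XOR r) AND b, where the evaluator reads a XOR r off
    # the color bit of its a-label. Rows are E_A(CE) and E_{A+Delta}(B0 + CE); again
    # the color-0 row is reduced to 0^n by CE := H(color-0 a-label), so only TE is sent.
    TE = H(A0, gate_id, 1) ^ H(A1, gate_id, 1) ^ B0
    CE0 = H(A0, gate_id, 1) ^ ((TE ^ B0) if r else 0)

    C0 = CG0 ^ CE0  # the two halves are combined with a free XOR
    return (TG, TE), C0


def eval_and(A: int, B: int, gate, gate_id: int) -> int:
    """Evaluate with one label per input wire: two hash calls, no knowledge of Delta."""
    TG, TE = gate
    sb = lsb(B)     # row of the generator half gate
    alpha = lsb(A)  # a XOR r: row of the evaluator half gate
    WG = H(B, gate_id, 0) ^ (TG if sb else 0)
    # alpha = 1 means (a XOR r) AND b = b: recover B0 + CE, then XOR in our own b-label
    WE = H(A, gate_id, 1) ^ ((TE ^ B) if alpha else 0)
    return WG ^ WE


def decode(label: int, W0: int, delta: int) -> int:
    """Output decoding: 0 for W0, 1 for W0 XOR Delta; anything else is an error."""
    if label == W0:
        return 0
    if label == W0 ^ delta:
        return 1
    raise ValueError("label is not on this wire")


def check_and(A0: int, B0: int, delta: int, gate_id: int = 7) -> bool:
    """For all four (a, b), the evaluator's output label must decode to a AND b."""
    gate, C0 = garble_and(A0, B0, delta, gate_id)
    return all(
        decode(eval_and(A0 ^ (a * delta), B0 ^ (b * delta), gate, gate_id), C0, delta) == (a & b)
        for a in (0, 1) for b in (0, 1)
    )
```

The check covers all four combinations of the color bits r and pb, which is where the permute-and-point bookkeeping in garble_and is easiest to get wrong.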
Scoreboard
               size (×λ)       garble cost      eval cost        assumption
               XOR     AND     XOR     AND      XOR     AND
Classical      large?          8                5                PKE
P&P            4       4       4/8     4/8      1/2     1/2      hash/PRF
GRR3           3       3       4/8     4/8      1/2     1/2      PRF/hash
Free XOR       0       3       0       4        0       1        circ. hash
GRR2           2       2       4/8     4/8      1/2     1/2      PRF/hash
FleXOR         {0,1,2} 2       {0,1,2} 4        {0,1,2} 1        circ. symm
HalfGates      0       2       0       4        0       2        circ. hash
[XYZ26]?       0       < 2?    ?       ?        ?       ?        ?
Optimality
Every practical garbling scheme is a combination of:
▸ Calls to a symmetric primitive (can be modeled as a random oracle)
▸ GF(2^λ)-linear operations (xor, polynomial interpolation)
Theorem ([ZahurRosulekEvans15]): Garbling a single AND gate requires 2 ciphertexts (2λ bits), if the garbling scheme is "linear" in this sense.
Half-gates construction is size-optimal among schemes that:
. . . use "known techniques"
. . . work gate-by-gate in {xor, and, not} basis
Ways forward?
1. Consider larger "chunks" of circuit, beyond {xor, and, not} basis?
2. Discover some clever non-linear approach to garbling?
3. Wait for break-even point for asymptotically superior methods?
4. Use weaker security when situation calls for it.
ZK via garbled circuits [JawurekKerschbaumOrlandi13]
Prover holds (x, w); verifier holds x. Statement: "∃w : R(x, w) = 1"
▸ Verifier garbles R(x, ·) and sends the garbled circuit
▸ Via OT, prover obtains the input wire labels for w (garbled w)
▸ Prover evaluates and sends commit(garbled output)
▸ Verifier opens the garbled circuit; prover checks that it is a correct GC
▸ Prover opens the garbled output
Commitment contains the true wire label ⇒ prover knows a valid w
Correct GC ⇒ garbled output leaks nothing about w
Prover knows entire input to garbled circuit!
Privacy-free garbling [FrederiksenNielsenOrlandi15]
For this ZK protocol, the garbled circuit does not require the privacy property
▸ Only authenticity is needed
▸ Garbled circuits can be significantly smaller in this case
               size (×λ)       garble cost      eval cost        assumption
               XOR     AND     XOR     AND      XOR     AND
Classical      large?          8                5                PKE
P&P            4       4       4/8     4/8      1/2     1/2      hash/PRF
GRR3           3       3       4/8     4/8      1/2     1/2      hash/PRF
Free XOR       0       3       0       4        0       1        circ. hash
GRR2           2       2       4/8     4/8      1/2     1/2      hash/PRF
FleXOR         {0,1,2} 2       {0,1,2} 4        {0,1,2} 1        circ. hash
HalfGates      0       2       0       4        0       2        circ. hash
PrivFree *     0       1       0       2        0       1        circ. hash
A success story!
[Plot: size per garbled gate, 1λ to 5λ, against year (1986, 1990, 1999, 2008, 2009, 2014, 2015); symmetric primitives of each era marked: DES, AES, SHA1, SHA256]
▸ Reduction in size by 10x
▸ Reduction in computation by 10000x
the end!