1 Introduction

1.1 Background – Three-Valued Logic

In classical (Boolean) propositional logic, statements are assigned a “truth-value” that can be either \(\mathsf {True}\) or \(\mathsf {False}\), but not both. Logical operators are used to make up a complex statement out of other, one or more, simpler statements such that the truth value of the complex statement is derived from the simpler ones and the logical operators that connects them. For instance, given that the statement A is \(\mathsf {True}\) and the statement B is \(\mathsf {True}\) we infer that the statement \(C=\)A and B” (denoted by \(C=A\wedge B\)) is \(\mathsf {True}\) as well.

Another branch of propositional logic is the multivalent logic system. Multivalent logic systems consider more than two truth-values, that is, they may admit anything from three to an infinite number of possible truth-values. Among those, the simplest and most studied sort is the three-valued logic (or ternary logic), which is a system that admits three truth-values, e.g., “truth”, “falsity” and “indeterminancy”. Such a system seems to suit many real life situations, for instance, statements about the future or paradoxical statements like “this statement is not correct”, which must have an indeterminate truth-value. Note that in different applications, the third truth-value could be interpreted differently, hence, different inference rules are derivedFootnote 1. The most common three-valued logic system is Kleene’s Logic [6], in which statements are assigned with either \(\mathsf {True}\), \(\mathsf {False}\) or \(\mathsf {Unknown}\). For clarity, whenever we use the term three-valued logic or 3VL we actually refer to Kleene’s Logic. We remark that although other three-valued logic system exist, in this paper we focus only on Kleene’s logic since its use in real life is the most prevalent; see the application example in Sect. 1.2.

The admission of \(\mathsf {Unknown}\) requires one to expand the set of inference rules, to enable the computation of the truth-value of a complex statement from simpler statements, even if one or more of them are \(\mathsf {Unknown}\). In Kleene’s logic, the inference process complies with the way we usually make conclusions: It yields \(\mathsf {Unknown}\) whenever at least one statement that is necessary for deciding \(\mathsf {True}\) or \(\mathsf {False}\) is assigned with \(\mathsf {Unknown}\). For example, the AND of \(\mathsf {True}\) and \(\mathsf {Unknown}\) is \(\mathsf {Unknown}\) since if the \(\mathsf {Unknown}\) were \(\mathsf {False}\) then the result would be false. However, the OR of \(\mathsf {True}\) and \(\mathsf {Unknown}\) is \(\mathsf {True}\) since it equals \(\mathsf {True}\) irrespective of the \(\mathsf {Unknown}\) variable’s value.

Table 1. Definition of the functions \(\wedge _3\) (AND), \(\vee _3\) (OR), \(\oplus _3\) (XOR) and \(\lnot _3\) (NOT) using truth tables. Note these functions are symmetric, that is, the order of the inputs makes no difference.
Full size table

The 3VL inference rules are presented in Table 1 in the form of truth tables. In the rest of the paper whenever we refer to the Boolean version of AND, OR, XOR and NOT we use the usual notation \(\wedge ,\vee ,\oplus ,\lnot \) and when we use their 3VL version we subscript it with the number 3, e.g. \(\wedge _3,\vee _3,\oplus _3,\lnot _3\). We denote by TF and U, the 3VL values \(\mathsf {True}\), \(\mathsf {False}\) and \(\mathsf {Unknown}\), respectively.

1.2 Applications in SQL

In SQL specifications [5] the \(\mathtt{NULL}\) marker indicates the absence of a value, or alternatively, that the value is neither \(\mathsf {True}\) nor \(\mathsf {False}\), but \(\mathsf {Unknown}\). Because of this, comparisons with \(\mathtt{NULL}\) never result in either \(\mathsf {True}\) or \(\mathsf {False}\), but always in the third logical value: \(\mathsf {Unknown}\). For example, the statement “\(\mathtt{SELECT\ 10=NULL}\)” results in \(\mathsf {Unknown}\). However, certain operations on \(\mathsf {Unknown}\) can return values if the absent value is not relevant to the outcome of the operation. Consider the following example:

$$ \mathtt{SELECT\ *\ FROM\ T1\ WHERE\ (age\> 30\ \ OR\ \ height\ <\ 140)\ AND\ weight\ >\ 110} $$

Now, consider an entry where the person’s age is missing. In this case, if the person’s height is 150 then the \(\mathtt{OR}\) subexpression evaluates to \(\mathsf {Unknown}\) and so the entire result is \(\mathsf {Unknown}\), hence, this entry is not retrieved. In contrast, if the person’s height is 120, then the \(\mathtt{OR}\) subexpression evaluates to \(\mathsf {True}\), and so the result is \(\mathsf {True}\) if \(\mathtt{weight > 110}\), and \(\mathsf {False}\) if \(\mathtt{weight \le 110}\).

We remark that the main SQL implementations [2, 9, 10] (Oracle, Microsoft and MySQL) conform to the Kleene’s three-valued logic described above. As such, if secure computation is to be used to carry out secure SQL on distributed (or shared) databases, then efficient solutions for dealing with three-valued logic need to be developed.

1.3 Naively Garbling a 3VL Gate

We begin by describing the straightforward (naive) approach to garbling a 3VL gate. Let \(g_3\) be a 3VL gate with input wires xy and output wire z, where each wire takes one of 3 values, denoted T, F and U. The basic garbling scheme of Yao [8, 13] works by associating a random key with each possible value on each wire, and then encrypting each possible output value under all combinations of input values that map to that output value. Specifically, for each wire \(\alpha \in \{x,y,z\}\), choose random keys \(k_\alpha ^T,k_\alpha ^F,k_\alpha ^U\). Then, for every combination of \(\beta _x,\beta _y\in \{T,F,U\}\), encrypt \(k_z^{g(\beta _x,\beta _y)}\) using keys \(k_x^{\beta _x},k_y^{\beta _y}\) and define the garbled table to be a random permutation of the ciphertexts. See Fig. 1 for a definition of such a garbled gate.Footnote 2

Fig. 1.
figure 1

Garbling a 3VL gate directly using 9 rows.

Full size image

This approach yields a garbled gate of 9 entries. Using the standard garbled row reduction technique [11], it is possible to reduce the size of the gate to 8 entries. This means that 8 ciphertexts need to be communicated for each gate in the circuit. However, this garbling scheme requires four times more bandwidth for three-valued logic gates than the state-of-the-art for their Boolean \(\wedge \) counterparts [12]. Furthermore, using the free-XOR paradigm [7] (as is also utilized in [12]), XOR gates are free in the Boolean case but require significant bandwidth and computation in the three-valued logic case. (We remark that [7, 12] do require non-standard assumptions; however, these techniques do not translate to the 3VL case and so cannot be used, even under these assumptions.)

Before proceeding, we note that another natural way of working is to translate each variable in the 3VL circuit into two Boolean variables: the first variable takes values TF (true/false), and the second variable takes values KU (known/unknown). This method fits into our general paradigm for solving the problem and so will be described later; as we will show, this specific method is not very efficient.

1.4 Our Results

The aim of this paper is to find ways of garbling three-valued logic functions that are significantly more efficient than the naive method described in Sect. 1.3. Our methods all involve first encoding a 3VL function as a Boolean function and then utilizing the state-of-the-art garbling schemes for Boolean functions. These schemes have the property that AND gates are garbled using two ciphertexts, and XOR gates are garbled for free [7, 12]. Thus, our aim is to find Boolean encodings of 3VL functions that can be computed using few AND gates (and potentially many XOR gates).

In order to achieve our aim, we begin by formalizing the notion of a 3VL-Boolean encoding which includes a way of encoding 3VL-input into Boolean values, and a way of computing the 3VL function using a Boolean circuit applied to the encoded input. Such an encoding reduces the problem of evaluating 3VL functions to the problem of evaluating Boolean functions. Our formalization is general, and can be used to model other multivalent logic systems, like that used in fuzzy logic.

Next, we construct efficient 3VL-Boolean encodings, where by efficient, we mean encodings that can be computed using few Boolean AND gates. Interestingly, we show that the way that 3VL-variables are encoded as Boolean variables has a great influence on the efficiency of the Boolean computation. We describe three different encodings: The first encoding is the natural one, and it works by defining two Boolean variables \(x_T\) and \(x_U\) for every 3VL-variable x such that \(x_U=1\) if and only if \(x=U\), and \(x_T=1\) if \(x=T\) and \(x_T=0\) if \(x=F\). This is “natural” in the sense that one Boolean variable is used to indicate whether the 3VL-value is known or not, and the other variable is used to indicate whether the 3VL-value is true or false in the case that it is known. We show that under this encoding, 3VL-AND gates can be computed at the cost of 6 Boolean AND gates, and 3VL-XOR gates can be computed at the cost of 1 Boolean AND gate. We then proceed to present two alternative encodings; the first achieves a cost of 4 Boolean AND gates for every 3VL-AND gate and 1 Boolean AND gate for every 3VL-XOR gate, whereas the second achieves a cost of 2 Boolean AND gates both for every 3VL-AND gate and every 3VL-XOR gate. These encodings differ in their cost tradeoff, and the choice of which to use depends on the number of AND gates and XOR gates in the 3VL-circuit.

Given these encodings, we show how any protocol for securely computing Boolean circuits, for semi-honest or malicious adversaries, can be used to securely compute 3VL circuits, at almost the same cost. Our construction is black-box in the underlying protocol, and is very simple.

Finally, observe that all our encodings have the property that 3VL-XOR gates are computed using at least 1 Boolean AND-gate. This means that none of our encodings enjoy the free-XOR optimization [7] which is extremely important in practice. We show that this is actually somewhat inherent. In particular, we show that it is possible to garble a Boolean AND gate at the same cost of garbling a 3VL XOR gate. Thus, free-3VL-XOR would imply free-Boolean-AND, which would be a breakthrough for Boolean garbling. Formally, we show that free-3VL-XOR is impossible in the linear garbling model of [12].

Brute-force search for encodings. It is theoretically possible to search for efficient 3VL-Boolean encodings by simply trying all functions with a small number of AND gates, for every possible encoding. Indeed, for up to one AND gate it is possible since the search space is approximately \(2^{20}\) possibilites. However, if up to two AND gates are allowed, then the search space already exceeds \(2^{50}\) possibilities. We ran a brute-force search for up to one AND gate, and rediscovered our 3VL-XOR computation that uses a single AND gate (in fact, we found multiple ways of doing this). However, our search showed that there does not exist a way of computing 3VL-AND using a single AND gate, for any encoding. See Appendix A for more details on the brute-force search algorithm that we used.

2 Encoding 3VL Functions as Boolean Functions

2.1 Notation

We denote by TVU the 3VL values \(\mathsf {True},\mathsf {False}\) and \(\mathsf {Unknown}\), respectively, and by 1, 0 the Boolean values \(\mathsf {True}\) and \(\mathsf {False}\). We denote by \(\mathsf {F_3}\) the set of all 3VL functions (i.e. all functions of the form \(\{T,F,U\}^*\rightarrow \{T,F,U\}^*\)) and by \(\mathsf {F_2}\) be the set of all Boolean functions (i.e. all functions of the form \(\{0,1\}^*\rightarrow \{0,1\}^*\)). In addition, we denote by \(\mathsf {F_3}(\ell ,m)\) and \(\mathsf {F_2}(\ell ,m)\) the set of all 3VL and Boolean functions, respectively, that are given \(\ell \) inputs and produce m outputs. We denote by \(x_i\) the ith element in x both for \(x\in \{T,F,U\}^*\) and \(x\in \{0,1\}^*\).

2.2 3VL-Boolean Encoding

As we have mentioned, in order to utilize the efficiency of modern garbling techniques, we reduce the problem of garbling 3VL circuits to the problem of garbling Boolean circuits, by encoding 3VL functions as Boolean functions. Informally speaking, a 3VL-Boolean encoding is a way of mapping 3VL inputs into Boolean inputs, computing a Boolean function on the mapped inputs, and mapping the Boolean outputs back to a 3VL output. This method is depicted in Fig. 2. The naive approach appears on the left and involves directly garbling a 3VL circuit, as described in Sect. 1.3. Our approach appears on the right and works by applying a transformation \(\mathsf {Tr}_{3\rightarrow 2}\) to map the 3VL input to a Boolean input, then computing an appropriately defined Boolean function, and finally applying a transformation \(\mathsf {Tr}_{2\rightarrow 3}\) to map the output back. The Boolean function is also defined by a transformation, so that a 3VL function \(f_3\) is transformed to a Boolean function \(f_2\) via the transformation \(\mathsf {Tr}_F\), that is, \(f_2=\mathsf {Tr}_F(f_3)\), and this is what is computed. As such, as we will see, it suffices to garble the Boolean function \(f_2\), and if this function has few AND gates then it will be efficient for this purpose.

Fig. 2.
figure 2

Naive approach on the left side and our new approach on the right side.

Full size image

Observe that since we map inputs from three-valued logic to Boolean logic, the set sizes of all possible inputs are different. Thus, we define encodings via relations and not via bijective mappings. Of course, the actual transformations \(\mathsf {Tr}_{3\rightarrow 2}\) and \(\mathsf {Tr}_{2\rightarrow 3}\) are functions. However, the mapping between inputs and outputs may be expressed as relations; e.g., when mapping a single 3VL variable to two Boolean variables, it may be the case that one of the 3VL variables can be expressed as two possible Boolean pairs. This enables more generality, and can help in computation, as we will see below.

Although one could define a very general encoding from 3VL to Boolean values, we will specifically consider encodings that map every single 3VL variable to exactly two Boolean variables. We consider this specific case since it simplifies our definitions, and all our encodings have this property.

The formal definition. Let \(f:\{T,F,U\}^m\rightarrow \{T,F,U\}^n\) be a 3VL function. We begin by defining the appropriate relations and transformations.

  1. 1.

    A value encoding is a relation \(R_{3\rightarrow 2}\subseteq \{T,F,U\} \times \{0,1\}^2\) that is left-total and injective.Footnote 3 For \(\ell \in \mathbb {N}\), let \(R_{3\rightarrow 2}^\ell \subseteq \{T,F,U\}^\ell \times \{0,1\}^{2\ell }\) be the relation defined by extending \(R_{3\rightarrow 2}\) per coordinate.Footnote 4

  2. 2.

    A valid input transformation is an injective function \(\mathsf {Tr}^m_{3\rightarrow 2}:\{T,F,U\}^m \rightarrow \{0,1\}^{2m}\) such that \(\mathsf {Tr}^m_{3\rightarrow 2}\subseteq R_{3\rightarrow 2}^m\). Note that since \(R_{3\rightarrow 2}\) is a relation, there may be multiple different input transformations.

  3. 3.

    A function transformation \(\mathsf {Tr}_F^{m,n}:\mathsf {F}_3(m,n)\rightarrow \mathsf {F}_2(2m,2n)\) is a function that converts 3VL functions to Boolean functions with appropriate input-output lengths.

  4. 4.

    The output transformation \(\mathsf {Tr}^n_{2\rightarrow 3}:\{0,1\}^{2n}\rightarrow \{T,F,U\}^n\) is the inverse of \(R_{3\rightarrow 2}\). That is, \(\mathsf {Tr}^1_{2\rightarrow 3}((b_1,b_2))=x\) for every \((x,(b_1,b_2))\in R_{3\rightarrow 2}\). Note that since \(R_{3\rightarrow 2}\) is injective, this transformation is unique.

Observe that \(R_{3\rightarrow 2}\) is required to be injective since otherwise a Boolean value y could represent two possible 3VL values xz, and so the output cannot be uniquely mapped back from a Boolean value to a 3VL value. Furthermore, note that by requiring \(\mathsf {Tr}^m_{3\rightarrow 2}\subseteq R^m_{3\rightarrow 2}\), we have that the transformation constitutes a valid encoding according to the relation.

Informally, a 3VL-Boolean encoding is such that the process of transforming the inputs, computing the transformed Boolean function, and transforming the outputs back, correctly computes the 3VL function. Our definition of an encoding includes the value encoding and function transformation only, and we require that it works correctly for all input transformations; we discuss why this is the case below.

Definition 2.1

Let \(m,n\in \mathbb {N}\); let \(R_{3\rightarrow 2}\) be a value encoding, and let \(\mathsf {Tr}^{m,n}_F\) be a function transformation. Then, the pair \((R_{3\rightarrow 2}^m,\mathsf {Tr}^{m,n}_F)\) is a 3VL-Boolean Encoding of \(\mathsf {F}_3(m,n)\) if for every \(f_3\in \mathsf {F}_3(m,n)\), every valid input transformation \(\mathsf {Tr}^m_{3\rightarrow 2}\), and every \(x\in \{T,F,U\}^m\):

$$\begin{aligned} \mathsf {Tr}_{2\rightarrow 3}^n \big ( f_2 \big ( \mathsf {Tr}_{3\rightarrow 2}^m( x ) \big ) \big ) = f_3(x) \end{aligned}$$
(1)

where \(f_2=\mathsf {Tr}_F^{m,n}(f_3)\).

The above definition simply states that computing via the transformations yields correct output. However, as we have mentioned, we require that this works for all input transformations and not just for a specific one. It may seem more natural to define a 3VL-Boolean encoding in which the input transformation \(\mathsf {Tr}_{3\rightarrow 2}^m\) is fixed, rather than requiring that Eq. (1) holds for every valid input transformation. However, in actuality, it is quite natural to require that the transformed function work for every input transformation since this means that it works for every possible mapping of three-valued inputs to their Boolean counterparts. More significantly, this property is essential for proving the composition theorem of Sect. 2.3 that enables us to compose different function encodings together. As we will see, this is important since it enables us to define independent encodings for different types of gates, and then compose them together to compute any function.

2.3 Composition of 3VL Functions

In this section, we prove that encodings can be composed together. Specifically, we prove that for any two 3VL functions \(g_3\) and \(f_3\) and any 3VL input x, computing \(g\circ f(x)\) yields the same value as when gfx are separately transformed into \(g',f',x'\) using any valid 3VL-Boolean encoding, and then the output of \(g'\circ f'(x')\) is transformed back to its 3VL representation. As we will see, this is very important since it enables us to define independent encodings on different types of gates, and then compose them together to compute any function. Formally:

Theorem 2.2

Let \(m,\ell ,n\) be natural numbers, and let \(R_{3\rightarrow 2}\) be a value encoding. Let \(\mathsf {E}_1=\left( R_{3\rightarrow 2},\mathsf {Tr}_F^{m,\ell }\right) \) and \(\mathsf {E}_2=\left( R_{3\rightarrow 2},\mathsf {Tr}_F^{\ell ,n}\right) \) be two 3VL-Boolean encodings (with the same relation \(R_{3\rightarrow 2}\)). Then, for every \(f_3\in \mathsf {F}_3(m,\ell )\), every \(g_3\in \mathsf {F}_3(\ell ,n)\), every input transformation \(\mathsf {Tr}^m_{3\rightarrow 2}\), and every \(x\in \{T,F,U\}^m\):

$$ \mathsf {Tr}_{2\rightarrow 3}^n \bigg ( g_2 \big ( f_2 \big ( \mathsf {Tr}_{3\rightarrow 2}^m(x) \big ) \big ) \bigg ) = g_3 ( f_3 (x)), $$

where \(f_2 = \mathsf {Tr}_F^{m,\ell }(f_3)\) and \(g_2 = \mathsf {Tr}_F^{\ell ,n}(g_3)\). Equivalently, \(\left( R_{3\rightarrow 2},\mathsf {Tr}_F^{\ell ,n}\circ \mathsf {Tr}_F^{m,\ell }\right) \) is a 3VL-Boolean encoding of \(\mathsf {F}_3(m,n)\).

Before proving the theorem, we present the following claim which simply express that if the output transformation of an encoding maps a Boolean value \(\tilde{Y}\) to some 3VL value y then there must exist a input transformation that maps y to \(\tilde{Y}\). Formally:

Claim 2.1

Let \(R_{3\rightarrow 2}\) be a valid value encoding and let \(\mathsf {Tr}_{3\rightarrow 2}, \mathsf {Tr}_{2\rightarrow 3}\) be a valid input and output transformations respectively such that for \(\tilde{Y}\in \{0,1\}^2\) it holds that \(\mathsf {Tr}_{2\rightarrow 3}(\tilde{Y})=y\) and \(\mathsf {Tr}_{3\rightarrow 2}(y)= Y\). Then there exists a valid input transformation \(\tilde{\mathsf {Tr}}_{3\rightarrow 2}\) (with respect to \(R_{3\rightarrow 2}\)) such that \(\tilde{\mathsf {Tr}}_{3\rightarrow 2}(y)= \tilde{Y}\).

Proof:

If \(Y=\tilde{Y}\) then there is nothing to prove, i.e. \(\tilde{\mathsf {Tr}}_{3\rightarrow 2}=\mathsf {Tr}_{3\rightarrow 2}\). Consider the case of \(Y\ne \tilde{Y}\): This means that \(R_{3\rightarrow 2}\) maps the 3VL value y to both Boolean pairs Y and \(\tilde{Y}\). Denote the other two 3VL values by \(y'\) and \(y''\) and similarly the remaining Boolean pairs by \(Y'\) and \(Y''\) such that \(R_{3\rightarrow 2}(y')=Y'\). It is immediate that the two valid transformations (with respect to \(R_{3\rightarrow 2}\)) are

$$\begin{aligned} \mathsf {Tr}_{3\rightarrow 2}= & {} \left\{ y'\mapsto Y', y''\mapsto Y'', y\mapsto Y \right\} ~~~\text {and}\\ \tilde{\mathsf {Tr}}_{3\rightarrow 2}= & {} \left\{ y'\mapsto Y', y''\mapsto Y'', y\mapsto \tilde{Y} \right\} \end{aligned}$$

   \(\blacksquare \)

Proof:

[of Theorem 2.2]. By the validity of encodings \(\mathsf {E}_1,\mathsf {E}_2\) (Definition 2.1) it follows that for value encoding \(R_{3\rightarrow 2}\) and every valid input transformations \(\mathsf {Tr}_{3\rightarrow 2}^\ell , \mathsf {Tr}_{3\rightarrow 2}^m\), every \(f_3\in \mathsf {F}_3(m,\ell )\), \(g_3\in \mathsf {F}_3(\ell ,n)\) and every \(x\in \{T,F,U\}^m\):

$$\begin{aligned} g_3\left( f_3\left( x\right) \right) = \mathsf {Tr}_{2\rightarrow 3}^n \left( g_2 \left( \mathsf {Tr}_{3\rightarrow 2}^\ell \left( \mathsf {Tr}_{2\rightarrow 3}^\ell \left( f_2 \left( \mathsf {Tr}_{3\rightarrow 2}^m \left( x\right) \right) \right) \right) \right) \right) \end{aligned}$$
(2)

where \(f_2 = \mathsf {Tr}_F^{m,\ell }(f_3)\) and \(g_2 = \mathsf {Tr}_F^{\ell ,n}(g_3)\). This is true due to the following: Let \(y_f = \mathsf {Tr}_{2\rightarrow 3}^\ell \left( f_2 \left( \mathsf {Tr}_{3\rightarrow 2}^m \left( x\right) \right) \right) \). By Definition 2.1 \(y_f\) is guaranteed to be equal to \(f_3(x)\) and \(y_g=\mathsf {Tr}_{2\rightarrow 3}^n \left( g_2 \left( \mathsf {Tr}_{3\rightarrow 2}^\ell \left( y_f \right) \right) \right) \) is guaranteed to be equal to \(g_3(y_f)\). Concluding that the right hand-side of Eq. 2 equals \(g_3(f_3(x))\). In the following we show that we can remove the two intermediate transformations \(\mathsf {Tr}_{3\rightarrow 2}^\ell , \mathsf {Tr}_{2\rightarrow 3}^\ell \) from the Eq. (2) and obtain the same result: Let

$$\begin{aligned} Y= & {} f_2 ( \mathsf {Tr}_{3\rightarrow 2}^m(x)) ~~~\text {and}\\ \hat{y}= & {} \mathsf {Tr}_{2\rightarrow 3}^\ell (Y) \end{aligned}$$

Let \(\hat{\mathsf {Tr}}_{3\rightarrow 2}^\ell \) be a valid input transformation (with respect to \(R_{3\rightarrow 2}\)) such that \(\hat{\mathsf {Tr}}_{3\rightarrow 2}^\ell (\hat{y})=Y\) (there must exist such a transformation from Claim 2.1). We get:

$$\begin{aligned} g_3 ( f_3 ( x) )= & {} \mathsf {Tr}_{2\rightarrow 3}^n \left( g_2 \left( \mathsf {Tr}_{3\rightarrow 2}^\ell \left( \mathsf {Tr}_{2\rightarrow 3}^\ell \left( f_2 \left( \mathsf {Tr}_{3\rightarrow 2}^m \left( x\right) \right) \right) \right) \right) \right) \\= & {} \mathsf {Tr}_{2\rightarrow 3}^n \left( g_2\left( \mathsf {Tr}_{3\rightarrow 2}^\ell \left( \mathsf {Tr}_{2\rightarrow 3}^\ell (Y)\right) \right) \right) \\= & {} \mathsf {Tr}_{2\rightarrow 3}^n \left( g_2\left( \mathsf {Tr}_{3\rightarrow 2}^\ell \left( \hat{y}\right) \right) \right) \\= & {} \mathsf {Tr}_{2\rightarrow 3}^n \left( g_2\left( \hat{\mathsf {Tr}}_{3\rightarrow 2}^\ell \left( \hat{y}\right) \right) \right) \\= & {} \mathsf {Tr}_{2\rightarrow 3}^n \left( g_2\left( Y\right) \right) \\= & {} \mathsf {Tr}_{2\rightarrow 3}^n \left( g_2\left( f_2 ( \mathsf {Tr}_{3\rightarrow 2}^m(x)) \right) \right) \\ \end{aligned}$$

as required. The 2nd equation follows from the definition of Y; the 3rd follows from definition of \(\hat{y}\); the 4th follows from the fact that \(E_2\) is a valid encoding and must work for every valid input transformation, in particular it must work with \(\hat{\mathsf {Tr}}_{3\rightarrow 2}^\ell \); the 5th follows from the way we chose \(\hat{\mathsf {Tr}}_{3\rightarrow 2}^\ell \), i.e. \(\hat{\mathsf {Tr}}_{3\rightarrow 2}^\ell (\hat{y})=Y\) and the 6th equation follows from the definition of Y. Concluding the correctness of the theorem.    \(\blacksquare \)

We remark that it is crucial that the two encodings in Theorem 2.2 be over the same relation and that the encodings be such that they work for all input transformations (as required in Definition 2.1). In order to see why, consider for a moment what could happen if the definition of an encoding considered a specific input transformation and was only guaranteed to work for this transformation. Next, assume that \(f_2\) outputs a Boolean pair that is not in the range of the input transformation specified for \(\mathsf {E}_2\). In this case, \(g_2\) may not work correctly and so the composition may fail. We remark that this exact case occurred in natural constructions that we considered in the process of this research. This explains why correctness is required for all possible input transformations in Definition 2.1.

Using Theorem 2.2 . This composition theorem is important since it means that we can construct separate encodings for each gate type and then these can be combined in the natural way. That is, it suffices to separately find (efficient) function transformations for the functions \(\wedge _3,\lnot _3\) and \(\oplus _3\) and then every 3VL function can be computed by combining the Boolean transformations of these gates. Note that since \(\lnot _3\) is typically free and De Morgan’s law holds for this three-valued logic as well, we do not need to separately transform \(\vee _3\).

2.4 More Generalized Encodings

In order to simplify notation, we have defined encodings to be of the form that every 3VL value \(x\in \{T,F,U\}\) is mapped to a pair of Boolean bits; indeed, all of our encodings in this paper are of this form. However, we stress that our formalization is general enough to allow other approaches as well. In particular, it is possible to generalize our definition to allow more general encodings from \(x\in \{T,F,U\}^m\) to \(y\in \{0,1\}^\ell \) that could result in \(\ell <2m\). In addition, it is conceivable that mapping \(x\in \{T,F,U\}\) to more than 2 bits may yield more efficient function transformations with respect to the number of Boolean gates required to compute them. These and other possible encodings can easily be captured by a straightforward generalization of our definition.

3 A Natural 3VL-Boolean Encoding

In this section we present our first 3VL-Boolean encoding which we call the “natural” encoding. This encoding is natural in the sense that a 3VL value x is simply transformed to a pair of 2 Boolean values \((x_U,x_T)\), such that \(x_U\) signals whether the value is known or unknown, and \(x_T\) signals whether the value is true or false (assuming that it is known). Formally, we define

$$ R_{3\rightarrow 2}= \big \{ \big (T, (0,1)\big ),~ \big (F, (0,0)\big ),~ \big (U, (1,0)\big ),~ \big (U, (1,1)\big ) \big \}, $$

and so U is associated with two possible values (1, 0), (1, 1), and T and F are each associated with a single value. Note that \(R_{3\rightarrow 2}\) is left-total and injective as required by the definition. We now define the input transformation function \(\mathsf {Tr}_{3\rightarrow 2}\) which is defined by mapping T and F to their unique images, and maps U to one of (1, 0) or (0, 1). For concreteness, we define:

$$ (x_U,x_T) = \mathsf {Tr}_{3\rightarrow 2}(x) = {\left\{ \begin{array}{ll} (0,1) &{} x=T \\ (0,0) &{} x=F \\ (1,0) &{} x=U \end{array}\right. } . $$

We proceed to define the function transformation \(\mathsf {Tr}_F\). As we have discussed, it is possible to define many such transformations, and our aim is to find an “efficient one” with as few AND gates as possible. Below, we present the most efficient transformations of \(\wedge _3,\oplus _3,\lnot _3\) that we have found for this encoding. As mentioned in Sect. 2.3, these suffice for computing any function (and \(\vee _3\) can be computed using \(\wedge _3\) and \(\lnot _3\) by De Morgan’s law).

Let \(x,y\in \{T,F,U\}\) be the input values, and let z be the output value. We denote \(\mathsf {Tr}_{3\rightarrow 2}(x)=(x_U,x_T)\) meaning that \((x_U,x_T)\) is the Boolean encoding of x; likewise for y and z. We define the transformations below. All of these transformations work by computing \(z_T\) as the standard logical operation over the \(x_T,y_T\) variables (since these indicate T/F), and compute the \(z_U\) based on the reasoning as to when the output is unknown. We have:

  1. 1.

    \(\mathsf {Tr}_F(\wedge _3)\) outputs the function \(\wedge _2(x_U,x_T,y_U,y_T) = (z_U,z_T)\), defined by

    $$ z_U = (x_U\wedge y_U )\vee (x_U\wedge y_T)\vee (x_T\wedge y_U) \quad \text{ and } \quad z_T = x_T\wedge y_T. $$

    As mentioned above, \(z_T=x_T\wedge y_T\) which gives the correct result and will determine the value if it is known. Regarding \(z_U\), observe that \(z_U=1\) if both x and y equal U or if one of them is U and the other is T (which are the exact cases that the result is unknown). Furthermore, if either of x or y equals F (and so the result should be known), then \(z_U=0\), as required.

  2. 2.

    \(\mathsf {Tr}_F(\oplus _3)\) outputs the function \(\oplus _2(x_U,x_T,y_U,y_T) = (z_U,z_T)\), defined by

    $$ z_U = x_U \vee y_U \quad \text{ and } \quad z_T = x_T\oplus y_T. $$

    Once again, \(z_T=x_T\oplus y_T\) which is correct if the value is known. Regarding \(z_U\), recall that for XOR, if either input is unknown then the result is unknown. Thus, \(z_U=x_U\vee y_U\).

  3. 3.

    \(\mathsf {Tr}_F(\lnot _3)\) outputs the function \(\lnot _2(x_U,x_T) = (z_U,z_T)\), defined by

    $$ z_U = x_U \quad \text{ and } \quad z_T = \lnot x_T, $$

    which is correct since \(z_T\) is computed as above, and \(z_U=x_U\) since the output of a negation gate is unknown if and only if the input is unknown.

Correctness. The formal proof that this is a valid encoding is demonstrated simply via the truth tables of each encoding. This can be found in Appendix C.1.

Efficiency. The transformations above have the following cost: \(\wedge _3\) can be computed at the cost of 6 Boolean \(\wedge \) and \(\vee \) gates (5 for computing \(z_U\) and one for computing \(z_T\)), \(\oplus _3\) can be computed at the cost of a single Boolean \(\vee \) and a single Boolean \(\oplus \) gate, and \(\lnot _3\) can be computed at the cost of a single Boolean \(\lnot \) gate. (We ignore \(\lnot \) gates from here on since they are free in all known garbling schemes.)

Concretely, when using the garbling scheme of [12] that incorporates free-XOR and requires two ciphertexts for \(\vee \) and \(\wedge \), we have that the cost of garbling \(\vee _3\) is 12 ciphertexts, and the cost of garbling \(\oplus _3\) is 2 ciphertexts. In comparison, recall that the naive garbling scheme of Sect. 1.3 required 8 ciphertexts for both \(\vee _3\) and \(\oplus _3\). In order to see which is better, let C be a 3VL circuit and denote by \(C_{\wedge }\) and \(C_{\oplus }\) the number of \(\wedge _3\) and \(\oplus _3\) gates in C, respectively. Then, the natural 3VL-Boolean encoding is better than the naive approach of Sect. 1.3 if and only if

$$ 12 \cdot C_\wedge + 2 \cdot C_\oplus < 8 \cdot C_\wedge + 8 \cdot C_\oplus , $$

which holds if and only if \(C_\wedge < 1.5 \cdot C_\oplus \). This provides a clear tradeoff between the methods. We now proceed to present encodings that are strictly more efficient than both the natural 3VL Boolean encoding and the naive garbling of Sect. 1.3.

4 A More Efficient Encoding Using a Functional Relation

In this section we present a 3VL-Boolean encoding, in which the relation \(R_{3\rightarrow 2}\) is functional.Footnote 5 Since \(R_{3\rightarrow 2}\) is already left-total and injective, this implies that \(R_{3\rightarrow 2}\) is in fact a 1-1 function. We define \( R_{3\rightarrow 2}= \big \{ \big (T, (1,1)\big ),~ \big (F, (0,0)\big ),~ \big (U, (1,0)\big ) \big \}. \) Since \(R_{3\rightarrow 2}\) is a 1-1 function, there is only one possible input transformation \((x_T,x_F) =\mathsf {Tr}_{3\rightarrow 2}=R_{3\rightarrow 2}^{-1}\). The intuition behind this encoding is as follows: The value \(x\in \{T,F,U\}\) is mapped to a pair \((x_T,x_F)\) so that if x is true or false then \(x_T=x_F\), appropriately (i.e., if \(x=T\) then \(x_T=x_F=1\), and if \(x=F\) then \(x_T=x_F=0\)). In contrast, if x is unknown, then \(x_T\) and \(x_F\) take different values of 1 and 0, respectively, representing an “unknown” state (both 1 and 0). We denote the Boolean values \(x_T\) and \(x_F\) because in case that \(x=U\) then \(x_T\) is assigned with \(\mathsf {True}\) and \(x_F\) is assigned with \(\mathsf {False}\).

As we will see, it is possible to compute \(\wedge _3\), \(\oplus _3\) and \(\lnot _3\) gates under this encoding at a cost that is strictly more efficient than the natural encoding of Sect. 3. In order to show this, in Sect. 4.1, we begin by presenting a simple transformation \(\mathsf {Tr}_F\) for \(\wedge _3\) and \(\lnot _3\) gates. These are clearly complete, and furthermore are the most common connectives used in the context of SQL (as above, \(\lnot _3\) is “free” and so \(\vee _3\) can be transformed at the same cost as \(\wedge _3\)). However, for the general case, an efficient transformation for \(\oplus _3\) gates is also desired since the naive method of computing \(\oplus \) from \(\wedge ,\vee ,\lnot \) is quite expensive. We therefore show how to also deal with \(\oplus _3\) gates in Sect. 4.2.

4.1 An Efficient Function Transformation for \(\wedge _3,\lnot _3\) Gates

We now show how to transform \(\wedge _3\) and \(\lnot _3\) gates into Boolean forms at a very low cost: \(\wedge _3\) gates can be transformed at the cost of just two Boolean \(\wedge \) gates, and \(\lnot _3\) gates can be transformed at the cost of two Boolean \(\lnot \) gates (which are free in all garbling schemes).

  1. 1.

    \(\mathsf {Tr}_F(\wedge _3)\) outputs the function \(\wedge _2(x_T,x_F,y_T,y_F) = (z_T,z_F)\), defined by

    $$ z_T = x_T\wedge y_T \quad \text{ and } \quad z_F = x_F\wedge y_F. $$
  2. 2.

    \(\mathsf {Tr}_F(\lnot _3)\) outputs the function \(\lnot _2(x_T,x_F) = (z_T,z_F)\), defined by

    $$ z_T = \lnot x_F \quad \text{ and } \quad z_F = \lnot x_T. $$

We now prove that these transformations are correct. We begin with \(\mathsf {Tr}_F(\wedge _3)\):

  1. 1.

    If \(x\wedge y=T\) then \(x=y=T\) and so \(x_T=x_F=y_T=y_F=1\). Thus, \(z_T=z_F=1\) which means that \(z=\mathsf {Tr}_{2\rightarrow 3}(z_T,z_F)=\mathsf {Tr}_{2\rightarrow 3}(1,1)=T\), as required.

  2. 2.

    If \(x\wedge y=F\), then either \(x=F\) which means that \(x_T=x_F=0\), or \(y=F\) which means that \(y_T=y_F=0\), or both. This implies that \(z_T=z_F=0\) and so \(z=\mathsf {Tr}_{2\rightarrow 3}(z_T,z_F)=\mathsf {Tr}_{2\rightarrow 3}(0,0)=F\), as required.

  3. 3.

    Finally, if \(x\wedge y=U\), then we have three possible cases:

    1. (a)

      Case 1: \(x=y=U\): In this case, \(x_T=y_T=1\) and \(x_F=y_F=0\), and thus \(z_T=1, z_F=0\) and \(z=\mathsf {Tr}_{2\rightarrow 3}(z_T,z_F)=\mathsf {Tr}_{2\rightarrow 3}(1,0)=U\), as required.

    2. (b)

      Case 2: \(x=T\) and \(y=U\): In this case, \(x_T=x_F=y_T=1\) and \(y_F=0\), and thus \(z_T=1\) and \(z_F=0\), implying that \(z=U\), as required.

    3. (c)

      Case 3: \(x=U\) and \(y=T\): This case is symmetric to the previous case and so also results in U, as required.

It remains to prove that \(\mathsf {Tr}_F(\lnot _3)\) is correct:

  1. 1.

    If \(x=T\), then \(x_T=x_F=1\) and so \(z_T=z_F=0\). Thus, \(z=\mathsf {Tr}_{2\rightarrow 3}(0,0)=F\), as required.

  2. 2.

    If \(x=F\), then \(x_T=x_F=0\) and so \(z_T=z_F=1\). Thus, \(z=\mathsf {Tr}_{2\rightarrow 3}(1,1)=T\), as required.

  3. 3.

    If \(x=U\), then \(x_T=1\) and \(x_F=0\) and so \(z_T=\lnot x_F=1\) and \(z_F=\lnot x_T =0\). Thus, \(z=\mathsf {Tr}_{2\rightarrow 3}(1,0)=U\), as required.

Efficiency. The transformations above are very efficient and require 2 Boolean AND gates for every 3VL-AND (or 3VL-OR) gate, and 2 Boolean NOT gates for each 3VL-NOT gate. Using the garbling scheme of [12], this means 4 ciphertext for each \(\wedge _3,\vee _3\) gate, and 0 ciphertexts for \(\lnot _3\) gates. This is far more efficient than any of the previous encodings. However, as we have mentioned above, we still need to show how to compute \(\oplus _3\) gates.

4.2 An Efficient Function Transformation for \(\oplus _3\) Gates

We now present the transformation for \(\oplus _3\) gates for the above functional relation. We begin by remarking that the method above for \(\wedge _3\) gates does not work for \(\oplus _3\) gates.

Fig. 3.
figure 3

The result of the transformation of \(\oplus _3\) by \((z_T,z_F)=(x_T\oplus y_T, x_F\oplus y_F)\)

Full size image

For example, if we define \(z_T=x_T\oplus y_T\) and \(z_F=x_F\oplus y_F\), then the result is correct as long as neither of x or y are unknown: If both are unknown then \(x=y\), and thus \(z_T=z_F=0\). The result of transforming \((z_T,z_F)=(0,0)\) back to a 3VL is F rather than U. If only one is unknown then \(x\ne y\), and thus \(z_T=0\) and \(z_F=1\)). The result of transforming \((z_T,z_F)=(0,1)\) is undefined since the pair (0, 1) is not in the range of \(R_{3\rightarrow 2}\). In general, the truth table for the transformation \(z_T=x_T\oplus y_T\) and \(z_F=x_F \oplus y_F\) appears in Fig. 3; the blue lines are where this transformation is incorrect.

Our transformation must therefore “fix” the incorrect rows in Fig. 3. We define \(\mathsf {Tr}_F(\oplus _3)\) that outputs the function \(\oplus _2(x_T,x_F,y_T,y_F) = (z_T,z_F)\) defined by

$$\begin{aligned} z_T'= & {} (x_T \oplus y_T) \oplus \big ( (x_T \oplus x_F) \wedge (y_T \oplus y_F) \big ) \quad \text{ and } \quad z_F' = x_F \oplus y_F \\ \mathsf {aux}= & {} \lnot z_T' \wedge z_F' \\ z_T= & {} z_T' \oplus \mathsf {aux}\quad \text{ and } \quad z_F = z_F' \oplus \mathsf {aux}\end{aligned}$$

Observe that the value \((z_T',z_F')\) is just the transformation in Fig. 3, with the addition that \(z_T'\) is adjusted so that it is flipped in the case that both \(x=y=U\) (since in that case \(x_T\ne x_F\) and \(y_T\ne y_F\)). This therefore fixes the 5th row in Fig. 3 (i.e., the input case of \(x=y=U\)). Note that it doesn’t affect any other input cases since \((x_T \oplus x_F) \wedge (y_T \oplus y_F)\) equals 0 in all other cases.

In order to fix the 6th and 8th rows in Fig. 3, it is necessary to adjust the output in the case that (0, 1) is received, and only in this case (note that this is only received in rows 6 and 8). Note that the \(\mathsf {aux}\) variable is assigned value 1 if and only if \(z'_T=0\) and \(z'_F=1\). Thus, defining \(z_T=z'_T\oplus \mathsf {aux}\) and \(z_F=z'_F\oplus \mathsf {aux}\) adjusts \((z'_T,z'_F)=(0,1)\) to \((z_T,z_F)=(1,0)\) which represents U as required. Furthermore, no other input cases are modified and so the resulting function is correct.

Correctness. The formal proof that this is a valid encoding is demonstrated simply via the truth tables of each encoding. This can be found in Appendix C.2.

Efficiency. The transformation of \(\oplus _3\) incurs a cost of two Boolean \(\wedge \) gates and 6 Boolean \(\oplus \) gates. Utilizing free-XOR and the garbling scheme of [12], we have that 4 ciphertexts are required for garbling \(\oplus _3\) gates.

Combining this with Sect. 4.1, we have a cost of 4 ciphertexts for \(\wedge _3\) and \(\oplus _3\) gates, and 0 ciphertexts for \(\lnot _3\) gates. This is far more efficient than the naive garbling of Sect. 1.3 for all gate types. Next, recall that the natural encoding of Sect. 3 required 12 ciphertexts for \(\wedge _3\) gates and 2 ciphertexts for \(\oplus _3\) gates. Thus, denoting by \(C_\wedge \) and \(C_\oplus \) the number of \(\wedge _3\) and \(\oplus _3\) gates, respectively, in a 3VL circuit C, we have that the scheme in this section is more efficient if and only if \( 4 \cdot C_\wedge + 4 \cdot C_\oplus < 12 \cdot C_\wedge + 2 \cdot C_\oplus , \) which holds if and only if \( C_\oplus < 4 \cdot C_\wedge . \) Thus, the natural encoding is only better if the number of \(\oplus _3\) gates is over four times the number of \(\wedge _3\) gates in the circuit. In Sect. 5, we present transformations that perform better in some of these cases.

5 Encoding Using a Non-functional Relation

In this section, we present an alternative encoding that is more expensive for \(\wedge _3\) gates but cheaper for \(\oplus _3\) gates, in comparison to the encoding of Sect. 4. The value encoding that we use in this section is the same as in Sect. 4, except that we also include (0, 1) in the range; thus the relation is no longer functional. Since the motivation regarding the relation is the same as in Sect. 4, we proceed directly to define the relation:

$$ R_{3\rightarrow 2}= \big \{ \big (T, (1,1)\big ),~ \big (F, (0,0)\big ),~ \big (U, (0,1)\big ),~ \big (U, (1,0)\big ) \big \}. $$

Thus, \(R_{3\rightarrow 2}\) maps the 3VL value U to both Boolean pairs (0, 1) and (1, 0). As such, there are two admissible input transformation functions \(\mathsf {Tr}_{3\rightarrow 2}\). Both of them map T to (1, 1) and map (0, 0) to F; one of them maps U to (1, 0) the other maps U to (0, 1). Recall that our function transformation needs to work for both, in order for the composition theorem to hold.

We use the same notation of \((x_T,x_F)\) as in Sect. 4 for the Boolean pairs in the range of \(R_{3\rightarrow 2}\). The motivation is the same as before; if \(x=T\) or \(x=F\) then both values are the same; if \(x=U\) then the “true” bit \(x_T\) is different from the “false” bit \(x_F\).

The transformation \(\mathsf {Tr}_F\) for each gate type is given below.

  1. 1.

    \(\mathsf {Tr}_F(\wedge _3)\) outputs the function \(\wedge _2(x_T,x_F,y_T,y_F) = (z_T,z_F)\), defined by:

    $$\begin{aligned} z_T= & {} x_T\wedge y_T \\ z_F= & {} (x_F\wedge y_F) \oplus \bigg ( (x_T\oplus x_F) \wedge (y_T\oplus y_F) \wedge \big (\lnot (x_F\oplus y_T) \big ) \bigg ) \end{aligned}$$

    Recall that in Sect. 4, it sufficed to define \(z_T=x_T\wedge y_T\) and \(z_F=x_F \wedge y_F\). However, this does not yield a correct result in this encoding in the case that x and y are both unknown, and x is encoded as (0, 1) and y is encoded as (1, 0). Specifically, in this case, z is computed as F instead of as U. We fix this case by changing the second bit of z (i.e., \(z_F\)) when the encodings are of this form. Observe that the expression \((x_T\oplus x_F) \wedge (y_T\oplus y_F) \wedge \left( \lnot (x_F\oplus y_T)\right) \) evaluates to 1 if and only if \(x_T\ne x_F\) and \(y_T\ne y_F\) and \(x_F = y_T\), which is exactly the case that one of the value is encoded as (1, 0) and the other is encoded as (0, 1).

  2. 2.

    \(\mathsf {Tr}_F(\oplus _3)\) outputs the function \(\oplus _2(x_T,x_F,y_T,y_F) = (z_T,z_F)\), defined by:

    $$\begin{aligned} z_T= & {} (x_T \oplus y_T) \oplus \big ( (x_T \oplus x_F) \wedge (y_T \oplus y_F) \big ) \\ z_F= & {} x_F \oplus y_F \end{aligned}$$

    This is the same transformation of \(\oplus _3\) described in Sect. 4.2 for the functional encoding of Sect. 4, except that here there is no need to switch the left and right bits of the result in the case that they are (0, 1). This is due to the fact that (0, 1) is a valid encoding of U under \(R_{3\rightarrow 2}\) used here.

  3. 3.

    \(\mathsf {Tr}_F(\lnot _3)\) outputs the function \(\vee _2(x_T,x_F) = (z_T,z_F)\), defined by:

    $$ z_T = \lnot x_T \quad \text{ and } \quad z_F = \lnot x_F $$

    This is almost the same as the transformation of \(\lnot _3\) in Sect. 4.1, excepts that we do not exchange the order of the bits. Again, this is due to the fact that both (1, 0) and (0, 1) are valid encodings of 0 and so the negation of U by just complementing both bits results in U and is correct.

Correctness. The formal proof that this is a valid encoding is demonstrated simply via the truth tables of each encoding. This can be found in Appendix C.3.

Efficiency. The Boolean function \(\mathsf {Tr}_F(\wedge _3)\) requires 4 AND gates, which translates to 8 ciphertexts using the garbling of [12]. The Boolean function \(\mathsf {Tr}_F(\oplus _3)\) requires only one AND gate, which translates to two ciphertexts using the garbling of [12]. Denote by \(C_\wedge \) and \(C_\oplus \) the number of \(\wedge _3\) and \(\oplus _3\) gates in the 3VL circuit, then the encoding of this section is better than that of Sect. 4 if and only if \( 8 \cdot C_\wedge + 2 \cdot C_\oplus < 4 \cdot C_\wedge + 4 \cdot C_\oplus \) which holds if and only if \(C_\oplus > 2 \cdot C_\wedge \). Observe also that the encoding in this section is always at least as good as the natural encoding of Sect. 3; in particular, it has the same cost for \(\oplus _3\) gates and is strictly cheaper for \(\wedge _3\) gates.

6 Efficiency Summary of the Different Methods

We have presented a naive garbling method and three different encodings. We summarize the efficiency of these different methods, as a function of the number of ciphertexts needed when garbling, in Table 2.

Table 2. A summary of the garbling efficiency of the different methods
Full size table

7 A Black-Box Protocol for Computing 3VL Circuits

In this section, we show how to securely compute 3VL circuits. Of course, one could design a protocol from scratch using a garbled 3VL circuit. However, our goal is to be able to use any protocol that can be used to securely evaluate a Boolean circuit, and to directly inherit its security properties. This approach is simpler, and allows us to leverage existing protocol optimizations for the Boolean case.

Before proceeding, we explain why there is an issue here. Seemingly, one could compile any 3VL-circuit into a Boolean circuit using our method above, and then run the secure computation protocol on the Boolean circuit to obtain the output. As we will see, this is actually not secure. Fortunately, however, it is very easy to fix. We now explain why this is not secure:

  1. 1.

    Output leakage: The first problem that arises is due to the fact that Definition 2.1 allows \(R_{3\rightarrow 2}\) to be a non-functional relation. This implies that a value \(x\in \{T,F,U\}\) might be mapped to two or more Boolean representations. Now, if a secure protocol is run on the Boolean circuit, this implies that a single 3VL output could be represented in more than one way. This could potentially leak information that is not revealed by the function itself. In Appendix B, we show a concrete scenario where this does actually reveal more information than allowed. We stress that this leakage can occur even if the parties are semi-honest.

    This leakage can be avoided by simply transforming y to a unique, predetermined Boolean value \(y^*\) at the end of the circuit computation and before outputs are revealed. This is done by incorporating an “output translation” gadget into the circuit for every output wire.

  2. 2.

    Insecurity due to malicious inputs. Recall that the relation \(R_{3\rightarrow 2}\) does not have to be defined over the entire range of \(\{0,1\}\times \{0,1\}\), and this is indeed the case for the relation that we use in Sect. 4. In such a case, if the malicious party inputs a Boolean input that is not legal (i.e., is not in the range of \(R_{3\rightarrow 2}\)), then this can result in an incorrect result (or worse).

    This cheating can be prevented by incorporating an “input translation” gadget for every input wire of the circuit that deterministically translates all possible Boolean inputs (even invalid ones) into valid inputs that appear in the range of \(R_{3\rightarrow 2}\). This prevents a malicious adversary from inputting incorrect values (to be more exact, it can input incorrect values but they will anyway be translated into valid ones).

The key observation from above is that the solutions to both problems involve modifications to the circuit only. Thus, any protocols that is secure for arbitrary Boolean circuits can be used to securely compute 3VL circuits. Furthermore, these input and output gadgets are very small (at least for all of our encodings) and thus do not add any significant overhead.

We have the following theoremFootnote 6:

Theorem 7.1

Let \(\pi \) be a protocol for securely computing any Boolean circuit, let \(f_3\) be a 3VL function with an associated 3VL circuit C, and let \(C'\) be a Boolean circuit that is derived from C via a valid 3VL-Boolean encoding. Then, Denote by \(C'_1\) the circuit obtained by adding output-translation gadgets to \(C'\), and denote by \(C'_2\) the circuit obtained by adding input-translation and output-translation gadget to \(C'\).

  1. 1.

    If \(\pi \) is secure in the presence of semi-honest adversaries, then protocol \(\pi \) with circuit \(C'_1\) securely computes the 3VL function \(f_3\) in the presence of semi-honest adversaries.

  2. 2.

    If \(\pi \) is secure in the presence of malicious (resp., covert) adversaries, then protocol \(\pi \) with circuit \(C'_2\) securely computes the 3VL function \(f_3\) in the presence of malicious (resp., covert) adversaries.

Secure computation. The above theorem holds for any protocol for secure computation. This includes protocols based on Yao and garbled circuits [8, 13], as well as other protocols like that of [4].

8 Lower Bounds

One of the most important optimizations of the past decade for garbled circuits is that of free-XOR [7]. Observe that none of the 3VL-Boolean encodings that we have presented have free-XOR, and the cheapest transformation of \(\oplus _3\) requires 2 ciphertexts. In this section, we ask the following question:

$$\begin{aligned} \begin{array}{c} \textit{Can free-XOR garbling be achieved for 3VL functions?} \end{array} \end{aligned}$$

We prove a negative answer for a linear garbling scheme, which is defined in the Linicrypt model of [1]. Our proof is based on a reduction from any garbling scheme for 3VL circuit to a garbling scheme for Boolean circuits. Specifically, we show that any garbling scheme for 3VL-XOR can be used to garble Boolean-AND gates at the exact same cost. Now, [12] proved that at least 2 ciphertexts are required for garbling AND gates using any linear garbling method. By reducing to this result, we will show that 3VL-XOR cannot be garbled with less than two ciphertexts using any linear garbling method. Thus, a significant breakthrough in garbling would be required to achieve free-XOR in the 3VL setting, or even to reduce the cost of 3VL-XOR to below two ciphertexts.

Reducing Boolean AND to 3VL XOR. It is actually very easy to compute a Boolean AND gate given a 3VL XOR gate. This is due to the fact that 3VL XOR actually contains an embedded AND; this is demonstrated in Fig. 4.

Fig. 4.
figure 4

Shows that \(\oplus _3\) embeds the truth table of both \(\wedge , \vee \) and \(\oplus \).

Full size image

This can be utilized in the following way. Let \(\tilde{g}\) be a garbled 3VL-XOR gate with input wires xy and output wire z. By definition, given keys \(k_x^\alpha \) and \(k_y^\beta \) on the input wires with \(\alpha ,\beta \in \{T,F,U\}\), the garbled gate can be used to compute the key \(k_z^\gamma \) on the output wire where \(\gamma =\alpha \oplus _3\beta \). Thus, in order to compute a Boolean AND gate, the following can be carried out. First, associate the 3VL-value F with the Boolean value 1 (\(\mathsf {True}\)), and associate the 3VL-value U with the Boolean value 0 (\(\mathsf {False}\)). Then, given any two of \(k_x^U,k_x^F\) and \(k_y^U,k_y^F\) the output of the garbled gate will be \(k_z^F\) if and only if \(x=y=F\), which is exactly a Boolean AND gate. (This is depicted in the shaded square in Fig. 4.) Observe that the 3VL-value T is not used in this computation and so is ignored. The fact that this method is a secure garbling of an AND gate follows directly from the security of the 3VL garbling scheme.

It follows that a (single) Boolean AND gate can be garbled at the same cost of a 3VL XOR gate. Thus, free-3VL-XOR would imply free-Boolean-AND, and even 3VL XOR with just a single ciphertext would imply a construction for garbling a Boolean AND gate at the cost of just one ciphertext. Both of these would be surprising results. We now formalize this more rigorously using the framework of linear garbling.

Impossibility for linear garbling. The notion of linear garbling was introduced by [12], who also showed that all known garbling schemes are linear. In their model, the garbling and evaluation algorithms use only linear operations, apart from queries to a random oracle (which may be instantiated by the garbling scheme) and choosing which linear operation to apply based on some select bits for a given wire. They prove that for every ideally secure linear garbling scheme (as defined in [12]), at least two ciphertexts must be communicated for every Boolean AND gate in the circuit. Combining [12, Theorem 3] with what we have shown above, we obtain the following theorem with regards to garbling schemes for 3VL circuits in the same model.

Theorem 8.1

Every ideally secure garbling scheme for 3VL-XOR gates, that is linear in the sense defined in [12], has the property that the garbled gate consists of at least 2n bits, where n is the security parameter.

This explains why we do not achieve free-XOR in our constructions in the three-valued logic setting.