# Privacy-Free Garbled Circuits with Applications to Efficient Zero-Knowledge Tore Kasper Frederiksen<sup>( $\boxtimes$ )</sup>, Jesper Buus Nielsen<sup>( $\boxtimes$ )</sup>, and Claudio Orlandi<sup>( $\boxtimes$ )</sup> Department of Computer Science, Aarhus University, Aarhus, Denmark {jot2re,jbn,orlandi}@cs.au.dk Abstract. In the last few years garbled circuits (GC) have been elevated from being merely a component in Yao's protocol for secure twoparty computation, to a cryptographic primitive in its own right, following the growing number of applications that use GCs. Zero-Knowledge (ZK) protocols is one of these examples: In a recent paper Jawurek et al. [JKO13] showed that GCs can be used to construct efficient ZK proofs for unstructured languages. In this work we show that due to the property of this particular scenario (i.e., one of the parties knows all the secret input bits, and therefore all intermediate values in the computation), we can construct more efficient garbling schemes specifically tailored to this goal. As a highlight of our result, in one of our constructions only one ciphertext per gate needs to be communicated and XOR gates never require any cryptographic operations. In addition to making a step forward towards more practical ZK, we believe that our contribution is also interesting from a conceptual point of view: in the terminology of Bellare et al. [BHR12] our garbling schemes achieve authenticity, but no privacy nor obliviousness, therefore representing the first natural separation between those notions. #### 1 Introduction A garbled circuit (GC) is a cryptographic tool that allows one to evaluate "encrypted" circuits on "encrypted" inputs. Garbled circuits were introduced by Yao in the 80's in the context of secure two-party computation [Yao86], and they owe their name to Beaver *et al.* [BMR90]. Since then, garbled circuits have been used in a number of different contexts such as two- and multi-party secure computation [Yao86, GMW87], verifiable Partially supported by the European Research Commission Starting Grant 279447 and the Danish National Research Foundation and The National Science Foundation of China (grant 61361136003) for the Sino-Danish Center for the Theory of Interactive Computation and from the Center for Research in Foundations of Electronic Markets (CFEM), supported by the Danish Strategic Research Council. Tore is supported by Danish Council for Independent Research Starting Grant 10-081612. The research leading to these results has received funding from the European Union Seventh Framework Programme ([FP7/2007-2013]) under grant agreement number ICT-609611 (PRACTICE). <sup>©</sup> International Association for Cryptologic Research 2015 E. Oswald and M. Fischlin (Eds.): EUROCRYPT 2015, Part II, LNCS 9057, pp. 191–219, 2015. DOI: $10.1007/978-3-662-46803-6\_7$ outsourcing of computation [GGP10], key-dependent message security [BHHI10], efficient zero-knowledge [JKO13], functional encryption [SS10] etc. However, it is not until recently that a formal treatment of garbled circuits appeared in the literature. The first proof of security of Yao's celebrated protocol for two-party computation, to the best of our knowledge, only appeared a few years ago in [LP09], and it is not until [BHR12] that garbled circuits were elevated from a technique to be used in other protocols, to a cryptographic primitive in their own right. Different applications of GC often use different properties of the garbling scheme: In some applications we need GCs to protect the privacy of encrypted inputs, in others we need GCs to hide partial information about the encrypted function, while in yet others we ask GCs to ensure that even a malicious evaluator cannot tamper with the output of the GC. In their foundational work, Bellare et al. [BHR12] formally defined the different security properties that different applications require from GCs, showed separations between them, and showed that the original garbling scheme proposed by Yao satisfies all of the above properties. This raises a natural question: Can we construct garbling schemes tailored to specific applications, which are more efficient than Yao's original construction? In this work we give the first such example, namely a garbling scheme which only satisfies authenticity (in the terminology of Bellare et al.) but not privacy: One of the main properties of Yao's garbling scheme is that the circuit evaluator cannot learn the values associated to the internal wires during the evaluation of the garbled circuit. This implies that the evaluation of each garbled gate must be oblivious (it must be the same for each input combination). In this work we give up on this property and we construct a scheme where the evaluator learns the values associated which each wire in the circuit, and explicitly uses this knowledge to perform non-oblivious garbled gate evaluation. This allows us to significantly reduce the size of a garbled circuit and the computational overhead for the circuit constructor. We show that this does not have any impact on authenticity, i.e., the only thing that a malicious evaluator can do with a garbled input and a garbled circuit is to use them in the intended way, that is to evaluate the garbled circuit on the garbled input and produce the (correct) garbled output. Our new garbling schemes can be immediately plugged-in in Jawurek et al. [JKO13] efficient zero-knowledge protocol for non-algebraic languages, and therefore we believe that our results have both practical and conceptual value. It is an interesting future direction to investigate which other applications could benefit significantly from our new garbling scheme (natural candidates include verifiable outsourcing of computation, functional encryption etc.). #### 1.1 Other Garbling Schemes Since the introduction of GCs by Yao, a number of optimizations have been proposed to increase their efficiency. Some of the most significant optimiza- tions include point-and-permute [Rog91,MNPS04] (which reduces the work of the circuit evaluator from 4 to 1 decryption per garbled gate) the row-reduction technique [NPS99,PSSW09] (which reduces the number of ciphertexts per garbled gate, by fixing some of them to be constant values), the free-XOR and fleXOR techniques [KS08,KMR14] (which allows to garble/evaluate XOR gates using none/less cryptographic operations). In [BHR12,BHKR13] efficient garbling schemes, which only use one call to a block-cipher for each row in a garbled gate, are presented. Information theoretic garbling schemes can efficiently be constructed [IK02,Kol05,KK12] for low-depth circuits. All these techniques lead to very efficient garbling schemes that are used today in practical implementation of secure two-party computation. Our optimization is conceptually different from all of the above, as our schemes are not "general purpose" since they do not satisfy privacy. LEGO GCs [NO09,FJN+13] are different from Yao GCs as they allow one to generate garbled gates independently of each other and then, at a later time, to solder them together into a functional garbled circuit. LEGO GCs can be used for secure two-party computation in the presence of active corruptions. The size of garbled input in Yao-style GCs grows linearly in the security parameter. In [AIKW13] a garbling scheme where the garbled input grows only by a constant factor is presented at the price of using public-key primitives (traditional GCs only use symmetric key operations). Traditional GCs only work on Boolean circuits, while [AIK11] presents a way of garbling arithmetic circuits directly. All previously discussed garbling schemes are *one-time*, meaning that no security is guaranteed against an adversary that receives the garbling of two different inputs for the same garbled circuit. A recent line of work considers reusable garbled circuits [GKP<sup>+</sup>13] and their (asymptotic) overhead [GGH<sup>+</sup>13]. While the concept of reusable garbled circuits has numerous applications in establishing important theoretical feasibility result, their use of heavy crypto machinery makes them (still) far from being practical. Finally, there exist garbling schemes tailored for other models of computation [KW13] including RAM programs [LO13, GHL<sup>+</sup>14]. Independently from us Ishai and Wee [IW14] defined the notion of partial garbling: like us, they noticed that in some applications one of the parties controls all the inputs and therefore it is possible to construct garbling schemes which are more efficient than traditional ones. However they develop this observation in a very different direction compared to us: the two works use different abstraction models (garbling schemes vs. randomized encodings), are useful for different tasks, and use completely different techniques. Finally, Zahur *et al.* [ZRE15] extended our work to the two-party case, demonstrating that it is possible to combine (in a very clever way) two privacy-free garbling schemes – where each party knows all of the inputs for one of the two garblings – into a garbling scheme which guarantees privacy and is more efficient than existing ones, in terms of communication complexity. #### 1.2 Our Contributions We propose some novel garbling schemes which satisfy authenticity only and are more efficient than general purpose garbling schemes<sup>1</sup>: Privacy Free GRR1 with cheap XOR: In this garbling scheme we only send one ciphertext for each encrypted gate (both XOR and non-XOR). The circuit evaluator uses 3 calls to a *Key Derivation Function* (KDF) for each non-XOR gate, and none for each XOR gate (so from a computational point of view XOR gates are free). The scheme combines the row reduction technique with non-oblivious gate evaluation. Privacy Free GRR2 with free-XOR: In this garbling scheme we send two ciphertexts for each encrypted non-XOR gate, and XOR gates are "for free". The circuit evaluator uses 3 calls to a KDF for each non-XOR gate (and none for XOR gates). The scheme is similar to GRR1, but using the free-XOR technique reduces the degrees of freedom we have in choosing the output keys and therefore require higher communication complexity for non-XOR gates. Privacy Free fleXOR: In this garbling scheme we combine either our GRR1 or GRR2 scheme with the fleXOR technique of [KMR14]. The cost of non-XOR gates is unchanged from the previous scheme, i.e. one or two ciphertexts per gate respectively, but now the cost of XOR gate depends on the structure of the circuit: XOR gates require no cryptographic operations, while for communication, depending on the circuit structure, XOR gates require communication of 2,1 or 0 ciphertexts. Also note that our fleXOR variant, being tailored for privacy-free garbled circuits, performs better than the original. Furthermore, we present a formal generalization of garbling schemes with gates with arbitrary fan-in and show how to construct each of our privacy-free schemes in such a setting. It turns our that all types of our privacy-free garbled gates yield even more significant improvements in computation (and in some settings also communication) over general garbled garbles when fan-in is larger than two. #### 1.3 Overview of Our Schemes In a nutshell, our garbling schemes work as follows: Consider a NAND gate, with associate input keys $L^0, L^1, R^0, R^1$ for the left and right wire respectively, and output keys $O^0, O^1$ . The circuit constructor needs to provide the evaluator with a cryptographic gadget that, on input $L^a, R^b$ , outputs the corresponding output key $O^{a\bar{\wedge}b}$ . Remember that our goal is not privacy, but only authenticity, meaning that the evaluator is allowed to learn a and b but even a corrupted evaluator should not learn $O^{1-(a\bar{\wedge}b)}$ . In particular, this means that the evaluator should learn $O^0$ if and only if (iff) he holds both $L^1$ and $R^1$ . This can be ensured by encrypting $O^0$ under both $L^1$ and $R^1$ . $<sup>^{1}</sup>$ The naming convention here follows [PSSW09], where GRR stands for $\it garbled\ row\ reductions.$ On the other hand, it is enough that one of the inputs is 0 for the output to be 1, so it "should be enough" to hold $L^0$ or $R^0$ to learn $O^1$ . In standard Yao GCs we do not want the evaluator to learn which of the three possible combinations of input keys he owns (nor the output of the gate) and therefore we encrypt $O^1$ under all the three possibilities in the same way as we encrypt the 0 key. But if the evaluator is allowed to know which bits keys correspond to, we can simply encrypt $O^1$ separately under $L^0$ and $R^0$ , thus saving one encryption. Note that, using the row-reduction technique, we can instead derive $O^0$ as $O^0 = \mathsf{KDF}(L^1, R^1)$ and therefore we can remove one ciphertext from the garbled table. We now have two-choices: - If we want to be compatible with the free-XOR technique the value $O^1$ is already determined by $O^0$ and the global difference $\Delta$ , and thus no more row-reduction is possible. - Alternatively we can decide to give up on free-XOR and derive $O^1$ as $O^1 = \mathsf{KDF}(L^0)$ , thus removing yet another ciphertext from the garbled table, that now contains only the ciphertext $C = O^1 \oplus \mathsf{KDF}(R^0)$ . "Almost" free-XOR. If we choose the second path, we need an efficient way of garbling the XOR gates: we do so by defining the output keys $O^0$ and $O^1$ respectively as $O^0 = L^0 \oplus R^0$ and $O^1 = L^0 \oplus R^1$ . Of course, it might be that at evaluation time the evaluator holds $L^1$ instead of $L^0$ , and thus we provide him with an "advice" to compute the correct output key in this case. It turns out that it suffices to reveal the value $C = L^0 \oplus R^0 \oplus L^1 \oplus R^1$ . Due to the symmetry of the XOR gate, now the evaluator can always derive the correct output key. Note that now XOR gates do not require any cryptographic operation but only the communication of a k-bit string (k being the security parameter), and therefore are "almost" for free. The paranoid reader might now worry on whether revealing the XOR of all input keys affects the security of our scheme, and the impatient reader might not want to wait for the formal proof, which appears later in the paper: Intuitively revealing C does not represent a problem because, if it did, then the free-XOR technique would be insecure as well: In (standard) free-XOR the value C is always 0, as $L^0 \oplus L^1 = R^0 \oplus R^1$ , and therefore known to the adversary already. Privacy free fleXOR. Finally we combine our technique with the recent fleXOR garbling scheme [KMR14]. A central concept in fleXOR is to look, for each wire, at the XOR between the two keys associated to that wire, or the offset of that wire. While in freeXOR the offset is a constant for the whole circuit (therefore fixing half of the keys in the circuit), in fleXOR wires are ordered in a way to maximize the number of offsets which are the same, while at the same time leaving the circuit garbler the ability to choose freely the output keys for the non-XOR gates. The fleXOR wire ordering induces a partitioning of the wires for each XOR gates. In particular, each XOR gates is assigned a parameter t which denotes how many input wires have offset different than the output wire. Then a 0-XOR gate can be garbled exactly like in free-XOR, while for t-XORs (with t>0) the garbler sends t ciphertexts to the evaluator, which are used to "adjust" the offsets of those input wires. In the privacy-free case, exploiting non-oblivious gate evaluation, we can simply reveal the XOR of the offsets instead, exactly like in our GRR1 scheme. So, while the original fleXOR requires the garbler and the evaluator to perform 2t and t calls respectively to the KDF, we do not require any cryptographic operations for fleXOR gates. Garbling XORs. To conclude this technical introduction, we would like to present the reader with a recap of the different ways in which XOR gates are garbled in this paper. Like before, let $L^0$ , $L^1$ , $R^0$ , $R^1$ , and $O^0$ , $O^1$ be the keys for the left, right and output wire, and let $\Delta_L$ , $\Delta_R$ and $\Delta_O$ be their differences, the offsets associated to the wires. Now, the "baseline" garbling of a XOR gate is done as follows: the garbler sets $O^0 = L^0 \oplus R^0$ , then computes and send to the evaluator the following values: $$C_L = \Delta_L \oplus \Delta_O$$ and $C_R = \Delta_R \oplus \Delta_O$ Now, on input keys $L_a$ , $R_b$ , the evaluator retrieves $$O^{a \oplus b} = L^a \oplus R^b \oplus a \cdot C_L \oplus b \cdot C_R$$ The baseline garbling transmits 2 ciphertexts, but in most cases we can do better. **GRR1:** In this case the garbler can freely choose both $\Delta_O$ , which is set to be equal to $\Delta_L$ (so that $O^1 = L^1 \oplus R^0$ ) and therefore we do not need to communicate $C_L$ , saving one ciphertexts w.r.t. the baseline. **free-XOR:** Here it holds that $\Delta_L = \Delta_R = \Delta_O$ , therefore both $C_L = C_R = 0$ and no ciphertexts need to be transferred. **fleXOR:** a t-XOR gate is garbled like in the baseline garbling when t = 2, like in GRR1 when t = 1 and like free-XOR when t = 0. #### 1.4 Efficiency Improvements Our garbling schemes offer different performances in terms of communication and computation overhead. It is natural to ask which one is the most efficient one. Like most interesting questions, the answer is not as simple as one might want, and to answer which garbling scheme offers the best performances one must define the price of communication vs. computation. The ultimate answer depends on the actual hardware setting (CPU, network) on which the protocol is to be run and can only be determined empirically. In Table 1 and Table 2 we benchmark our garbling scheme against the best previous garbling schemes, on a number of circuits that we believe relevant for the zero-knowledge application that we have in mind e.g., proving "I know a secret x s.t., y = SHA(x)" for a y known to both the prover and the verifier. **Table 1.** Comparison with other garbling schemes on some circuit examples from [ST12] in terms of communication complexity. The fleXOR scheme used is based on GRR1 and thus a "safe" topological ordering is assumed (see [KMR14]). The number in each cell shows the amortized number of ciphertext per gate that need to be sent. We ignore the inversion gates, as they can be pulled inside other kind of gates. The "Saving" column is computed against the previously best solution. | Communication | | | | | | | | | | |---------------------------------------|------------|-------|---------|----------|--------|--------------|----------|--------|--------| | (amortized # of ciphertexts per gate) | | | | | | | | | | | Circuit | # of Gates | | Private | | | Privacy-free | | | Saving | | | AND | XOR | GRR2 | free-XOR | fleXOR | GRR1 | free-XOR | fleXOR | Saving | | DES | 18124 | 1340 | 2.0 | 2.79 | 1.89 | 1.0 | 1.86 | 0.96 | 49% | | AES | 6800 | 25124 | 2.0 | 0.64 | 0.72 | 1.0 | 0.43 | 0.51 | 33% | | SHA-1 | 37300 | 24166 | 2.0 | 1.82 | 1.39 | 1.0 | 1.21 | 0.78 | 44% | | SHA-256 | 90825 | 42029 | 2.0 | 2.05 | 1.56 | 1.0 | 1.37 | 0.87 | 44% | Table 2. Comparison with other garbling schemes on some circuit examples from [ST12] in terms of computational overhead. The fleXOR scheme used is based on a "safe" topological ordering (see [KMR14]). The number in each cell shows the amortized number of calls to a KDF per gate that the constructor/evaluator need to perform. (The evaluator always performs 1 KDF evaluation for non-free gates.) Note that we do not count the non cryptographic operations in this table (polynomial interpolation in GRR2, XOR of strings in all others). The "Saving" column is computed against the previously best solution. | Computation | | | | | | | | | |-------------------------------------------------------------|-------|-------|---------|-----------|-----------|--------------|--------|--| | (amortized # of encryptions per gate for garbler/evaluator) | | | | | | | | | | Circuit | # of | Gates | | Private | | Privacy-free | Saving | | | | AND | XOR | GRR2 | free-XOR | fleXOR | - | Daving | | | DES | 18124 | 1340 | 4.0/1.0 | 3.72/0.93 | 3.78/0.96 | 2.79/0.93 | 25%/0% | | | AES | 6800 | 25124 | 4.0/1.0 | 0.85/0.21 | 1.44/0.51 | 0.64/0.21 | 25%/0% | | | SHA-1 | 37300 | 24166 | 4.0/1.0 | 2.43/0.61 | 2.78/0.78 | 1.82/0.61 | 25%/0% | | | SHA-256 | 90825 | 42029 | 4.0/1.0 | 2.73/0.68 | 3.11/0.87 | 2.05/0.68 | 25%/0% | | The circuits used are due to Smart and Tillich and are publicly available [ST12]. Note however that the numbers in our tables depend on the actual circuits being used, meaning that it might be possible to find different circuits that compute the same functions but that are more favorable to one or another garbling scheme. Finding such circuits requires non-trivial heuristics and manual work (e.g., [BP12]), as there is evidence that finding such circuits is computationally hard [Fin14, KMR14]. Still, no previous garbling scheme performs better than all of our proposed schemes, therefore while the actual saving factor might change, one of our schemes will always outperforms the rest. ### 2 Preliminaries and Definitions To keep the paper self-contained, we include the definitions for garbling schemes from [BHR12,BHKR13] in this section. #### 2.1 Notation Let $\mathbb{N} = \{1, 2, \dots\}$ be the natural numbers, excluding 0. We write [x, y] (with $x < y \in \mathbb{N}$ ) for $\{x, x + 1, \dots, y\}$ and [x] for [1, x]. We use $|\cdot|$ as a shorthand for the cardinality of a set or amount of bits in a string. If S is a set we use $x \in_R S$ to denote that x is a uniformly random sampled element from S. We let poly(·) denote any polynomial of the argument. Regarding variable names we let $k \in \mathbb{N}$ be the security parameter and call a function negl: $\mathbb{N} \to \mathbb{R}^+$ negligible if for a big enough k it holds that $\operatorname{negl}(k) < 1/\operatorname{poly}(k)$ . In general we use $\operatorname{negl}(\cdot)$ to denote any negligible function. We let $L \subset \{0,1\}^*$ be an arbitrary language in NP and $M_L$ be the language verification function, i.e., for all $y \in L$ there exists a string $x \in \{0,1\}^{\text{poly}(|y|)}$ s.t. $M_L(x,y) = \text{accept}$ and for all $y \notin L$ and $x \in \{0,1\}^*$ we have $M_L(x,y) = \text{reject}$ . #### 2.2 Defining Our Garbling Scheme We start by considering a plain description of a Boolean circuit with a single output bit, consisting of Boolean gates having arbitrary fan-in. This can be used to compute a Boolean function. The description is closely related to the ones in [BHR12,JKO13], but generalized to support gates with arbitrary fan-in along with non-oblivious gate evaluation. Let f be a description of such a circuit, taking $n \in \mathbb{N}$ bits as input and consisting of $q \in \mathbb{N}$ internal gates. We let r = n + q be the number of wires in the circuit and specifically define inputWires = [n], Wires = [n+q], outputWire = n+q and Gates = [n+1, n+q], where inputWires represent the set of input wires, outputWire represents the output wire, Gates represents the set of Boolean gates of arbitrary fan-in and Wires the set of all wires in the circuit. Next we let I be a function mapping each element of Gates to an integer describing the fan-in of that gate, i.e., $I: \mathsf{Gates} \to \mathbb{N}$ . We let W be a function mapping an element of Gates, along with an integer i (representing a gate's i'th input wire) to an element in Wires. When calling W on some $g \in \mathsf{Gates}$ we require that the i'th input wire is in [I(g)], otherwise we return $\bot$ . Thus, the signature for the method is $W: \mathsf{Gates} \times \mathbb{N} \to \{\mathsf{Wires} \setminus \mathsf{outputWire}\}^* \cup \{\bot\}$ . We further require that W(g,i) < W(g,i+1) < g for all $g \in \mathsf{Gates}$ and $i \in [I(g)-1]$ in order to avoid circularities in the circuit description. Finally, we let G be a function taking as input an element of Gates along with an array of bits and returning a single bit or $\bot$ . That is, $G : \mathsf{Gates} \times \{0,1\}^* \to \{0,1\} \cup \{\bot\}$ . Specifically G is a description of the functionality of each gate in the circuit along with a short-circuit features such that $\bot$ is returned if the amount of elements in the binary input vector is not equal to the integer returned by I when queried on the same gate index. More formally $G\left(g,\{b_i\}_{i\in[I(g)]}\right)\in\{0,1\}$ for all $g\in\mathsf{Gates},\,b_i\in\{0,1\}$ and $\bot$ otherwise. Sometimes we abuse notation and simply write G(g,b) if $g\in\mathsf{Gates}$ and $b\in\{0,1\}^m$ when I(g)=m. We also say $G(g,\cdot)=\mathsf{NAND}$ or $G(g,\cdot)=\mathsf{XOR}$ if the truth table constructed from G is the truth table of a NAND, respectively, XOR gate. Finally we combine all these functions and variables in f by letting f = (n, q, I, W, G). However, we sometimes abuse notation and view f as a black box Boolean function, i.e., $f : \{0,1\}^n \to \{0,1\}$ . With this plain description of a Boolean circuit in hand we define a *verifiable* projective garbling scheme by a tuple $$\mathcal{G} = (\mathsf{Gb}, \mathsf{En}, \mathsf{De}, \mathsf{Ev}, \mathsf{ev}, \mathsf{Ve})$$ such that: - $\mathsf{Gb}(1^k,f) \to (F,e,d)$ is the garbling function, a randomized algorithm that takes as input a security parameter $1^k$ and a description of a Boolean function $(n,q,I,W,G) \leftarrow f$ under the constraint that $n=\mathrm{poly}(k), \ n \geq k$ and $|f|=\mathrm{poly}(k)$ . The function outputs a triple (F,e,d) representing a garbled circuit (F), input encoding information (e) and output decoding information (d). - $\mathsf{En}(e,x) \to X$ is the encoding function, a deterministic function that uses the input encoding information e to map an input x to a garbled input X. We say a scheme is projective if $e = \left(\left\{X_i^0, X_i^1\right\}_{i \in [n]}\right)$ and the garbled input X is simply $\left\{X_i^{x_i}\right\}_{i \in [n]}$ . In this paper we are only interested in projective schemes and therefore we do not use the En function explicitly. - $\mathsf{Ev}(F,X,x) \to Z$ is the evaluation function, a deterministic functionality that produces an encoded output Z by evaluating a garbled circuit F on an encoded input X. We assume that for fixed F, the evaluation can output at most two values $Z^0$ and $Z^1$ . - $\mathsf{De}(d,Z) \to z$ is the *decoding function*, a deterministic functionality that, using the string d, decodes the encoded output Z into a plaintext bit, z. We are only interested in whether z=1 (e.g., the NP relation accepts in the ZK setting), therefore we let $d=Z^1$ and $\mathsf{De}(d,Z)$ outputs z=1 if $Z\stackrel{?}{=}Z^1$ and z=0 otherwise. - $ev(f, x) \rightarrow b$ is the *plaintext evaluation function*, a deterministic functionality that evaluates the plain function described by f on some input x, i.e., ev(f, x) = f(x). - $\operatorname{Ve}(F, f, e) \to b$ is the *verification function*, a deterministic functionality that on input a garbled circuit F, a description of a Boolean function f and the input encoding information $e = \{X_i^0, X_i^1\}_{i \in [n]}$ outputs 1 if the garbled circuit F computes the functionality f. Otherwise the functionality outputs 0. We now list a number of properties that we require from a garbling scheme and refer to [BHR12, JKO13] for a detailed explanation of these definitions. The following definition says that a correct evaluation of a correct garbling gives the right output. **Definition 1 (Correctness).** Let $\mathcal{G}$ be a verifiable projective garbling scheme described as above. We say that $\mathcal{G}$ enjoys correctness if for all n = poly(k), $f : \{0,1\}^n \to \{0,1\}$ and all $x \in \{0,1\}^n$ s.t. f(x) = 1 the following probability $$\Pr\left(\mathsf{Ev}\left(F,\left\{X_{i}^{x_{i}}\right\}_{i\in[n]},x\right)\neq Z^{1}:\left(F,\left\{X_{i}^{0},X_{i}^{1}\right\}_{i\in[n]},Z^{1}\right)\leftarrow\mathsf{Gb}\left(1^{k},f\right)\right)$$ is negligible in k. The following definition says that from a correct garbling of an input and a function outputting 0 on that input, you cannot find the decoding information for output 1, i.e., $Z^1$ . **Definition 2 (Authenticity).** Let $\mathcal{G}$ be a verifiable projective garbling scheme described as above. We say that $\mathcal{G}$ enjoys authenticity if for all n = poly(k), $f: \{0,1\}^n \to \{0,1\}$ and all inputs $x \in \{0,1\}^n$ s.t. f(x) = 0 and for any probabilistic polynomial time (PPT) $\mathcal{A}$ , the following probability: $$\Pr\left(\mathcal{A}\left(f,x,F,\left\{X_{i}^{x_{i}}\right\}_{i\in[n]}\right)=Z^{1}:\left(F,\left\{X_{i}^{0},X_{i}^{1}\right\}_{i\in[n]},Z^{1}\right)\leftarrow\mathsf{Gb}\left(1^{k},f\right)\right)$$ is negligible in k. The following definition says that there is a unique garbled outputs corresponding to the output value 1, and that this unique value can be efficiently extracted given all the input labels. This holds also for maliciously generated circuits, as long as they pass the verification procedure. This implies that the garbled output value $Z^1$ leaks no information about the original input x except for the fact that f(x) = 1. **Definition 3 (Verifiability).** Let $\mathcal{G}$ be a verifiable projective garbling scheme described as above. We say that $\mathcal{G}$ enjoys verifiability if for all n = poly(k), $f : \{0,1\}^n \to \{0,1\}$ and all $x \in \{0,1\}^n$ with f(x) = 1 and for all PPT $\mathcal{A}$ there exists an expected polynomial time algorithm Ext such that $$\begin{split} & \Pr\left(\operatorname{Ext}\left(F,\left\{X_i^0,X_i^1\right\}_{i\in[n]}\right) = \operatorname{Ev}\left(F,\left\{X_i^{x_i}\right\}_{i\in[n]},x\right)\right) > 1 - \operatorname{negl}(k) \\ & when \ \operatorname{Ve}\left(F,f,\left\{X_i^0,X_i^1\right\}_{i\in[n]}\right) = 1 \ \ and \ \left(F,\left\{X_i^0,X_i^1\right\}_{i\in[n]}\right) \leftarrow \mathcal{A}(1^k,f) \ . \end{split}$$ Finally, combining these definitions we get a definition of a secure verifiable, projective and privacy-free garbling scheme. **Definition 4 (Privacy-free Garbling Scheme).** Let $\mathcal G$ be a verifiable projective garbling scheme described as above. If this scheme enjoys correctness, authenticity and verifiability in accordance with Def. 1, Def. 2 and Def. 3 respectively, then $\mathcal G$ is a secure privacy-free garbling scheme. #### 2.3 Key Derivation Function We are going to use a "compressing" key derivation function KDF: $\{0,1\}^* \to \{0,1\}^k$ mapping an arbitrary binary string to a pseudorandom string of k bits. The applications of the function will be of the form $K = \text{KDF}(K_1, \ldots, K_m; id)$ for some $m \in \mathbb{N}$ , where $K_i \in \{0,1\}^k$ is a wire key and $id \in \{0,1\}^*$ is a unique label or tweak. We need a notion of security where the adversary cannot compute the output of the key derivation function except if he can do so trivially because he knows the entire input. Specifically we let keys be fresh uniformly random values, derived or linear combinations of other keys, and id be publicly known. We require that the adversary cannot guess a key derived from at least one uniformly random key, "uncompromised" derived key or linear combination of keys where at least one is "uncompromised". An uncompromised derived key is one that was derived from at least one uniformly random key, uncompromised derived key or linear combination where at least one key in the combination was uncompromised. We allow the adversary to compromise keys by leaking them and construct new keys through linear combinations or key derivations. Furthermore, we call a (potential) key compromised if the leaked keys allow to determine the key, in which case the adversary can trivially compute it. More precisely: **Definition 5 (Game KDF).** Let A be any PPT adversary and consider the following game: **Initialize:** Let $\mathsf{ID} \leftarrow \emptyset$ be a set of identifiers used by the adversary and let $\mathsf{LEAK} \leftarrow \emptyset$ be the set of identifiers that should be leaked. **Query:** Let A make an arbitrary amount of calls, in any combination, to the following methods: **Fresh key:** If A outputs (fresh key, $id \notin ID$ ), then sample $K_{id} \in_R \{0,1\}^k$ and store $(id, K_{id})$ and let $ID \leftarrow ID \cup \{id\}$ . **Linear:** If $\mathcal{A}$ outputs (linear, $id_0 \notin \mathsf{ID}$ , $id_1, \ldots, id_m$ ) where $id_i \in \mathsf{ID}$ for all $i \in [m]$ , then compute $K_{id_0} \leftarrow \bigoplus_{i=1}^m K_{id_i}$ , store $(id_0, K_{id_0})$ , and let $\mathsf{ID} \leftarrow \mathsf{ID} \cup \{id_0\}$ . **Derive:** If $\mathcal{A}$ outputs $(\textit{derive}, id_0 \notin \mathsf{ID}, id_1, \ldots, id_m)$ where $id_i \in \mathsf{ID}$ for all $i \in [m]$ , then compute $K_{id_0} \leftarrow \mathsf{KDF}(K_{id_1}, \ldots, K_{id_m}; id_0)$ , store $(id_0, K_{id_0})$ and let $\mathsf{ID} \leftarrow \mathsf{ID} \cup \{id_0\}$ . **Leak:** If A outputs (leak, $id \in ID$ ) set LEAK = LEAK $\cup \{id\}$ . **End:** When $\mathcal{A}$ outputs (end) then return the set $\{K_i\}_{i \in \mathsf{LEAK}}$ to $\mathcal{A}$ . **Guess:** When $\mathcal{A}$ outputs (guess, $id^*, K^*$ ) for $id^* \in \mathsf{ID}$ , then the adversary wins if $K^* = K_{id^*}$ and $id^*$ was not compromised, i.e., if $id^* \notin \mathsf{COMP}$ , see below. We define the set COMP of IDs of compromised keys iteratively as follows: Define a linear system LIN over formal variables $X_{id}$ and $c_{id}$ for $id \in ID$ . For each linear query (linear, $id_0, id_1, \ldots, id_m$ ) add the equation $\bigoplus_{i=1}^m X_{id_i} = X_{id_0}$ to LIN. For each leakage command (leak, $id \in ID$ ), add the equation $X_{id} = c_{id}$ to LIN. In the following we call an identifier $id^*$ determined in LIN if the linear system LIN allows to write $X_{id^*}$ as a linear combination of the variables $c_{id}$ for $id \in ID$ . We use $\operatorname{Det}(\mathsf{LIN})$ to denote the set of identifiers that are determined in $\mathsf{LIN}$ . We call $id^*$ derivable in $\mathsf{LIN}$ if there was a command $(\mathsf{derive}, id^*, id_1, \ldots, id_m)$ and $id_i \in \operatorname{Det}(\mathsf{LIN})$ for each $i \in [m]$ . We use $\operatorname{Der}(\mathsf{LIN})$ to denote the set of identifiers that are derivable in $\mathsf{LIN}$ . We define an extension $\mathsf{LIN}' = \operatorname{Ext}(\mathsf{LIN})$ by letting $\mathsf{LIN}'$ be $\mathsf{LIN}$ but with the equation $X_{id^*} = c_{id^*}$ added for each $id^* \in \operatorname{Der}(\mathsf{LIN})$ . Define $\mathsf{LIN}_0 = \mathsf{LIN}$ and $\mathsf{LIN}_{i+1} = \operatorname{Ext}(\mathsf{LIN}_i)$ . There are finitely many variables, so this has a fixed index j such that $\mathsf{LIN}_{j+1} = \operatorname{Ext}(\mathsf{LIN}_j)$ . We let $\mathsf{COMP} = \mathsf{LIN}_j$ . We use $GUESS_{KDF,\mathcal{A}}(1^k)$ to denote the probability that $\mathcal{A}$ wins the game. Using this game we define the notion of a secure key derivation function. **Definition 6 (Secure Key Derivation Function).** We say that a $\mathsf{KDF}(\cdot)$ is secure if the advantage of any PPT adversary $\mathcal A$ playing the $\mathsf{KDF}$ game is negligible in k, i.e. $$GUESS_{\mathsf{KDF},\mathcal{A}}(1^k) \leq \operatorname{negl}(k)$$ for some negligible function $negl(\cdot)$ . It can be proven using standard techniques that a (non-programmable, non-extractable) random oracle is a secure KDF in the above sense. More precisely: **Theorem 1.** If $\mathsf{KDF}(\cdot)$ is modeled by a non-programmable, non- extractable random oracle with k bits output then for any $PPT\mathcal{A}$ it holds that $\mathsf{GUESS}_{\mathsf{KDF},\mathcal{A}}(1^k) \leq \mathsf{negl}(k)$ for some negligible function $\mathsf{negl}(\cdot)$ . The proof appears in the full version [FNO14]. We leave as future work the investigation of which exact computational assumptions are required for implementing our different garbling schemes: while it is clear that the freeXOR and fleXOR variant require strong notion of security (security under related-key attack and a flavor of circular security), it seems that the GRR1 variant could be instantiated using standard security notions. # 3 Our Privacy-Free Garbling Schemes In this section we present our novel garbling schemes. Our schemes support gates with arbitrary fan-in, but as a warm-up we first present the garbling schemes for gates with fan-in 2 using GRR1 or GRR2 with free-XOR. Both allow to garble every Boolean gate with fan-in 2 using only 3 calls to the KDF for non-XOR gates and require no calls to the KDF for XOR gates. Our first scheme has communication complexity of k bits per gate while our second garbling scheme is compatible with "free-XOR", but requires communication complexity of 2k bits for non-XOR gates. Afterwards we present our two schemes for gates with arbitrary fan-in and in Section 4 a scheme that supports the recent fleXOR approach [KMR14]. **Table 3.** Exact performances of our privacy-free garbling scheme. The "Garb." and "Eval." column state the number of calls to a KDF required for garbling and evaluation respectively, as a function of the gate fan-in m. The column "Size" states the number of bits added to the garbled circuit for each gate. We only report the fleXOR variant based on "Safe" wire ordering. | | | Garb. | Eval. | Size | |-----------|-------|-------|-------|--------| | GRR1 | NAND | m+1 | 1 | k(m-1) | | Gitti | XOR | 0 | 0 | k(m-1) | | Free-XOR | NAND | m+1 | 1 | km | | Free-AOIt | XOR | 0 | 0 | 0 | | FleXOR | NAND | m+1 | 1 | k(m-1) | | FICACIT | t-XOR | 0 | 0 | kt | #### 3.1 Warm-Up To simplify notation and give the intuition of our scheme we here only describe how to garble/evaluate a single NAND or XOR gate. We call the input keys to the left wire of a gate $L^0, L^1$ , the input keys to the right wire $R^0, R^1$ and the output keys $O^0, O^1$ . All these values are elements of $\{0, 1\}^k$ . Again we point out that in contrast with general garbled circuits, in our case if the circuit evaluator has two keys $L^a$ , $R^b$ , he knows the corresponding bits a, b. First consider a NAND gate with GRR1: Garbling a GRR1 NAND Gate: Let $O^0 = \mathsf{KDF}\left(L^1, R^1\right)$ and $O^1 = \mathsf{KDF}\left(L^0\right)$ . Compute $C = \mathsf{KDF}\left(R^0\right) \oplus O^1$ and output C. Evaluating a GRR1 NAND Gate: To evaluate on input $L^a$ , $R^b$ , if a = b = 1 then output $O^0 = \mathsf{KDF}\left(L^1, R^1\right)$ otherwise, if a = 0 compute $O^1 = \mathsf{KDF}\left(L^0\right)$ . Otherwise, if b = 0 compute $O^1 = C \oplus \mathsf{KDF}\left(R^0\right)$ . It should be clear that the scheme is correct. The intuition of authenticity is that if the evaluator only knows one input key for each wire, he can only learn one output key unless he can guess the output of KDF on an input he does not know. Next consider a XOR gate: **Garbling a GRR1 XOR Gate:** Let $O^0 = L^0 \oplus R^0$ along with $O^1 = L^0 \oplus R^1$ . Finally output $C = L^0 \oplus L^1 \oplus R^0 \oplus R^1$ . Evaluating a GRR1 XOR Gate: On input $L^a, R^b$ if a = 0 then output $O^{a \oplus b} = L^a \oplus R^b$ . Otherwise compute and return $O^{a \oplus b} = C \oplus L^a \oplus R^b$ . Again, it should be clear that the scheme is correct. The authenticity intuitively follows from the fact that the evaluator can only learn the XOR of two unknown keys which will not help decrypting the next gate. Now consider how to achieve the same, while allowing support for free-XOR gates (and in turn GRR2). In this scheme there is a global difference $\Delta$ s.t., for all wires w in a garbled circuit, the key pair $X_w^0, X_w^1$ satisfies $X_w^0 \oplus X_w^1 = \Delta$ . **Garbling a GRR2 NAND Gate:** Let $O^0 = \mathsf{KDF}\left(L^1, R^1\right)$ . This defines $O^1 = O^0 \oplus \Delta$ as well. Let $C_L = \mathsf{KDF}\left(L^0\right) \oplus O^1$ and $C_R = \mathsf{KDF}\left(R^0\right) \oplus O^1$ . Finally output $\{C_L, C_R\}$ . **Evaluating a GRR2 NAND Gate:** To evaluate on input $L^a$ , $R^b$ , if a = b = 1 then output $O^0 = \mathsf{KDF}\left(L^1, R^1\right)$ otherwise, if a = 0 output $O^1 = \mathsf{KDF}\left(L^0\right) \oplus C_L$ otherwise output $O^1 = \mathsf{KDF}(R^0) \oplus C_R$ . Next consider a XOR gate: **Garbling a free-XOR Gate:** Let $O^0 = L^0 \oplus R^0$ . This defines $O^1 = O^0 \oplus \Delta$ as well. Output nothing. Evaluating a free-XOR Gate: On input $L^a, R^b$ , output $O^{a \oplus b} = L^a \oplus R^b$ . Again correctness should be clear and authenticity for NAND gates follow from the same argument as for GRR1 NAND gates, whereas authenticity follows from the security of free-XOR, i.e. that it is hard to learn $\Delta$ , unless one is given both keys on some wire. #### 3.2 Generalization Intuition We now consider how our approaches generalizes to gates with arbitrary fan-in. NAND gates. Consider a NAND gate with fan-in m, call this gate g. Recall that for this gate the output bit $b_g = 0$ should occur exactly if all the input bits are equal to $1, b_1 = b_2 = \ldots = b_m = 1$ . This means that we can define the output key representing bit 0 directly from these: If we denote the key on input wire i by $X_i^{b_i}$ , then the output 0-key is computed as $$X_a^0 = \mathsf{KDF}\left(X_1^1, X_2^1, \dots, X_m^1\right) \ .$$ Now, if we are not using a free-XOR scheme we define the 1-output key to be $X_g^1 = \mathsf{KDF}\left(X_1^0\right)$ . Then the entries in the garbled computation table is as follows: $$\left\{C_i = X_g^1 \oplus \mathsf{KDF}\left(X_i^0\right)\right\}_{i=2}^m \ .$$ When we are using a free-XOR scheme we have another entry in the garbled computation table since the output key $X_g^1$ needs to meet the constraint $X_g^1 = X_g^0 \oplus \Delta$ and thus we cannot define it to simply be KDF $(X_1^0)$ . However, similarly to the scheme above that does not use free-XOR we use the KDF applied to the first input key (which we have not used to hide anything in the scheme above) to hide $X_g^1$ . We let the rest of the table remain as before and thus the whole garbled computation table is computed as follows: $$\left\{C_i = X_g^1 \oplus \mathsf{KDF}\left(X_i^0\right)\right\}_{i=1}^m \ .$$ We describe the evaluation: Call the input keys $X_1^{b'_1}, X_2^{b'_2}, \dots, X_m^{b'_m}$ . If $b'_i = 1$ for all $i \in [m]$ then the output is $X_g^0 = \mathsf{KDF}\left(X_1^1, X_2^1, \dots, X_m^1\right)$ . Otherwise find the first value of i for which $b'_i \neq 1$ and output $X_g^1 = C_i \oplus \mathsf{KDF}\left(X_i^0\right)$ , except if i = 1 and we do not use a free-XOR garbling scheme, in which case the output is $X_g^1 = \mathsf{KDF}\left(X_1^0\right)$ . XOR gates. To garble XOR gates (when we are not using the free-XOR method), we define the output 0-key from information based on all the input 0-keys. Specifically as $$X_g^0 = X_1^0 \oplus X_2^0 \oplus \cdots \oplus X_m^0 = \bigoplus_{i=1}^m X_i^0$$ . In a similar manner we define the output 1-key from information based on the first input 1-key and all the other input 0-keys, that is $$X_g^1 = X_1^1 \oplus X_2^0 \oplus \cdots \oplus X_{m-1}^0 \oplus X_m^0 = X_1^1 \oplus \left(\bigoplus_{i=2}^m X_i^0\right).$$ Let $b_i$ , for all $i \in [m]$ be the input bits at evaluation time and $b_g = b_1 \oplus \ldots \oplus b_m$ be the output of that gate. It might be the case that $b_1 \neq 1$ or that there are other j s.t., $b_j = 1$ . So we let the garbled computation table consist of information which makes it possible for the evaluator to compute the right output key in any such situation. Specifically we define the table as the following set: $$\left\{C_i = X_i^0 \oplus X_i^1 \oplus X_1^0 \oplus X_1^1\right\}_{i=2}^m$$ . It is clear that, for any $j \neq 1$ $$\left(\bigoplus_{i\in[m]} X_i^{b_i}\right) \oplus C_j = X_1^{b_1\oplus 1} \oplus X_j^{b_j\oplus 1} \bigoplus_{j\neq i>2} X_i^{b_i}$$ Thus by XORing all the $C_i$ 's for which $b_i = 1$ we obtain $$\left(\bigoplus_{i\in[m]}X_i^{b_i}\right)\oplus\left(\bigoplus_{i:b_i=1}C_i\right)=X_1^{b_1\oplus\ldots\oplus b_m}\oplus\left(\bigoplus_{i:b_i=0}X_i^0\right)\oplus\left(\bigoplus_{i:b_i=1}X_i^{1\oplus 1}\right)=X_g^{b_g}$$ Other gates. It is easy to see that our garbling scheme can be applied also to few other kind of gates such as AND, (N)OR, XNOR etc., also in the case of high fan-in (by using a different partitioning of the inputs and relabeling the outputs) but it cannot be used in for generic, "unstructured" gates of high fan-in. Using high fan-in gates. Note that our garbling scheme is favorable for gates with high fan-in, since the complexity shown in Table 3 (both in terms of communication and computational complexity) only grows linearly with the gate fan-in, while a straightforward use of standard garbled circuit leads in a exponential blow-up in the gate fan-in. Even when comparing the garbling of a gate with fan-in m to a circuit implementing the same functionality (e.g., a tree of fan-in 2 NANDs to implement a NAND with fan-in m) our scheme is still favorable. Depending on the garbling scheme we can save a factor 2-3 in terms of computation for the garbler and also save in communication. In addition, the evaluator has an overhead of $\log(m)$ when evaluating the circuit (versus a single call to the KDF in our case). #### 3.3 Formal Specification We describe our gate garbling schemes in the same notation as [BHR12], but with some changes in order to reflect that we only require privacy, only assume one bit output and that we support gates of arbitrary fan-in. The specification of the garbling scheme is given in Fig. 1 and the realizations for individual gate garbling is given in Fig. 2 and Fig. 3, depending on whether or not one uses free-XOR or GRR1. To enhance understanding we describe each step of these procedures. The Garbling Scheme. The first method, Gb, constructs a garbled circuit, F, along with information, e, to encode a binary string as garbled input to this garbled circuit and information, d, to check if the output of an evaluation of the garbled circuit has the semantic value 1. The method takes as input a security parameter $1^k$ and a description of the Boolean function to be computed, f. The format of the function description should be in accordance with the description given in Section 2.2, and thus can be viewed directly as a Boolean circuit. In step 1 the algorithm chooses two keys for each of the n input bits to f, in accordance with the specific type of garbling scheme used. These are the 0-, respectively, 1-input keys. Step 2 involves iteratively constructing each of the qgarbled gates of the circuit, along with the two output keys needed for each of these gates. It is done by first using I to decide the fan-in of a given gate, then using G to find the specific functionality of the given gate. Finally the input keys for that gate (which have already been constructed) are loaded using W and all the information is passed to the gate garbling method Garb. In step 3 the garbled circuit, F, is set to include all the information of f along with the garbled computation table returned by Garb in the previous step for all the gates in the circuit. These tables are called P. Furthermore, the encoding information e is set to be the two keys for each input wire and the decoding information d is set to be the output 1-key of the final gate in the circuit. In the last step, the garbled circuit F, the input encoding information, e, and decoding information, d, is returned. The second method, En, constructs an ordered set of input keys to a garbled circuit, X. It takes as input the encoding information e (along with a binary string x of length n) representing the input to the garbled circuit. In the first step the method parses e as n ordered pairs of keys. In step 2 the functionality returns an ordered subset of the keys. In particular if the i'th bit of x is 0 then the i'th element in the ordered set is the i'th 0-key, otherwise it is the i'th 1-key. The third method, De, evaluates whether some value, Z, is equal to the output 1-key of a garbled circuit, d. It takes as input the decoding information of a garbled circuit, d, along with a potential output key, Z. The method only has one step which checks if d=Z and returns 1 if that is true, otherwise it returns 0. The fourth method, Ev, evaluates a garbled circuit, F, and returns the output key of the final gate as a result of this evaluation, Z. It takes as input a garbled circuit F, and an ordered set of input keys, X, along with a binary vector x ``` \mathsf{Gb}\left(1^k,f\right) \to (F,e,d) \widehat{1}. \ \widetilde{\operatorname{Set}} \ (n,q,I,W,G) \leftarrow f \ \text{and} \ \left\{X_i^0,X_i^1\right\}_{i\in[n]} \leftarrow \operatorname{InKeys}(n,k). 2. For each g \in [n+1, n+q] set m = I(g) and define G' : \{0,1\}^m \to \{0,1\} s.t. G'(i) = G(g,i) for all i \in \{0,1\}^m and set \{(X_g^0, X_g^1), P[g]\} \begin{split} & \mathsf{Garb}\left(g,G',\left\{X_{W(g,i)}^{0},X_{W(g,i)}^{1}\right\}_{i\in[m]}\right).\\ 3. \ \ & \mathsf{Set}\ F\leftarrow(n,q,I,W,G,P),\ e\leftarrow\left\{X_{i}^{0},X_{i}^{1}\right\}_{i\in[n]} \ \ \mathsf{and} \ \ d\leftarrow X_{n+q}^{1}. \end{split} 4. Finally return (F, e, d). \mathsf{En}(e,x) \to X 1. Set \left\{X_i^0, X_i^1\right\}_{i \in [n]} \leftarrow e. 2. Then set X \leftarrow \left\{X_i^{x_i}\right\}_{i \in [n]} and return X. De(d, Z) \rightarrow b 1. If d = Z then output 1 otherwise output 0. \mathsf{Ev}(F,X,x) \to Z 1. Set (n,q,I,W,G,P) \leftarrow F and for all i \in [n] set w_i = x_i and define Q = \{w_i\}_{i\in[n]}. 2. For each g \in [n+1, n+q] let m = I(g) and add w_g = G\left(g, \left\{w_{W(g,i)}\right\}_{i \in [m]}\right) to the set Q. 3. Now for each g \in [n+1, n+q] let m = I(g) and define G' : \{0, 1\}^m \to \{0, 1\} s.t. G'(i) = G(g, i) and w' \in \{0, 1\}^m s.t. w'_i = w_{W(g, i)} for all i \in [m] and set X_g \leftarrow \text{Eval}\left(g, G', w', \left\{X_{W(g,i)}\right\}_{i \in [m]}, P[g]\right). 4. Return X_{n+q}. ev(f, x) \rightarrow b 1. Set (n,q,I,W,G) \leftarrow f and for all i \in [n] set w_i = x_i and define Q \leftarrow 2. For each g \in [n+1,n+q] let m = I(g) and add w_g = G\left(g,\left\{w_{W(g,i)}\right\}_{i \in [m]}\right) to the set Q. 3. Finally return w_{n+q}. Ve(F, f, e) \rightarrow b 1. Set (n,q,I,W,G,P) \leftarrow F, (n',q',I',W',G') \leftarrow f and \{X_i^0,X_i^1\}_{i\in[n]} \leftarrow e. 2. If n \neq n', q \neq q', I \neq I', W \neq W' or G \neq G' output 0. 3. For each g \in [n+1, n+q] let m = I(g) and define G' : \{0, 1\}^m \to \{0, 1\} s.t. G'(i) = G(g, i) for all i \in \{0, 1\}^m and set \{(X_g^0, X_g^1), \bar{P}[g]\} \leftarrow \operatorname{Garb}\Big(g,G',\left\{X_{W(g,i)}^{0},X_{W(g,i)}^{1}\right\}_{i\in[m]}\Big). 4. If for any g \in [n+1, n+q] we have \overline{P}[g] \neq P[q] output 0, otherwise output ``` Fig. 1. Privacy-free Garbling 1. where the *i*'th bit represents the semantic value of the *i*'th input key. In step 1 the method parses the information stored in the garbled circuit F and defines an ordered set of bits, Q, which represents the bits on each each wire in the garbled circuit. Initially this set only includes the bits of the input wires. Step 2 iteratively evaluates the garbled circuit one gate at a time. It first finds the fan-in of a given gate using I and then evaluates the gate in plain using the set Q along with the gate description G. After evaluating the gate in plain it updates Q to contain the output bit of the given gate. Thus at the end Q contains the expected bit on each wire given the garbled circuit F and the binary input x. In step 3 the method proceeds to evaluate each garbled gate iteratively. Again it uses I to learn the fan-in for a given gate, it uses G to decode the specific functionality of the gate and the elements of Q to find the semantic meaning of the keys supposed to be input to the garbled gate. Using this information, along with the garbled computation table of the gate, P, it calls Eval to evaluate the garbled gate and stores the output key which the method returns. Finally in step 4 it returns the output key of the final gate in the garbled circuit. The fifth method, ev, evaluates the Boolean functionality f in plain using a binary input vector x. It returns a bit being the value f(x). In Step 1 it parses the functionality f and constructs a set Q which represents the bit on each wire in the circuit. Initially this set only contains the bits on the input wires, exactly as specified by x. In step 2 it iteratively evaluates each gate of the functionality. It does so by first learning the fan-in of the give gate using I and then using G with the given gate index and bits already stored in G. It updates the set G with the result. Finally it returns the result of evaluating the final gate in the circuit. The sixth and last method, Ve, checks whether a garbled circuit, F, evaluates the same as some plain circuit, f, given both pairs of input keys for all wires of the garbled circuit, e. The method returns either 1 (for accept) or 0 (for reject). It takes as input a garbled circuit F, a plain description of the circuit functionality f along with the ordered set of input keys, e. In the first step it parses the garbled circuit F and the plain function description f. Step 2 is a sanity check which verifies that the "meta" data of F and f is the same, i.e., same amount of input bits, n, the same amount of gates q, each with the same fan-in I, using the same wires, W, and computing the same functionality, G. If any of these checks fail the method outputs reject. Then step 3 iteratively constructs a new garbled circuit using Garb in the same manner as in Gb, based on the information in f. Finally in step 4 the method checks equality of each garbled computation table given in F with each of the tables generated in the previous step. If any are not equal then the method outputs reject, otherwise it outputs accept. Gate Garbling. All of our garbling schemes have two methods: Garb and Eval. The first constructs a garbled gate, $\tilde{g}$ , and two keys, $(X_g^0, X_g^1)$ . It takes as input a nonce, g (gate ID), a function mapping a binary vector to a bit, G', along with a pair of input keys for each input wire to the gate. The second method reconstructs a single output key. It takes as input a nonce, g (gate ID), a function mapping a binary vector to a bit, G', a binary vector describing the bits on the input wires to the gate, w', an ordered set of input keys $\{X_i\}_{i\in[m]}$ along with an ordered set which is the garbled computation table $\tilde{g}$ . Two concrete schemes are shown in Fig. 2 and Fig. 3. Note that, as it is described, the running time of Eval depends on the particular input used. To prevent leakage of the input based on timing attacks, any implementation of Eval would need to take appropriate countermeasures, and ensure that the running time does not depend on the input used. ``` \mathsf{InKeys}(n,k) o \left\{X_i^0, X_i^1\right\}_{i \in [n]} ``` 1. For each $i \in [n]$ sample uniformly random $X_i^0, X_i^1 \in_R \{0,1\}^k$ and return the set $$\left\{X_i^0, X_i^1\right\}_{i \in [n]}$$ . $$\operatorname{Garb}\left(g, G', \left\{\left(X_i^0, X_i^1\right)\right\}_{i \in [m]}\right) \to \left\{\left(X_g^0, X_g^1\right), \tilde{g}\right\}$$ - 1. If $G'(\cdot) = NAND$ - do as follows: - $= \mathsf{KDF}\left(X_1^1, X_2^1, \dots, X_m^1; (\mathtt{key}, g, 0)\right) \quad \text{and} \quad X_a^1$ (a) Let $X_a^0$ $\mathsf{KDF}\left(X_1^{0}; (\mathtt{key}, g, 1)\right).$ - (b) Next let $C_i = X_g^{1/2} \oplus \mathsf{KDF}\left(X_i^0; (\mathsf{inte}, g, i)\right)$ for all $i \in [2, m]$ and set $\tilde{g} = \{C_i\}_{i=2}^m.$ (c) Return $\{(X_g^0, X_g^1), \tilde{g}\}.$ - 2. If instead $G'(\cdot) = XOR$ do as follows: - (a) Let $X_g^0 = \bigoplus_{i=1}^m X_i^0$ and $X_g^1 = X_1^1 \oplus (\bigoplus_{i=2}^m X_i^0)$ . (b) Next let $C_i = X_1^0 \oplus X_1^1 \oplus X_i^0 \oplus X_i^1$ for all $i \in [2, m]$ and set $\tilde{g} = \{C_i\}_{i=2}^m$ . - (c) Return $\{(X_q^0, X_q^1), \tilde{g}\}.$ Eval $$\left(g, G', w', \{X_i\}_{i \in [m]}, \tilde{g}\right) \to \{X_g\}$$ - 1. If $G'(\cdot) = \text{NAND do as follows:}$ - (a) If $w' = 1^m$ then set $X_g = \mathsf{KDF}(X_1, X_2, \dots, X_m; (\texttt{key}, g, 0))$ . If instead $w_1' = 0$ then set $X_g = \mathsf{KDF}(X_1; (\mathsf{key}, g, 1))$ . Otherwise find the first $i \in [2,m]$ s.t. $w'_i = 0$ , parse $\{C_i\}_{i=2}^m \leftarrow \tilde{g}$ and set $X_g =$ $C_i \oplus \mathsf{KDF}(X_i; (\mathtt{inte}, g, i)).$ - (b) Return $X_g$ . - 2. If instead $G'(\cdot) = XOR$ do as follows: - (a) Parse $\{C_i\}_{i=2}^m \leftarrow \tilde{g}$ . - (b) Let S be the set of $i \in \{2, m\}$ for which it is true that $w'_i = 1$ . - (c) Return $X_g = \bigoplus_{i \in [m]} X_i \oplus \bigoplus_{i \in S} C_i$ . Fig. 2. Garbling GRR1 - Without free-XOR #### 3.4 Security The scheme presented in Fig. 1 composed with Fig. 2 and Fig. 3 respectively are clearly correct. In fact, any correctly generated scheme evaluates to the correct output key with probability 1. From this it also follows that the schemes have verifiability, as we verify by regenerating each garbled gate, and hence a verified garbled gate is correctly generated. This takes care of the demands of correctness (Def. 1) and verifiability (Def. 3) of a secure privacy-free garbling scheme, as defined in Def. 4. What remains is authenticity (Def. 2): In the following we reduce this to the security of the KDF used. **Theorem 2.** If the KDF used in the garbling scheme of Fig. 1 composed with Fig. 2 is secure according to Def. 6, then the composed scheme enjoys authenticity according to Def. 2. *Proof.* For notational convenience we are going to focus on the case with fan-in 2. The proof idea generalizes immediately. $$\mathsf{InKeys}(n,k) o \left\{X_i^0, X_i^1\right\}_{i \in [n]}$$ - 1. Sample a uniformly random difference $\Delta \in \{0,1\}^k$ . - 2. Then for each $i \in [n]$ sample uniformly random $X_i^0 \in \mathbb{R} \{0,1\}^k$ and return the set $\{X_i^0, X_i^0 \oplus \Delta\}_{i \in [n]}$ . $$\mathsf{Garb}\left(g,G',\left\{\left(X_i^0,X_i^1\right)\right\}_{i\in[m]}\right) \to \left\{\left(X_g^0,X_g^1\right),\tilde{g}\right\}$$ - 1. Set $\Delta = X_1^0 \oplus X_1^1$ . - 2. If $G'(\cdot) = \text{NAND do as follows:}$ - (a) Let $X_g^0 = \mathsf{KDF}\left(X_1^1, X_2^1, \dots, X_m^1; (\mathsf{key}, g, 0)\right)$ and $X_g^1 = X_g^0 \oplus \Delta$ . (b) Next let $C_i = X_g^1 \oplus \mathsf{KDF}\left(X_i^0; (\mathsf{inte}, g, i)\right)$ for all $i \in [m]$ and set $\tilde{g} = \{C_i\}_{i=1}^m.$ - (c) Return $\{(X_g^0, X_g^1), \tilde{g}\}.$ - 3. If instead $G'(\cdot)=\mathrm{XOR}$ set $X_g^0=\bigoplus_{i=1}^m X_i^0,\ X_g^1=X_g^0\oplus \Delta$ and return $\{(X_g^0, X_g^1), \bot\}.$ Eval $(g, G', w', \{X_i\}_{i \in [m]}, \tilde{g}) \rightarrow \{X_g\}$ - 1. If $G'(\cdot) = NAND$ do as follows: If $w' = 1^m$ then set $X_g = 1^m$ $\mathsf{KDF}(X_1, X_2, \dots, X_m; (\mathtt{key}, g, 0))$ . Otherwise find the first $i \in [m]$ s.t. $w_i' = 0$ , parse $\{C_i\}_{i=1}^m \leftarrow \tilde{g}$ and compute and return $X_g = C_i \oplus C_i$ $KDF(X_i; (inte, g, i)).$ - 2. If instead $G'(\cdot) = XOR$ return $X_g = \bigoplus_{i=1}^m X_i$ . Fig. 3. Garbling GRR2 - With free-XOR A NAND gate with input keys $L^0, L^1$ for the left wire and $R^0, R^1$ for the right wire and gate identifier q is garbled as follows: $$O^1 \leftarrow \mathsf{KDF}(L^0; (\texttt{key}, g, 1))$$ , (1) $$O^0 \leftarrow \mathsf{KDF}(L^1, R^1; (\mathsf{key}, g, 0)) , \qquad (2)$$ $$A \leftarrow \mathsf{KDF}(R^0; (\mathtt{inte}, g)) \;, \tag{3}$$ $$C \leftarrow A \oplus O^1(\text{with label }(\text{garb}, g))$$ . (4) The output keys are $(O^0, O^1)$ . The garbled gate is just C. An XOR gate with input keys $L^0$ , $L^1$ for the left wire and $R^0$ , $R^1$ for the right wire and gate identifier q is garbled as follows: $$O^0 \leftarrow L^0 \oplus R^0 \text{ (with label (key, } g, 0))},$$ (5) $$O^1 \leftarrow L^0 \oplus R^1 \text{ (with label (key}, g, 1))},$$ (6) $$C \leftarrow L^0 \oplus L^1 \oplus R^0 \oplus R^1 \text{ (with label (garb, g))}$$ . (7) The output keys are $(O^0, O^1)$ . The garbled gate is just C. Besides this, the circuit garbling just consist of reusing the appropriate output keys as input keys to later gates. A garbled circuit F consists of, amongst other, a garbled gate for each of the q internal wires, $P = (C_{n+1}, \ldots, C_{n+q})$ , in an order in which they can be evaluated. For each garbled gate $C_i$ , let $L_i^0$ and $L_i^1$ be the corresponding keys on the left input wire, let $R_i^0$ and $R_i^1$ be the corresponding keys on the right input wire, and let $O_i^0$ and $O_i^1$ be the output keys. We can assume without loss of generality that the last gate is the output gate. For a garbled input $X = \{(X_i^0, X_i^1)\}_{i=1}^n$ and a plaintext input $x \in \{0, 1\}^n$ , let $X^x = \{X_i^{x_i}\}_{i \in [n]}$ be the garbled version of x. For $i = n+1, \ldots, n+q$ , let $w_i$ be the bit we get by computing plaintext gate number i on the bits for its input wires, that is $w_i = G(i, \{W(i, 1), W(i, 2)\})$ in accordance with Fig. 1. This defines a plaintext evaluation $w = (w_1, \ldots, w_n, w_{n+1}, \ldots, w_{n+q})$ . For $i = n+1, \ldots, n+q$ , let $K_i = O_i^{w_i}$ . This defines a garbled evaluation $K^x = (K_1, \ldots, K_n, K_{n+1}, \ldots, K_{n+q})$ . The scheme is constructed such that from a correct garbled circuit F and $X^x$ one can efficiently compute $K^x$ , which in particular allows one to compute $K_{n+q} = O_{n+q}^{f(x)}$ . We have to prove that from a randomly generated P and $X^x$ one cannot also efficiently compute $O_{n+q}^{1-f(x)}$ . For this, it is sufficient to prove that one cannot efficiently compute $(i, O_i^{1-w_i})$ for any $i \in [n+q]$ with non-negligible probability. We do the proof by a simple reduction to the game KDF in Def. 5. It is easy to see that the garbling and the keys learned by the evaluator in the scheme can be computed by queries to the game KDF in such a way that all the keys $O_i^{1-w_i}$ are uncompromised. In more detail, the reduction runs as follows: Input keys: For each $i \in [n]$ and $b \in \{0,1\}$ , output (fresh key, (key, i, b)) to define a fresh random key $X_i^b \in_R \{0,1\}^k$ . Then for each $i \in [n]$ , output (leak, (key, i, $x_i$ )) to add $X_i^{x_i}$ to the set of values to leak. Let $X^x = \{X_i^{x_i}\}_{i=1}^n$ . Now for each input wire, both keys are defined in the game KDF. Internal gates: Iteratively go through all the gates. Specifically for each $i \in [n+1,q]$ we do as follows, depending on whether or not gate i is a NAND or XOR gate: **NAND gate:** Call the plaintext value on the left input wire $l_i = w_{W(i,1)}$ , call the plaintext value on the right input wire $r_i = w_{W(i,2)}$ , and call the plaintext value on the output wire $w_i$ . Call the keys on these wires $\left(L_i^0,L_i^1\right), \ \left(R_i^0,R_i^1\right)$ and $\left(O_i^0,O_i^1\right)$ respectively. Thus $\left(L_i^0,L_i^1\right)$ $\left(X_{W(i,1)}^{0}, X_{W(i,1)}^{1}\right), \left(R_{i}^{0}, R_{i}^{1}\right) = \left(X_{W(i,2)}^{0}, X_{W(i,2)}^{1}\right) \text{ and } \left(O_{i}^{0}, O_{i}^{1}\right)$ $(X_i^0, X_i^1)$ . The first four of these keys are defined in the game KDF and we are given $L_i^{l_i}$ and $R_i^{r_i}$ before our guess. We should define $(O_i^0, O_i^1)$ in the game and make sure we learn $O_i^{w_i}$ before our guess. We use derive- $= \mathsf{KDF}\left(L_i^0; (\mathtt{key}, i, 1)\right), O_i^0$ commands todefine $O_i^1$ $\mathsf{KDF}\left(L_i^1, R_i^1; (\mathsf{key}, i, 0)\right)$ , and $A_i = \mathsf{KDF}\left(R_i^0; (\mathsf{inte}, i)\right)$ . Then we use a linear-command to define $C_i = A_i \oplus O_i^1$ (with label (garb, i)). Then we add $C_i$ to the set of values to leak by outputting (leak, (garb, i)). This is a correct garbling, so when we are later given $L_i^{l_i}$ and $R_i^{r_i}$ , we can use them to compute $O_i^{w_i}$ by computing the garbled gate on $(L_i^{l_i}, R_i^{r_i})$ . **XOR gate:** We proceed as for NAND gates, except for the specific commands issued: We use linear-commands to define $O_i^0 = L_i^0 \oplus R_i^0$ (under identifier (key, i, 0)), $O_i^1 = L_i^1 \oplus R_i^0$ (under identifier (key, i, 1)) and $C_i = L_i^0 \oplus L_i^1 \oplus R_i^0 \oplus R_i^1$ (under identifier (garb, i)). Then we add $C_i$ to the set of values to leak by outputting (leak, (garb, i)). This is a correct garbling, so we later use it to compute $O_i^{w_i}$ by computing the garbled gate on $(L_i^{l_i}, R_i^{r_i})$ . End: After having handled all the gates, we issue the end-command and learn the input keys $K_i = X_i^{x_i}$ for $i \in [n]$ , along with the garbled gates $C_i$ for $i \in [n+1;n+q]$ . Using these we can evaluate the garbled circuit and thus learn the value $K_i = O_i^{w_i}$ for all $i \in [n+1;q]$ . We then give $K^x = \{K_i, \ldots, K_{n+q}\}$ to the adversary. **Guess:** If the adversary outputs $(i, O_i^{1-w_i})$ for any $i \in [n+q]$ , then we output $(guess, (key, i, 1-w_i), O_i^{1-w_i})$ . It is clear that we win the guessing game exactly when $(\mathbf{key}, i, 1 - w_i)$ is uncompromised and $O_i^{1-w_i}$ is the correct "other" key for wire i supplied by the adversary – we call $O_i^{w_i}$ the known key and we call $O_i^{1-w_i}$ the other key. We call a key $O_i^b$ compromised if the label $(\mathbf{key}, i, b)$ is compromised as defined by the KDF game. We call gate $C_i$ compromised if the other key $O_i^{1-w_i}$ is compromised as defined by the KDF game. It is sufficient to prove that $(\ker j, i, 1 - w_i)$ is uncompromised for all i. It is clear that whether $(\ker j, i, 1 - w_i)$ is uncompromised does not depend on the strategy of the adversary, only the structure of the circuit, the nature of our garbling scheme and the input x. Hence, if for a fixed circuit and fixed input x some $(\ker j, i, 1 - w_i)$ is sometimes compromised, then it is always compromised. Hence, if any $(\ker j, i, 1 - w_i)$ can be compromised, then there exists a first gate j such that before executing the commands corresponding to gate j, no identifier $(\ker j, i, 1 - w_i)$ was compromised, and after executing the commands corresponding to gate j, some identifier $(\ker j, i, 1 - w_i)$ is compromised, where $i \leq j$ . Consider this gate $C_j$ . Furthermore, among the commands executed for gate j there is a first command that leads to a compromise of a gate. We call this command patient zero. We first show that patient zero is not a key derivation command. Then we show that it is not a linear command followed by a leak command. And then we are done. Assume first that patient zero is a key derivation command. We use several times that a key derivation command, when it is the last command to have been executed, cannot compromise any other key than its output key. When patient zero is a key derivation command, then gate j must be a NAND gate, as there are no key derivation commands in XOR gates. Recall that we issue the key derivation commands (1), (2) and (3), as part of a NAND gate, and then we leak $C_j$ . Assume that $l_j = 0$ . In that case $O_j^1 = \mathsf{KDF}\left(L_j^0; (\mathsf{key}, j, 1)\right)$ is a known key and hence cannot be a compromised other key. We can also assume that $L_j^1$ is uncompromised (as it is an other key and we are at patient zero), and hence the other output key $O_j^0 = \mathsf{KDF}\left(L_j^1, R_j^1; (\mathsf{key}, j, 0)\right)$ will clearly be uncompromised after executing the command. Assume then that $r_j = 0$ . In that case the other output key is again $O_j^0 = \mathsf{KDF}\left(L_j^1, R_j^1; (\mathsf{key}, j, 0)\right)$ , and now $R_j^1$ is uncompromised. The command $A_j = \mathsf{KDF}\left(R_j^0; (\mathsf{inte}, j)\right)$ can therefore never be the patient zero compromising an output key, as $A_j$ is not an output key. Before we prove that patient zero cannot be a linear command we change the system that we analyze by replacing the processing of all NAND gates by the following commands: First we execute (fresh key, (key, j, 0)), (fresh key, (key, j, 1)) and (fresh key, (inte, j)) to define the values $O_j^0, O_j^1$ and $A_j$ respectively. Then we compute $C_j = A_j \oplus O_i^1$ , and leak $C_j$ by issuing the commands (linear, (garb, j), (inte, j), (key, j, 0)) and (leak, (garb, j)) in that order. In addition we leak $O_i^{w_j}$ . If $r_j = 0$ such that $R_i^0$ is a known key, then we also leak $A_i$ . So, we essentially skip all key derivation commands and simulate their effect on the system by leaking the produced known keys. Since we could compute $O_i^{w_j}$ before the change, it was compromised before the change. It is also compromised after the change, as we now leak it. Similarly for $A_i$ . Hence, the set of compromised identifiers is the same before and after the introduced changes, at least right after the gate has been handled. As a consequence, we have not changed whether or not some other key later gets compromised.<sup>3</sup> Furthermore, notice that since we have already showed that patient zero could not be a key derivation command this change does not affect the adversary's advantage. We therefore just have to prove that in the modified system, no other key gets compromised. Since there are no key derivation commands left, this is simple linear algebra. Assume that patient zero is $C_j = A_j \oplus O_j^1$ . Since $A_j$ is a fresh key and only occurs in this equation, if $A_j$ is uncompromised, adding this equation cannot change whether an output key is compromised or not. Hence it must be the case that $A_i$ is compromised. Since $A_i$ is fresh and occurs in no other equation, this can only have happened because we leaked it earlier. Hence $R_i^0$ is a known key. So, $l_j = 0$ and hence $w_j = 1$ . Therefore $O_j^1$ is a known key and hence already compromised. Hence $C_j = A_j \oplus O_i^1$ will compromise $A_j$ , but since $A_i$ occurs in no other equation, this does not further change the status of any variable. We can therefore assume in the following that we process all NAND gates, with index i, as follows: Call (fresh key, (key, i, 0)), (fresh key, (key, i, 1)) and (leak, (key, i, $w_i$ )) to first define the key $O_i^0$ , $O_i^1$ and then leak $O_i^{w_i}$ . This does not change whether or not there will be a patient zero. We can even make further changes. We once and for all create a global key $\Delta$ through the call (fresh key, delta). Then we execute each NAND gate as follows: Call (fresh key, (key, i, 0)), (linear, (key, i, 1), (key, i, 0), delta) and $(\mathtt{leak}, (\mathtt{key}, i, w_i))$ to define the key $O_i^0$ and $O_i^1$ respectively and leak $O_i^{w_i}$ . Similarly we can create the input keys $X_i^0$ and $X_i^1 = X_i^0 \oplus \Delta$ by calling (fresh key, (key, i, 0) and (linear, (key, i, 1), (key, i, 0), delta) respectively for $i \in [n]$ . This will only add equations to the system, and hence if there was a patient <sup>&</sup>lt;sup>3</sup> Note that if eventually an *other* key gets compromised, then the introduced changes will have an effect. When we use key derivation commands, one compromised other key leads to many compromised other keys. When we use fresh key commands, a compromised other key might not have an avalanche effect. However, we are proving that the number of compromised other keys is 0, and hence using one system or the other is equally good. <sup>&</sup>lt;sup>4</sup> If $O_j^1$ is uncompromised then $A_j$ goes from uncompromised to compromised, but $A_j$ is not an output key, and clearly no other key than $A_j$ can change status by this equation. zero in the system before the change there will also be a patient zero in the system after the change. Assume then that patient zero is a linear command from an XOR gate, again with index j. We process such a gate as follows: Compute $O_j^0 \leftarrow L_j^0 \oplus R_j^0$ (with label (key, j, 0)), $O_j^1 \leftarrow L_j^1 \oplus R_j^0$ (with label (key, j, 1)) and $C_j \leftarrow L_j^0 \oplus L_j^1 \oplus R_j^0 \oplus R_j^1$ (with label (garb, j)) using the linear command, and leak $C_j$ using the leak command. Notice that $L_j^0 \oplus L_j^1 \oplus R_j^0 \oplus R_j^1 = \Delta \oplus \Delta = 0$ . Hence leaking $C_j$ does not change the status of any key. We can therefore assume that we process XOR gates as follows: Compute $O_j^0 \leftarrow L_j^0 \oplus R_j^0$ and $O_j^1 \leftarrow L_j^1 \oplus R_j^0$ using the linear command. After all the changes to the system, we now "garble" as follows: First call $\Delta \leftarrow (\texttt{fresh key}, \texttt{delta})$ Then for each input key, $i \in [n]$ , do: $$\begin{split} X_i^0 &\leftarrow (\texttt{fresh key}, (\texttt{key}, i, 0)) \;, \\ X_i^1 &\leftarrow (\texttt{linear}, (\texttt{key}, i, 1), (\texttt{key}, i, 0), \texttt{delta}) \;, \\ X_i^{x_i} &\leftarrow (\texttt{leak}, (\texttt{key}, i, x_i)) \;. \end{split}$$ For each NAND gate, with index i, do: $$\begin{split} O_i^0 &\leftarrow (\texttt{fresh key}, (\texttt{key}, i, 0)) \;, \\ O_i^1 &\leftarrow (\texttt{linear}, (\texttt{key}, i, 1), (\texttt{key}, i, 0), \texttt{delta}) \;, \\ O_i^{w_i} &\leftarrow (\texttt{leak}, (\texttt{key}, i, w_i)) \;. \end{split}$$ Finally, for each XOR gate, with index i, do: $$\begin{aligned} O_i^0 &\leftarrow (\texttt{linear}, (\texttt{key}, i, 0), (\texttt{key}, l_i, 0), (\texttt{key}, r_i, 0)) \;, \\ O_i^1 &\leftarrow (\texttt{linear}, (\texttt{key}, i, 0), (\texttt{key}, l_i, 0), (\texttt{key}, r_i, 1)) \;, \\ O_i^{w_i} &\leftarrow (\texttt{leak}, (\texttt{key}, i, w_i)) \;. \end{aligned}$$ It is then fairly straight-forward to see that there are no compromised *other* key. In particular, it is trivial to see that if an other key would be compromised in this system, then the free-XOR scheme from [KS08] would trivially be insecure, as the system of equations created by the free-XOR scheme is a super set of the system created by the above commands. We therefore refer to [KS08] for the details of why the free-XOR trick is secure. Notice that we can use a subset of this proof to prove security of our free-XOR privacy-free garbling scheme, since the free-XOR already implements the global difference $\Delta$ . Specifically we have the following theorem: **Theorem 3.** If the KDF used in the garbling scheme of Fig. 1 composed with Fig. 3 is secure according to Def. 6, then the composed scheme enjoys authenticity according to Def. 2. ``` \mathsf{Gb}\left(1^k,f,\mathcal{L}\right) \to (F,e,d) 1. Set (n,q,I,W,G) \leftarrow f and \left\{X_i^0,X_i^1,\left\{\Delta_i\right\}_{i\in[L]}\right\}_{i\in[n]} \leftarrow \mathsf{InKeys}(n,k,\mathcal{L}). 2. For each g \in [n+1, n+q] set m = I(g) and define G': \{0,1\}^m \to \{0,1\} s.t. G'(i) = G(g,i) for all i \in \{0,1\}^m and set \{(X_g^0, X_g^1), P[g]\} \mathsf{Garb}\left(g,G',\mathcal{L},\left\{X_{W(g,i)}^{0},X_{W(g,i)}^{1}\right\}_{i\in[m]},\varDelta_{\mathcal{L}(g)}\right)\!. 3. Set F \leftarrow (n, q, I, W, G, \mathcal{L}, P), e \leftarrow \left\{X_i^0, X_i^1\right\}_{i \in [n]} and d \leftarrow X_{n+q}^1. 4. Finally return (F, e, d). \mathsf{En}(e,x) \to X Like in Fig. 1. De(d, Z) \rightarrow b Like in Fig. 1. \mathsf{Ev}(F,X,x) \to Z 1. Set (n, q, I, W, G, \mathcal{L}, P) \leftarrow F and for all i \in [n] set w_i = x_i and define Q = \{w_i\}_{i \in [n]}. 2. For each g \in [n+1, n+q] let m = I(g) and add w_g = G\left(g, \left\{w_{W(g,i)}\right\}_{i \in [m]}\right) to the set Q. 3. Now for each g \in [n+1, n+q] let m = I(g) and define G': \{0, 1\}^m \to \{0, 1\} s.t. G'(i) = G(g, i) and w' \in \{0, 1\}^m s.t. w'_i = w_{W(g, i)} for all i \in [m] and set X_g \leftarrow \text{Eval}\left(g, G', \mathcal{L}, w', \left\{X_{W(g,i)}\right\}_{i \in [m]}, P[g]\right). 4. Return X_{n+a}. ev(f,x) \rightarrow b Like in Fig. 1. Ve(F, f, e) \rightarrow b 1. Set (n,q,I,W,G,\mathcal{L},P) \leftarrow F, (n',q',I',W',G') \leftarrow f and \left\{X_i^0,X_i^1\right\}_{i\in[n]} \leftarrow f 2. If n \neq n', q \neq q', I \neq I', W \neq W' or G \neq G' output 0. 3. For each g \in [n+1, n+q] let m = I(g) and define G': \{0, 1\}^m \to \{0, 1\} s.t. G'(i) = G(g, i) for all i \in \{0, 1\}^m and set \{(X_g^0, X_g^1), \bar{P}[g]\} \leftarrow \operatorname{Garb}\Big(g,G',\mathcal{L},\left\{X_{W\left(g,i\right)}^{0},X_{W\left(g,i\right)}^{1}\right\}_{i\in\left[m\right]},\Delta_{\mathcal{L}\left(g\right)}\Big). 4. If for any q \in [n+1, n+q] we have \bar{P}[q] \neq P[q] output 0, otherwise output ``` Fig. 4. Privacy-free FleXOR Garbling ## 4 Privacy-Free FleXOR In [KMR14] Kolesnikov et al. introduced a generalization and optimization of the free-XOR approach which allows to weaken the security assumption needed for free-XOR and/or limit the amount of ciphertexts used to garble non-XOR gates. In their schemes (only considering fan-in 2 gates) non-XOR gates are constructed exactly as one would in a regular garbling scheme, but XOR gates are constructed differently and, depending on a wire ordering of the circuit, consists of either 0, 1 or 2 ciphertexts. When the garbling scheme used implements aggressive row reduction (i.e., GRR1) this yields an overall smaller size for most garbled circuits compared the size of garbled circuits constructed using the free-XOR approach. $$\mathsf{InKeys}(n,k,\mathcal{L}) \to \left\{ \left(X_i^0, X_i^1\right)_{i \in [n]}, \left\{\Delta_i\right\}_{i \in [L]} \right\}$$ - 1. For each $i \in [L]$ sample uniformly random differences $\Delta_i \in \{0,1\}^k$ . - 2. Then for each $i \in [n]$ sample uniformly random $X_i^0 \in \mathbb{R} \{0,1\}^k$ and return the set $\left\{ \left( X_i^0, X_i^0 \oplus \Delta_{\mathcal{L}(i)} \right)_{i \in [n]}, \left\{ \Delta_i \right\}_{i \in [L]} \right\}$ . $$\mathsf{Garb}\left(g,G',\mathcal{L},\left\{\left(X_{i}^{0},X_{i}^{1}\right)\right\}_{i\in[m]},\Delta_{\mathcal{L}(g)}\right)\rightarrow\left\{\left(X_{g}^{0},X_{g}^{1}\right),\tilde{g}\right\}$$ - 1. If $G'(\cdot) = \text{NAND}$ do garbling as described in Fig. 2 if $\mathcal{L}$ is safe, otherwise as described in Fig. 3. - 2. If instead $G'(\cdot) = XOR$ do as follows: - (a) Let T be the set of integers $i \in [m]$ for which $\mathcal{L}(i) \neq \mathcal{L}(g)$ . - (b) Let $X_g^0 = \bigoplus_{i=1}^m X_i^0$ and $X_g^1 = X_g^0 \oplus \Delta_{\mathcal{L}(g)}$ . - (c) Next let $C_i = \Delta_{\mathcal{L}(g)} \oplus \Delta_{\mathcal{L}(i)}$ for all $i \in T$ and set $\tilde{g} = \{C_i\}_{i \in T}$ . - (d) Return $\{(X_q^0, X_q^1), \tilde{g}\}.$ Eval $$\left(g,G',\mathcal{L},w',\left\{X_i\right\}_{i\in[m]},\tilde{g}\right) ightarrow \left\{X_g\right\}$$ - 1. If $G'(\cdot) = \text{NAND}$ do evaluation as described in Fig. 2 if $\mathcal{L}$ is safe, otherwise as described in Fig. 3. - 2. If instead $G'(\cdot) = XOR$ do as follows: - (a) Let T be the set of integers $i \in [m]$ for which $\mathcal{L}(i) \neq \mathcal{L}(g)$ and parse $\{C_i\}_{i\in T} \leftarrow \tilde{g}.$ (b) Parse $\{C_i\}_{i\in T} \leftarrow \tilde{g}.$ - (c) Let S be the subset of T for which it is true that $w'_i = 1$ . - (d) Return $X_g = \left(\bigoplus_{i \in [m]} X_i\right) \oplus \left(\bigoplus_{i \in S} C_i\right)$ . Fig. 5. Garbling - Using fleXOR Here we propose a variant of fleXOR which combines their ideas with nonoblivious gate evaluation, leading to a significant improvements in terms of computation complexity. Before we can describe our privacy-free fleXOR construction we need a few definitions. These are taken almost verbatim from [KMR14]. We assume familiarity with their construction and direct the reader to their paper if that is not the case. **Definition 7 (Wire Ordering).** A wire ordering for a Boolean circuit f is a function $\mathcal{L}$ that assigns an integer to each wire in f. Without loss of generality, we assume that $im(\mathcal{L}) = \{1, \dots, L\}$ for some integer L, and we denote $|\mathcal{L}| = L$ . We say a wire ordering $\mathcal{L}$ is safe if: - For each non-XOR gate with output wire i, and each wire j where there exists a directed path in the circuit that contains wire j before wire i, we have $\mathcal{L}(i) > \mathcal{L}(j)$ . - For each value $\ell \in im(\mathcal{L})$ , there is at most one non-XOR gate whose output wire i satisfies $\mathcal{L}(i) = \ell$ . We say that a topological ordering of gates in a circuit f is safety-respecting of $\mathcal{L}$ if for every non-XOR gate q with output wire i, q appears earlier in the ordering than any other gate g' with output wire i' satisfying $\mathcal{L}(i) = \mathcal{L}(i')$ . Formal Description. We describe the privacy-free fleXOR protocol for gates of fan-in m in Fig. 4 and Fig. 5. Notice that the description in Fig. 4 is essentially the same as the one for the general privacy-free scheme we described in Fig. 1, except for the fact that we include the wire ordering $\mathcal{L}$ needed in order for the garbling scheme to know which $\Delta$ 's should be used for which wires. Regarding the specificities of the garbling, described in Fig. 5, see that the garbling of NAND gates is exactly the same as in Fig. 2 and Fig. 3, depending on whether or not the wire ordering is safe. That is, the scheme first checks whether or not a gate is an XOR or NAND gate. If it is a NAND gate then the garbling is the same as in Fig. 2 if $\mathcal{L}$ is safe, and the same as in Fig. 3 if $\mathcal{L}$ is not safe. Regarding XOR gates, we garble them essentially as in Fig. 2 but, since the offsets of the wires are chosen during the InKeys procedure, the Garb procedure can only define the 0-key corresponding to the output wire. Then, as in Fig. 2, the Garb procedure computes and outputs the XOR of the offsets between the inputs and output wire, but only for the wires that belong to the set T, that is those for which $\mathcal{L}(i) \neq \mathcal{L}(g)$ , which means that the $\Delta$ used for the 1-key on wire i is different from the $\Delta$ used on the output wire of the gate g. This in turn means that we must associate a ciphertext in order to "adjust" the key on wire i. Regarding evaluation: for NAND gates the scheme again does the same as in Fig. 2 and Fig. 3 depending on whether or not the wire ordering is safe or not, respectively. For XOR gates the scheme first defines (in step a) the set of input wires for which $\mathcal{L}(i) \neq \mathcal{L}(g)$ , T, and parses the garbled gate $\tilde{g}$ to its ciphertexts, $\{C_i\}_{i \in T}$ . Then in step c the scheme identifies the subset $S \subset T$ of the input wires for which it is true that the input value for wire i is equal to 1 and finally, in step d it computes the output key by XORing all input keys and the adjustments for all the wires belonging to the set S. Security. Like for our other privacy-free garbling schemes, correctness and verifiability follows relatively straightforwards from the constructions. The proof of authenticity follows from the one for the scheme in Fig. 2 (since the fleXOR variant is a generalization of the schemes described in Fig. 2, for which some input wires happen to the same offset as the output wire) and from the assumption on the wire ordering. We refer to [KMR14] for more details. **Acknowledgments.** We would like to thank Payman Mohassel and Benny Pinkas (for useful discussions), the authors of [KMR14] (for sharing with us an early copy of their manuscript and the result of their "safe ordering" heuristics that were used for compiling Table 1 and 2), and Helene Flyvholm Haag (for valuable editorial comments). #### References - [AIK11] Applebaum, B., Ishai, Y., Kushilevitz, E.: How to garble arithmetic circuits. In: FOCS, pp. 120–129 (2011) - [AIKW13] Applebaum, B., Ishai, Y., Kushilevitz, E., Waters, B.: Encoding functions with constant online rate or how to compress garbled circuits keys. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 166–184. Springer, Heidelberg (2013) - [BHHI10] Barak, B., Haitner, I., Hofheinz, D., Ishai, Y.: Bounded key-dependent message security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 423–444. Springer, Heidelberg (2010) - [BHKR13] Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: IEEE Symposium on Security and Privacy, pp. 478–492. IEEE Computer Society (2013). http://eprint.iacr.org/2013/ 426 - [BHR12] Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: ACM Conference on Computer and Communications Security, pp. 784–796 (2012). http://eprint.iacr.org/2012/265 - [BMR90] Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: STOC, pp. 503–513 (1990) - [BP12] Boyar, J., Peralta, R.: A small depth-16 circuit for the AES S-Box. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 287–298. Springer, Heidelberg (2012) - [Fin14] Find, M.G.: On the complexity of computing two nonlinearity measures. In: Hirsch, E.A., Kuznetsov, S.O., Pin, J.É., Vereshchagin, N.K. (eds.) CSR 2014. LNCS, vol. 8476, pp. 167–175. Springer, Heidelberg (2014) - [FJN<sup>+</sup>13] Frederiksen, T.K., Jakobsen, T.P., Nielsen, J.B., Nordholt, P.S., Orlandi, C.: MiniLEGO: efficient secure two-party computation from general assumptions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 537–556. Springer, Heidelberg (2013) - [FNO14] Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacy-free garbled circuits with applications to efficient zero-knowledge. IACR Cryptology ePrint Arch. 2014, 598 (2014) - [GGH<sup>+</sup>13] Gentry, C., Gorbunov, S., Halevi, S., Vaikuntanathan, V., Vinayagamurthy, D.: How to compress (reusable) garbled circuits. IACR Cryptology ePrint Arch. 2013, 687 (2013) - [GGP10] Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010) - [GHL<sup>+</sup>14] Gentry, C., Halevi, S., Lu, S., Ostrovsky, R., Raykova, M., Wichs, D.: Garbled RAM revisited. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 405–422. Springer, Heidelberg (2014) - [GKP<sup>+</sup>13] Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013) - [GMW87] Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987) - [IK02] Ishai, Y., Kushilevitz, E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Widmayer, P., Triguero, F., Morales, R., Hennessy, M., Eidenbenz, S., Conejo, R. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002) - [IW14] Ishai, Y., Wee, H.: Partial garbling schemes and their applications. In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014. LNCS, vol. 8572, pp. 650–662. Springer, Heidelberg (2014). http://eprint.iacr.org/2014/995 - [JKO13] Jawurek, M., Kerschbaum, F., Orlandi, C.: Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently. In: ACM Conference on Computer and Communications Security, pp. 955–966 (2013) - [KK12] Kolesnikov, V., Kumaresan, R.: Improved secure two-party computation via information-theoretic garbled circuits. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 205–221. Springer, Heidelberg (2012) - [KMR14] Kolesnikov, V., Mohassel, P., Rosulek, M.: FleXOR: flexible garbling for XOR gates that beats free-XOR. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 440–457. Springer, Heidelberg (2014) - [Kol05] Kolesnikov, V.: Gate evaluation secret sharing and secure one-round two-party computation. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 136–155. Springer, Heidelberg (2005) - [KS08] Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008) - [KW13] Kamara, S., Wei, L.: Garbled circuits via structured encryption. In: Adams, A.A., Brenner, M., Smith, M. (eds.) FC 2013. LNCS, vol. 7862, pp. 177–188. Springer, Heidelberg (2013) - [LO13] Lu, S., Ostrovsky, R.: How to garble ram programs? In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 719–734. Springer, Heidelberg (2013) - [LP09] Lindell, Y., Pinkas, B.: A proof of security of Yao's protocol for two-party computation. J. Cryptology 22(2), 161–188 (2009) - [MNPS04] Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay secure two-party computation system. In: USENIX Security Symposium, pp. 287–302 (2004) - [NO09] Nielsen, J.B., Orlandi, C.: LEGO for two-party secure computation. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 368–386. Springer, Heidelberg (2009) - [NPS99] Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: ACM Conference on Electronic Commerce, pp. 129–139 (1999) - [PSSW09] Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009) - [Rog91] Rogaway, P.: The round complexity of secure protocols. Ph.D thesis, Massachusetts Institute of Technology (1991) - [SS10] Sahai, A., Seyalioglu, H.: Worry-free encryption: functional encryption with public keys. In: ACM Conference on Computer and Communications Security, pp. 463–472 (2010) - [ST12] Smart, N., Tillich, S.: Circuits of basic functions suitable for MPC and FHE (2012). http://www.cs.bris.ac.uk/Research/CryptographySecurity/MPC/ - [Yao86] Yao, A.C.-C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986) - [ZRE15] Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole: reducing data transfer in garbled circuits using half gates. In: These proceedings (2015). http://eprint.iacr.org/2014/756