Garbled circuit

Last updated March 28, 2024

Garbled circuit is a cryptographic protocol that enables two-party secure computation in which two mistrusting parties can jointly evaluate a function over their private inputs without the presence of a trusted third party. In the garbled circuit protocol, the function has to be described as a Boolean circuit.

The history of garbled circuits is complicated. The invention of garbled circuit was credited to Andrew Yao, as Yao introduced the idea in the oral presentation of a paper^[1] in FOCS'86. This was documented by Oded Goldreich in 2003.^[2] The first written document about this technique was by Goldreich, Micali, and Wigderson in STOC'87.^[3] The term "garbled circuit" was first used by Beaver, Micali, and Rogaway in STOC'90.^[4] Yao's protocol solving Yao's Millionaires' Problem was the beginning example of secure computation, yet it is not directly related to garbled circuits.

Background

Oblivious transfer

In the garbled circuit protocol, we make use of oblivious transfer. In the oblivious transfer, a string is transferred between a sender and a receiver in the following way: a sender has two strings $S_{0}$ and $S_{1}$ . The receiver chooses $b\in \{0,1\}$ and the sender sends $S_{b}$ with the oblivious transfer protocol such that

the receiver doesn't gain any information about the unsent string $S_{(1-b)}$ ,
the value of $b$ is not exposed to the sender.

Note that while the receiver doesn't know the $S_{0},S_{1}$ values, in practice the receiver knows some information about what $S_{b}$ encodes so that the receiver is not blindly choosing $b$ . That is, if $S_{0}$ encodes a false value, $S_{1}$ encodes a true value and the receiver wants to get the encoded true value, the receiver chooses $b=1$ .

The oblivious transfer can be built using asymmetric cryptography like the RSA cryptosystem.

Definitions and notations

Operator $\parallel$ is string concatenation. Operator $\oplus$ is bit-wise XOR. k is a security parameter and the length of keys. It should be greater than 80 and is usually set at 128.

Garbled circuit protocol

The protocol consists of 6 steps as follows:

The underlying function (e.g., in the millionaires' problem, comparison function) is described as a Boolean circuit with 2-input gates. The circuit is known to both parties. This step can be done beforehand by a third-party.
Alice garbles (encrypts) the circuit. We call Alice the garbler.
Alice sends the garbled circuit to Bob along with her encrypted input.
In order to calculate the circuit, Bob needs to garble his own input as well. To this end, he needs Alice to help him, because only the garbler knows how to encrypt. Finally, Bob can encrypt his input through oblivious transfer. In terms of the definition from above, Bob is the receiver and Alice the sender at this oblivious transfer.
Bob evaluates (decrypts) the circuit and obtains the encrypted outputs. We call Bob the evaluator.
Alice and Bob communicate to learn the output.

Circuit generation

The Boolean circuit for small functions can be generated by hand. It is conventional to make the circuit out of 2-input XOR and AND gates. It is important that the generated circuit has the minimum number of AND gates (see Free XOR optimization). There are methods that generate the optimized circuit in term of number of AND gates using logic synthesis technique.^[5] The circuit for the Millionaires' Problem is a digital comparator circuit (which is a chain of full adders working as a subtractor and outputting the carry flag). A full adder circuit can be implemented using only one AND gate and some XOR gates. This means the total number of AND gates for the circuit of the Millionaires' Problem is equal to the bit-width of the inputs.

Garbling

Construction of the truth table of an AND gate

Alice (garbler) encrypts the Boolean circuit in this step to obtain a garbled circuit. Alice assigns two randomly generated strings called labels to each wire in the circuit: one for Boolean semantic 0 and one for 1. (The label is k-bit long where k the security parameter and is usually set to 128.) Next, she goes to all the gates in the circuit and replaces 0 and 1 in the truth tables with the corresponding labels. The table below shows the truth table for an AND gate with two inputs $w^{a},w^{b}$ and output $w^{c}$ :

a	b	c
0	0	0
0	1	0
1	0	0
1	1	1

Alice replaced 0 and 1 with the corresponding labels:

a	b	c
$X_{0}^{a}$	$X_{0}^{b}$	$X_{0}^{c}$
$X_{0}^{a}$	$X_{1}^{b}$	$X_{0}^{c}$
$X_{1}^{a}$	$X_{0}^{b}$	$X_{0}^{c}$
$X_{1}^{a}$	$X_{1}^{b}$	$X_{1}^{c}$

She then encrypts the output entry of the truth table with the corresponding two input labels. The encrypted table is called garbled table. This is done such that one can decrypt the garbled table only if he has the correct two input labels. In the table below, $Enc_{k}(X)$ is a double-key symmetric encryption in which k is the secret key and X is the value to be encrypted (see Fixed-Key Blockcipher).

Garbled Table
$Enc_{X_{0}^{a},X_{0}^{b}}(X_{0}^{c})$
$Enc_{X_{0}^{a},X_{1}^{b}}(X_{0}^{c})$
$Enc_{X_{1}^{a},X_{0}^{b}}(X_{0}^{c})$
$Enc_{X_{1}^{a},X_{1}^{b}}(X_{1}^{c})$

After this, Alice randomly permutes the table such that the output value cannot be determined from the row. The protocol's name, garbled, is derived from this random permutation.

Data transfer

Alice sends the computed garbled tables for all gates in the circuit to Bob. Bob needs input labels to open the garbled tables. Thus, Alice chooses the labels corresponding to her input $a$ and sends them to Bob. For example, if Alice's input is $\mathbf {a} =a_{4}a_{3}a_{2}a_{1}a_{0}=01101$ , then she sends $X_{0}^{a_{4}}$ , $X_{1}^{a_{3}}$ , $X_{1}^{a_{2}}$ , $X_{0}^{a_{1}}$ , and $X_{1}^{a_{0}}$ to Bob. Bob will not learn anything about Alice's input, $\mathbf {a}$ , since the labels are randomly generated by Alice and they look like random strings to Bob.

Bob needs the labels corresponding to his input as well. He receives his labels through oblivious transfers for each bit of his input. For example, if Bob's input is $\mathbf {b} =b_{4}b_{3}b_{2}b_{1}b_{0}=10100$ , Bob first asks for $b_{0}=0$ between Alice's labels $X_{0}^{b_{0}}$ and $X_{1}^{b_{0}}$ . Through a 1-out-of-2 oblivious transfer, he receives $X_{0}^{b_{0}}$ and so on. After the oblivious transfers, Alice will not learn anything about Bob's input and Bob will not learn anything about the other labels.

Evaluation

After the data transfer, Bob has the garbled tables and the input labels. He goes through all gates one by one and tries to decrypt the rows in their garbled tables. He is able to open one row for each table and retrieve the corresponding output label: $X^{c}=Dec_{X^{a},X^{b}}(garbled\_table[i])$ , where $0\leq i\leq 3$ . He continues the evaluation until he reaches to the output labels.

Revealing output

After the evaluation, Bob obtains the output label, $X^{c}$ , and Alice knows its mapping to Boolean value since she has both labels: $X_{0}^{c}$ and $X_{1}^{c}$ . Either Alice can share her information to Bob or Bob can reveal the output to Alice such that one or both of them learn the output.

Optimization

Point-and-permute

In this optimization, Alice generates a random bit, $s$ , called select bit for each wire $w$ . She sets the first bit of label 0, $X_{0}^{a}$ to $s$ and the first bit of label 1, $X_{1}^{a}$ , to ${\bar {s}}$ (NOT of $s$ ). She does the same for wire $w^{b}$ . She then, instead of randomly permuting, sorts the garbled table according to the inputs select bits. This way, Bob does not need to test all four rows of the table to find the correct one, since he receives the pointer bits with each wire label and can find the correct row and decrypt it with one attempt. This reduces the evaluation load by 4 times. It also does not reveal anything about the output value because the select bits are randomly generated.^[6]

Row reduction

This optimization reduces the size of garbled tables from 4 rows to 3 rows. Here, instead of generating a label for the output wire of a gate randomly, Alice generates it using a function of the input labels. She generates the output labels such that the first entry of the garbled table becomes all 0 and no longer needs to be sent:^[7]

${\begin{aligned}&Enc_{X_{0}^{a},X_{0}^{b}}(X_{0}^{c})=0\\&X_{0}^{c}=Dec_{X_{0}^{a},X_{0}^{b}}(0).\end{aligned}}$

Free XOR

In this optimization, Alice generates a global random (k-1)-bit value $R$ which is kept secret. During the garbling of the input gates $w^{a}$ and $w^{b}$ , she only generates the labels $(X_{0}^{a},X_{0}^{b})$ and computes the other labels as $X_{1}^{a}=X_{0}^{a}\oplus (R\parallel 1)$ and $X_{1}^{b}=X_{0}^{b}\oplus (R\parallel 1)$ . Using these values, the label of an XOR gate's output wire $w^{c}$ with input wires $w^{a}$ , $w^{b}$ is set to $X^{c}=X^{a}\oplus X^{b}$ . The proof of security in the Random Oracle Model for this optimization is given in the Free-XOR paper.^[8]

Implication

Free XOR optimization implies an important point that the amount of data transfer (communication) and number of encryption and decryption (computation) of the garbled circuit protocol relies only on the number of AND gates in the Boolean circuit not the XOR gates. Thus, between two Boolean circuits representing the same function, the one with the smaller number of AND gates is preferred.

Fixed-key blockcipher

This method allows to efficiently garble and evaluate AND gates using fixed-key AES, instead of costly cryptographic hash function like SHA-2. In this garbling scheme which is compatible with the Free XOR and Row Reduction techniques, the output key $X^{c}$ is encrypted with the input token $X^{a}$ and $X^{b}$ using the encryption function $Enc(X^{a},X^{b},T,X^{c})=\pi (K)\oplus K\oplus X^{c}$ , where $K=2X^{a}\oplus 4X^{b}\oplus T$ , $\pi$ is a fixed-key block cipher (e.g., instantiated with AES), and $T$ is a unique-per-gate number (e.g., gate identifier) called tweak.^[9]

Half And

This optimization reduce the size of garbled table for AND gates from 3 row in Row Reduction to 2 rows. It is shown that this is the theoretical minimum for the number of rows in the garbled table, for a certain class of garbling techniques.^[10]

Security

The Yao's Garbled Circuit is secure against a semi-honest adversary. This type of adversary follows the protocol and does not do any malicious behavior, but it tries to violate the privacy of the other party's input by scrutinizing the messages transmitted in the protocol.

It is more challenging to make this protocol secure against a malicious adversary that deviates from the protocol. One of the first solutions to make the protocol secure against malicious adversary is to use zero-knowledge proof to prevent malicious activities during the protocol.^[11] For years, this approach was considered more as theoretical solution than a practical solution because of complexity overheads of it. But, it is shown that it is possible to use it with just a small overhead.^[12] Another approach is using several GC for a circuit and verifying the correctness of a subset of them and then using the rest for the computation with the hope that if the garbler was malicious, it would be detected during the verification phase.^[13] Another solution is to make the garbling scheme authenticated such that the evaluator can verify the garbled circuit.^[14]^[15]

Related Research Articles

In theoretical computer science, communication complexity studies the amount of communication required to solve a problem when the input to the problem is distributed among two or more parties. The study of communication complexity was first introduced by Andrew Yao in 1979, while studying the problem of computation distributed among several machines. The problem is usually stated as follows: two parties each receive a $-bit string and . The goal is for Alice to compute the value of a certain function,, that depends on both and, with the least amount of communication between them.$

<span class="mw-page-title-main">Exclusive or</span> True when either but not both inputs are true

Exclusive or, exclusive disjunction, exclusive alternation, logical non-equivalence, or logical inequality is a logical operator whose negation is the logical biconditional. With two inputs, XOR is true if and only if the inputs differ. With multiple inputs, XOR is true if and only if the number of true inputs is odd.

An adder, or summer, is a digital circuit that performs addition of numbers. In many computers and other kinds of processors, adders are used in the arithmetic logic units (ALUs). They are also used in other parts of the processor, where they are used to calculate addresses, table indices, increment and decrement operators and similar operations.

Secure multi-party computation is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where cryptography assures security and integrity of communication or storage and the adversary is outside the system of participants, the cryptography in this model protects participants' privacy from each other.

<span class="mw-page-title-main">Boolean function</span> Function returning one of only two values

In mathematics, a Boolean function is a function whose arguments and result assume values from a two-element set. Alternative names are switching function, used especially in older computer science literature, and truth function, used in logic. Boolean functions are the subject of Boolean algebra and switching theory.

In Boolean algebra, any Boolean function can be expressed in the canonical disjunctive normal form (CDNF) or minterm canonical form, and its dual, the canonical conjunctive normal form (CCNF) or maxterm canonical form. Other canonical forms include the complete sum of prime implicants or Blake canonical form, and the algebraic normal form.

The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.

A carry-lookahead adder (CLA) or fast adder is a type of electronics adder used in digital logic. A carry-lookahead adder improves speed by reducing the amount of time required to determine carry bits. It can be contrasted with the simpler, but usually slower, ripple-carry adder (RCA), for which the carry bit is calculated alongside the sum bit, and each stage must wait until the previous carry bit has been calculated to begin calculating its own sum bit and carry bit. The carry-lookahead adder calculates one or more carry bits before the sum, which reduces the wait time to calculate the result of the larger-value bits of the adder.

XOR gate is a digital logic gate that gives a true output when the number of true inputs is odd. An XOR gate implements an exclusive or from mathematical logic; that is, a true output results if one, and only one, of the inputs to the gate is true. If both inputs are false (0/LOW) or both are true, a false output results. XOR represents the inequality function, i.e., the output is true if the inputs are not alike otherwise the output is false. A way to remember XOR is "must have one or the other but not both".

The NAND Boolean function has the property of functional completeness. This means that any Boolean expression can be re-expressed by an equivalent expression utilizing only NAND operations. For example, the function NOT(x) may be equivalently expressed as NAND(x,x). In the field of digital electronic circuits, this implies that it is possible to implement any Boolean function using just NAND gates.

The XNOR gate is a digital logic gate whose function is the logical complement of the Exclusive OR (XOR) gate. It is equivalent to the logical connective from mathematical logic, also known as the material biconditional. The two-input version implements logical equality, behaving according to the truth table to the right, and hence the gate is sometimes called an "equivalence gate". A high output (1) results if both of the inputs to the gate are the same. If one but not both inputs are high (1), a low output (0) results.

Secure two-party computation (2PC) a.k.a. Secure function evaluation is sub-problem of secure multi-party computation (MPC) that has received special attention by researchers because of its close relation to many cryptographic tasks. The goal of 2PC is to create a generic protocol that allows two parties to jointly compute an arbitrary function on their inputs without sharing the value of their inputs with the opposing party. One of the most well known examples of 2PC is Yao's Millionaires' problem, in which two parties, Alice and Bob, are millionaires who wish to determine who is wealthier without revealing their wealth. Formally, Alice has wealth $, Bob has wealth, and they wish to compute without revealing the values or .$

In theoretical computer science, circuit complexity is a branch of computational complexity theory in which Boolean functions are classified according to the size or depth of the Boolean circuits that compute them. A related notion is the circuit complexity of a recursive language that is decided by a uniform family of circuits $.$

In electronics, a subtractor – a digital circuit that performs subtraction of numbers – can be designed using the same approach as that of an adder. The binary subtraction process is summarized below. As with an adder, in the general case of calculations on multi-bit numbers, three bits are involved in performing the subtraction for each bit of the difference: the minuend, subtrahend, and a borrow in from the previous bit order position. The outputs are the difference bit and borrow bit $. The subtractor is best understood by considering that the subtrahend and both borrow bits have negative weights, whereas the X and D bits are positive. The operation performed by the subtractor is to rewrite as the sum .$

Zhegalkinpolynomials, also known as algebraic normal form, are a representation of functions in Boolean algebra. Introduced by the Russian mathematician Ivan Ivanovich Zhegalkin in 1927, they are the polynomial ring over the integers modulo 2. The resulting degeneracies of modular arithmetic result in Zhegalkin polynomials being simpler than ordinary polynomials, requiring neither coefficients nor exponents. Coefficients are redundant because 1 is the only nonzero coefficient. Exponents are redundant because in arithmetic mod 2, x² = x. Hence a polynomial such as 3x²y⁵z is congruent to, and can therefore be rewritten as, xyz.

Correlation attacks are a class of cryptographic known-plaintext attacks for breaking stream ciphers whose keystreams are generated by combining the output of several linear-feedback shift registers (LFSRs) using a Boolean function. Correlation attacks exploit a statistical weakness that arises from the specific Boolean function chosen for the keystream. While some Boolean functions are vulnerable to correlation attacks, stream ciphers generated using such functions are not inherently insecure.

In Boolean algebra, a parity function is a Boolean function whose value is one if and only if the input vector has an odd number of ones. The parity function of two inputs is also known as the XOR function.

Yao's Millionaires' problem is a secure multi-party computation problem introduced in 1982 by computer scientist and computational theorist Andrew Yao. The problem discusses two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth.

Verifiable computing enables a computer to offload the computation of some function, to other perhaps untrusted clients, while maintaining verifiable results. The other clients evaluate the function and return the result with a proof that the computation of the function was carried out correctly. The introduction of this notion came as a result of the increasingly common phenomenon of "outsourcing" computation to untrusted users in projects such as SETI@home and also to the growing desire to enable computationally-weak devices to outsource computational tasks to a more powerful computation service, as in cloud computing. The concept dates back to work by Babai et al., and has been studied under various terms, including "checking computations", "delegating computations", "certified computation", and verifiable computing. The term verifiable computing itself was formalized by Rosario Gennaro, Craig Gentry, and Bryan Parno, and echoes Micali's "certified computation".

The Hidden Matching Problem is a computation complexity problem that can be solved using quantum protocols: Let $be a positive even integer. In the Hidden Matching Problem, Alice is given and Bob is given (denotes the family of all possible perfect matchings on nodes). Their goal is to output a tuple such that the edge belongs to the matching and .$

References

↑ Yao, Andrew Chi-Chih (1986). "How to generate and exchange secrets". 27th Annual Symposium on Foundations of Computer Science (SFCS 1986). pp. 162–167. doi:10.1109/SFCS.1986.25. ISBN 978-0-8186-0740-0.
↑ Goldreich, Oded (2003). "Cryptography and Cryptographic Protocols". Distributed Computing - Papers in Celebration of the 20th Anniversary of PODC. 16 (2–3): 177–199. CiteSeerX 10.1.1.117.3618 . doi:10.1007/s00446-002-0077-1. S2CID 9966766.
↑ Goldreich, Oded; Micali, Silvio; Wigderson, Avi (1987). "How to play ANY mental game". Proceedings of the nineteenth annual ACM conference on Theory of computing - STOC '87. pp. 218–229. doi:10.1145/28395.28420. ISBN 978-0897912211. S2CID 6669082.
↑ Beaver, Donald; Micali, Silvio; Rogaway, Phillip (1990). "The round complexity of secure protocols". Proceedings of the twenty-second annual ACM symposium on Theory of computing - STOC '90. pp. 503–513. CiteSeerX 10.1.1.697.1624 . doi:10.1145/100216.100287. ISBN 978-0897913614. S2CID 1578121.
↑ Songhori, Ebrahim M; Hussain, Siam U; Sadeghi, Ahmad-Reza; Schneider, Thomas; Koushanfar, Farinaz (2015). "TinyGarble: Highly Compressed and Scalable Sequential Garbled Circuits". 2015 IEEE Symposium on Security and Privacy. pp. 411–428. doi:10.1109/SP.2015.32. ISBN 978-1-4673-6949-7. S2CID 5346323.
↑ Beaver, Donald; Micali, Silvio; Rogaway, Phillip (1990). "The round complexity of secure protocols". Proceedings of the twenty-second annual ACM symposium on Theory of computing - STOC '90. pp. 503–513. CiteSeerX 10.1.1.697.1624 . doi:10.1145/100216.100287. ISBN 978-0897913614. S2CID 1578121.
↑ Naor, Moni; Pinkas, Benny; Sumner, Reuban (1999). "Privacy preserving auctions and mechanism design". Proceedings of the 1st ACM conference on Electronic commerce. pp. 129–139. CiteSeerX 10.1.1.17.7459 . doi:10.1145/336992.337028. ISBN 978-1581131765. S2CID 207593367.
↑ Kolesnikov, Vladimir; Schneider, Thomas (2008). "Improved Garbled Circuit: Free XOR Gates and Applications". Automata, Languages and Programming. Lecture Notes in Computer Science. Vol. 5126. pp. 486–498. CiteSeerX 10.1.1.160.5268 . doi:10.1007/978-3-540-70583-3_40. ISBN 978-3-540-70582-6.
↑ Bellare, Mihir; Hoang, Viet Tung; Keelveedhi, Sriram; Rogaway, Phillip (2013). "Efficient Garbling from a Fixed-Key Blockcipher". 2013 IEEE Symposium on Security and Privacy. pp. 478–492. CiteSeerX 10.1.1.299.2755 . doi:10.1109/SP.2013.39. ISBN 978-0-7695-4977-4. S2CID 1351222.
↑ Zahur, Samee; Rosulek, Mike; Evans, David (2015). Two halves make a whole (PDF).
↑ Goldwasser, S; Micali, S; Rackoff, C (1985-12-01). "The knowledge complexity of interactive proof-systems". Proceedings of the seventeenth annual ACM symposium on Theory of computing - STOC '85. Providence, Rhode Island, US: Association for Computing Machinery. pp. 291–304. doi:10.1145/22145.22178. ISBN 978-0-89791-151-1. S2CID 8689051.
↑ Abascal, Jackson; Faghihi Sereshgi, Mohammad Hossein; Hazay, Carmit; Ishai, Yuval; Venkitasubramaniam, Muthuramakrishnan (2020-10-30). "Is the Classical GMW Paradigm Practical? The Case of Non-Interactive Actively Secure 2PC". Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. CCS '20. Virtual Event, US: Association for Computing Machinery. pp. 1591–1605. doi:10.1145/3372297.3423366. ISBN 978-1-4503-7089-9. S2CID 226228208.
↑ Lindell, Yehuda; Pinkas, Benny (2007). "An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries". In Naor, Moni (ed.). Advances in Cryptology - EUROCRYPT 2007. Lecture Notes in Computer Science. Vol. 4515. Berlin, Heidelberg: Springer. pp. 52–78. Bibcode:2007LNCS.4515...52L. doi: 10.1007/978-3-540-72540-4_4 . ISBN 978-3-540-72540-4.
↑ Ishai, Yuval; Kushilevitz, Eyal; Ostrovsky, Rafail; Prabhakaran, Manoj; Sahai, Amit (2011). "Efficient Non-interactive Secure Computation". In Paterson, Kenneth G. (ed.). Advances in Cryptology – EUROCRYPT 2011. Lecture Notes in Computer Science. Vol. 6632. Berlin, Heidelberg: Springer. pp. 406–425. doi: 10.1007/978-3-642-20465-4_23 . ISBN 978-3-642-20465-4.
↑ Hazay, Carmit; Ishai, Yuval; Venkitasubramaniam, Muthuramakrishnan (2017). "Actively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model". In Kalai, Yael; Reyzin, Leonid (eds.). Theory of Cryptography. Lecture Notes in Computer Science. Vol. 10678. Cham: Springer International Publishing. pp. 3–39. doi:10.1007/978-3-319-70503-3_1. ISBN 978-3-319-70503-3.