FleXOR: Flexible Garbling for XOR Gates That Beats Free-XOR
Most implementations of Yao’s garbled circuit approach for 2-party secure computation use the free-XOR optimization of Kolesnikov & Schneider (ICALP 2008). We introduce an alternative technique called flexible-XOR (fleXOR) that generalizes free-XOR and offers several advantages. First, fleXOR can be instantiated under a weaker hardness assumption on the underlying cipher/hash function (related-key security only, compared to related-key and circular security required for free-XOR) while maintaining most of the performance improvements that free-XOR offers. Alternatively, even though XOR gates are not always “free” in our approach, we show that the other (non-XOR) gates can be optimized more heavily than what is possible when using free-XOR. For many circuits of cryptographic interest, this can yield a significantly (over 30%) smaller garbled circuit than any other known techniques (including free-XOR) or their combinations.
Keywords: Hash Function, Random Oracle, Topological Order, Oblivious Transfer, Output Wire
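To make the cost claim concrete, the following added example (not code from the paper) models an XOR gate in which each wire may carry its own offset: an input whose offset already equals the output's passes through for free, and any other input is re-offset with one ciphertext, so a gate costs 0, 1 or 2 ciphertexts and free-XOR is the case where every wire shares one offset. Assumptions of this sketch: SHA-256 stands in for the cipher/hash, the low bit of a label serves as its select bit, all function names are illustrative, and the choice of offset per wire, on which any security argument rests, is not modelled.

```python
import hashlib, secrets

K = 16  # wire-label length in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(label, tweak):
    # SHA-256 stands in for the cipher/hash (assumption of this example).
    return hashlib.sha256(label + tweak.to_bytes(4, "big")).digest()[:K]

def new_delta():
    d = bytearray(secrets.token_bytes(K))
    d[-1] |= 1  # lsb = 1, so a wire's two labels carry different select bits
    return bytes(d)

def new_wire(delta):
    w0 = secrets.token_bytes(K)
    return (w0, xor(w0, delta))  # (FALSE label, TRUE label)

def translate(wire, delta_out, tweak):
    """Garbler: re-offset a wire to delta_out; costs 0 or 1 ciphertext."""
    w0, w1 = wire
    if xor(w0, w1) == delta_out:
        return wire, None  # offsets already agree: free, as in free-XOR
    swap = w0[-1] & 1  # the select-bit-0 label translates implicitly
    lo, hi = (w1, w0) if swap else (w0, w1)
    t_lo = H(lo, tweak)
    t_hi = xor(t_lo, delta_out)
    ct = xor(H(hi, tweak), t_hi)
    return ((t_hi, t_lo) if swap else (t_lo, t_hi)), ct

def eval_translate(label, ct, tweak):
    """Evaluator: map the one label it holds onto the output offset."""
    if ct is None:
        return label
    h = H(label, tweak)
    return xor(h, ct) if label[-1] & 1 else h

def garble_xor(a, b, delta_out, gate_id):
    ta, ca = translate(a, delta_out, 2 * gate_id)
    tb, cb = translate(b, delta_out, 2 * gate_id + 1)
    c0 = xor(ta[0], tb[0])
    return (c0, xor(c0, delta_out)), (ca, cb)

def eval_xor(la, lb, cts, gate_id):
    return xor(eval_translate(la, cts[0], 2 * gate_id),
               eval_translate(lb, cts[1], 2 * gate_id + 1))
```

`garble_xor` returns the output wire's label pair and a pair of ciphertext slots, where `None` marks an input that needed no translation.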