Skip to main content

Three Halves Make a Whole? Beating the Half-Gates Lower Bound for Garbled Circuits

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12825)


We describe a garbling scheme for boolean circuits, in which XOR gates are free and AND gates require communication of \(1.5\kappa + 5\) bits. This improves over the state-of-the-art “half-gates” scheme of Zahur, Rosulek, and Evans (Eurocrypt 2015), in which XOR gates are free and AND gates cost \(2\kappa \) bits. The half-gates paper proved a lower bound of \(2\kappa \) bits per AND gate, in a model that captured all known garbling techniques at the time. We bypass this lower bound with a novel technique that we call slicing and dicing, which involves slicing wire labels in half and operating separately on those halves. Ours is the first to bypass the lower bound while being fully compatible with free-XOR, making it a drop-in replacement for half-gates. Our construction is proven secure from a similar assumption to prior free-XOR garbling (circular correlation-robust hash), and uses only slightly more computation than half-gates.

First author partially supported by NSF award #1617197. Second author supported by a DoE CSGF Fellowship.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-84242-0_5
  • Chapter length: 31 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-84242-0
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.


  1. 1.

    These constructions require the input labels to have a certain correlation that they do not guarantee for the gate’s output labels.

  2. 2.

    We assume that all gates take two inputs. NOT gates can be merged into downstream gates—e.g. if x goes into a NOT gate, and then into an AND gate with another input y, this is equivalent to a single \(\overline{x} \wedge y\) gate.

  3. 3.

    Most garbling schemes actually do not have perfect correctness. If an output wire has labels \(W_0, W_1\), then d will contain both \(H(W_0)\) and \(H(W_1)\). Correctness is violated if \(H(W_0) = H(W_1)\).

  4. 4.

    Equivalently, \(\mathcal {U}\) is \(2^{-\kappa }\)-almost-XOR-universal (AXU).

  5. 5.

    For now, assume H is a random oracle. We ignore including the gate ID as an additional argument to H.

  6. 6.

    More generally, multiplying by a left-inverse of the matrix on the left-hand side “just works,” as in the case where the matrix on the left-hand side is invertible.

  7. 7.

    Hence the title: “Three Halves Make a Whole”.

  8. 8.

    Note also that the calls to H have globally distinct tweaks.

  9. 9.

    Circuits were obtained from

  10. 10.

    This can happen, e.g., when for every \(a \wedge b\) gate there is a corresponding \(a \vee b = \overline{ \overline{a} \wedge \overline{b}}\) gate.


  1. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 2012, pp. 784–796. ACM Press, October 2012

    Google Scholar 

  2. Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: 22nd ACM STOC, pp. 503–513. ACM Press, May 1990

    Google Scholar 

  3. Ball, M., Malkin, T., Rosulek, M.: Garbling gadgets for Boolean and arithmetic circuits. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 565–577. ACM Press, October 2016

    Google Scholar 

  4. Choi, S.G., Katz, J., Kumaresan, R., Zhou, H.-S.: On the security of the “Free-XOR’’ technique. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 39–53. Springer, Heidelberg (2012).

    CrossRef  MATH  Google Scholar 

  5. Carmer, B., Rosulek, M.: Linicrypt: a model for practical cryptography. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 416–445. Springer, Heidelberg (2016)

    CrossRef  Google Scholar 

  6. Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacy-free garbled circuits with applications to efficient zero-knowledge. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 191–219. Springer, Heidelberg (2015)

    CrossRef  Google Scholar 

  7. Guo, C., Katz, J., Wang, X., Yu, Y.: Efficient and secure multiparty computation from fixed-key block ciphers. In: 2020 IEEE Symposium on Security and Privacy, pp. 825–841. IEEE Computer Society Press, May 2020

    Google Scholar 

  8. Gueron, S., Lindell, Y., Nof, A., Pinkas, B.: Fast garbling of circuits under standard assumptions. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 567–578. ACM Press, October 2015

    Google Scholar 

  9. Kempka, C., Kikuchi, R., Suzuki, K.: How to circumvent the two-ciphertext lower bound for linear garbling schemes. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 967–997. Springer, Heidelberg (2016).

    CrossRef  Google Scholar 

  10. Kolesnikov, V., Mohassel, P., Rosulek, M.: FleXOR: flexible garbling for XOR gates that beats free-XOR. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 440–457. Springer, Heidelberg (2014)

    CrossRef  Google Scholar 

  11. Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008).

    CrossRef  MATH  Google Scholar 

  12. Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. J. Cryptol. 22(2), 161–188 (2009)

    MathSciNet  CrossRef  Google Scholar 

  13. Mohassel, P., Rindal, P.: ABY\(^3\): a mixed protocol framework for machine learning. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 35–52. ACM Press, October 2018

    Google Scholar 

  14. Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: Proceedings of the 1st ACM Conference on Electronic Commerce, New York, NY, USA, pp. 129–139. ACM (1999)

    Google Scholar 

  15. Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009)

    CrossRef  Google Scholar 

  16. Rosulek, M.: Improvements for gate-hiding garbled circuits. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 325–345. Springer, Heidelberg (2017)

    CrossRef  Google Scholar 

  17. Wang, Y., Malluhi, Q.M.: Reducing garbled circuit size while preserving circuit gate privacy. Cryptology ePrint Archive, Report 2017/041 (2017).

  18. Yao, A.C.-C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press, November 1982

    Google Scholar 

  19. Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole-reducing data transfer in garbled circuits using half gates. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. Part II, LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Mike Rosulek .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Rosulek, M., Roy, L. (2021). Three Halves Make a Whole? Beating the Half-Gates Lower Bound for Garbled Circuits. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12825. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84241-3

  • Online ISBN: 978-3-030-84242-0

  • eBook Packages: Computer ScienceComputer Science (R0)