PrivacyFree Garbled Circuits for Formulas: Size Zero and InformationTheoretic
 2 Citations
 3.1k Downloads
Abstract
Garbled circuits are of central importance in cryptography, finding widespread application in secure computation, zeroknowledge (ZK) protocols, and verifiable outsourcing of computation to name a few. We are interested in a particular kind of garbling scheme, termed privacyfree in the literature. We show that Boolean formulas can be garbled informationtheoretically in the privacyfree setting, producing no ciphertexts at all. Existing garbling schemes either rely on cryptographic assumptions (and thus require cryptographic operations to construct and evaluate garbled circuits), produce garbled circuits of nonzero size, or are restricted to low depth formulaic circuits. Our result has both theoretical and practical implications for garbled circuits as a primitive. On the theory front, our result breaks the known theoretical lower bound of one ciphertext for garbling an AND gate in this setting. As an interesting implication of producing size zero garbled circuits, our scheme scores adaptive security for free. On the practical side, our garbling scheme involves only cheap XOR operations and produces size zero garbled circuits. As a side result, we propose several interesting extensions of our scheme. Namely, we show how to garble threshold and high fanin gates.
An aspect of our garbling scheme that we believe is of theoretical interest is that it does not maintain the invariant that the garbled circuit evaluator must not at any point be in possession of both keys of any wire in the garbled circuit.
Our scheme directly finds application in ZK protocols where the verification function of the language is representable by a formulaic circuit. Such examples include Boolean formula satisfiability. The ZK protocols obtained by plugging in our scheme in the known paradigm of building ZK protocols from garbled circuits offer better proof size, while relying on standard assumptions. Furthermore, the adaptivity of our garbling scheme allows us to cast our ZK protocols in the offlineonline setting and offload circuit dependent communication and computation to the offline phase. As a result, the online phase enjoys communication and computation (in terms of number of symmetric key operations) complexity that are linearly proportional to the witness size alone.
Keywords
Garbled circuits Privacyfree Formula Informationtheoretic Authenticity1 Introduction
Garbled circuits (GC) are of paramount importance in cryptographic protocol theory, lending their power in building vital cryptographic primitives such as secure computation in two party [Yao86, LP07, LP11, LR15] and multiparty [BELO16, CKMZ14, MRZ15] settings, zeroknowledge protocols [JKO13, FNO15, ZRE15], verifiable outsourcing of computation [GGP10], and functional encryption [SS10] to name a few. Roughly speaking, a GC allows evaluation of a circuit in its encoded form on an encoded input, and produces an encoded output. Based on the application that a GC serves, the information required to decode the output may be provided to the evaluator, or retained by the GC constructor if she wishes to keep the function output private. GCs first made their appearance in Yao’s secure twoparty computation protocol [Yao86]. Following multiple optimizations [BMR90, MNPS04, NPS99, PSSW09, BHKR13, GLNP15, ZRE15, KMR14, KS08], GCs today are an indispensable primitive used in various secure protocols. Their theoretical importance and potential to serve as a cryptographic primitive has been recognized by Bellare et al. [BHR12b], who elevate GCs from a technique to be used in other protocols, to a cryptographic primitive. To facilitate abstraction as a primitive, the fundamental work of Bellare et al. [BHR12b] formalizes three notions of security that a garbling scheme may achieve; namely privacy, obliviousness, and authenticity, and shows separation between them. Informally, privacy aims to protect the privacy of encrypted inputs, while obliviousness hides both the input and the output when the output decoding information is withheld. However once the output decoding information is revealed, obliviousness does not necessarily imply privacy of inputs. Lastly, authenticity captures the unforgeability of the output of a garbled circuit evaluation. Different applications of GC often use different combinations of the above properties of garbling schemes. Majority of the schemes in the literature, including the classical scheme of Yao [Yao86], satisfy all the three aforementioned properties.
In the original scheme of Yao [Yao86], each wire in the GC was assigned two strings called “keys”, each corresponding to bit values zero and one on that wire. A garbled gate in the circuit was represented by ciphertexts encrypting its output wire keys using the corresponding input wire keys as per the gate’s truth table. A garbled gate for a gate with fanin two is thus constituted of four ciphertexts. An evaluator who knows one key for each input wire can only open one of the ciphertexts and therefore obtain only one key for the gate output wire, corresponding to the bit output of the gate. The final garbled circuit was a composition of the garbled gates, and its size was defined as the number of bits of ciphertext needed overall. The encoded input consisted of the keys on the input wires corresponding to the input bits. On receiving an encoded input, an evaluator evaluates the gates topologically, finding the output key for every gate, and stops when the keys for the output gates are obtained. The efficiency of a GC is determined by the computation cost (for the constructor and the evaluator) and its size. The latter directly impacts the communication complexity of protocols that employ the GC. Towards making secure computation practically efficient, tremendous efforts have been made in boosting the performance and efficiency of GCs. Some of the outstanding lines of work are highlighted below.
The work of the evaluator is significantly cut down via a technique called pointandpermute [BMR90, MNPS04]. Specifically, it cuts down the computation cost of an evaluator to one quarter, by introducing a pointing mechanism for every gate that imparts to the evaluator the knowledge of the particular ciphertext that she needs to decrypt in order to evaluate a garbled gate. Put differently, an evaluator simply decrypts the relevant ciphertext, skipping the remaining three for a twoinput gate. Next, the celebrated FreeXOR technique [KS08] shows a simple yet brilliant way of garbling and evaluating XOR gates with zero ciphertexts and no cryptographic operations. Garbled Row Reduction (GRR) techniques [NPS99, PSSW09, GLNP15, ZRE15] are devoted towards making concise garbled gates by fixing some of the ciphertexts to constant values (therefore removing the need to transmit them). Both freeXOR and GRR techniques are instrumental in reducing the size of GCs. To date, the best known garbling scheme can garble an XOR gate with zero ciphertexts, and an AND gate with just two ciphertexts using freeXOR and clever GRR techniques [ZRE15]. Precluding further improvement in this domain, the work of [ZRE15] shows optimality of two ciphertexts (or 2 \(\upmu \) bits; \(\mu \) is the computational security parameter) for garbling an AND gate. Specifically, the lower bound holds true for any scheme that is captured by their characterization of linear garbling techniques. Informally, a garbling scheme qualifies to be linear when the circuit constructor and evaluator need to perform linear operations apart from making random oracle calls. Several other techniques for improving the computation cost of the constructor and evaluator are reported in [BHR12b, BHKR13]. The efficiency study of GCs are further enriched and extended by considering a number of interesting relaxations that lead to further optimizations. In one, some of the security properties of GCs are compromised. In the others, specific classes of circuits are used for garbling. As we discuss below, these relaxed notions of GCs are not only interesting from an application perspective, but they also show significant savings in terms of both size and computation cost. Since our work makes further inroad in the study of the GCs exploiting some relaxations, we take a detailed look at the relevant literature in order to set the stage for our contribution.
PrivacyFree Garbling. In a breakthrough result, Jawurek et al. [JKO13] show that efficient zero knowledge (ZK) protocols for nonalgebraic languages can be constructed based on garbling schemes achieving only authenticity. Frederiksen et al. [FNO15] termed this class of garbling schemes as privacyfree. There has since been significant interest in garbled circuit based ZK protocols [CGM16, HMR15]. A privacyfree garbling scheme does not need to satisfy privacy nor obliviousness, instead it only requires authenticity and a notion of verifiability. Informally, verifiability ensures that even a malicious constructor cannot create a garbled circuit that can be evaluated to different garbled output values, for inputs which when applied to the circuit in clear give the same output. This property is needed to mitigate selective failure attacks that a malicious verifier could possibly mount in a ZK protocol. Though as of writing this paper, the primary motivation of work in privacyfree garbling is to plug into the GC based ZK protocols which can prove that a ‘prover’ knows x such that \(f(x)=1\) in zero knowledge efficiently for nonalgebraic f, verifiable outsourcing of computation provides another potential application for privacyfree GCs [BHR12b, BHR12a]. Motivated by the important usecases of privacyfree garbling schemes, [FNO15, ZRE15] study the efficiency of privacyfree garbling. Both works show that more efficient GCs than the most optimized Yao’s GC can be constructed by leveraging privacyfreeness. In terms of individual gate garbling computation and communication cost in the privacyfree setting, the Half Gates approach [ZRE15] which is currently the most efficient, requires one ciphertext per garbled AND gate, and no ciphertexts to garble XOR gates (with two calls to a hash function H per AND gate). Zahur et al. [ZRE15] also argue a lower bound of one ciphertext (or \(\mu \) bits; \(\mu \) is the computational security parameter) required to garble an AND gate for any linear scheme, and conclude optimality of their privacyfree construction.
Garbling for Formulaic Circuits. Formulaic circuits or formulas, informally, are circuits comprised solely of gates with fanout of one. Formulaic circuits have several usecases, such as Boolean formula satisfiability and membership in a language to name a few. By Cook’s theorem, there exists a Boolean formula of size polynomial in x that can verify an NPwitness of membership of x in language L. Formula satisfiability and language membership are well studied languages in the study of ZK protocols [CD97, KR06, Gro10, Lip12, GGPR13]. There are examples abound showing that treating Boolean formulas as a separate case from a general circuit may be apt [Kol05, KR06, KKKS15]. In the context of garbling, Kempka et al. [KKKS15] show how to garble a formulaic circuit with just four bits to represent each garbled gate. In contrast, even the best known garbling scheme for general circuits [ZRE15] needs \(\mathcal {O}(\mu )\) bits where \(\mu \) denotes computational security parameter. However, the garbling scheme of Kempka et al. [KKKS15] requires expensive publickey operations (which also disqualifies it from being a linear scheme). In yet another attempt, Kolesnikov [Kol05] shows how to garble a formula informationtheoretically under the umbrella of “Gate Evaluation Secret Sharing”, or GESS. The underlying garbling scheme achieves privacy (and though not explicitly proven or defined, authenticity) using only informationtheoretic operations and produces a GC of size zero. On the down side, the keys associated with the wires have their length dependent on the depth of the circuit. Specifically, for a circuit of depth d and a statistical security parameter \(\kappa \), a key on an input wire can be of size \(\mathcal {O}(d(\kappa + d))\). Thus the input circuit needs to be of low depth, apart from being formulaic. The blowup in key size also means that it does not meet the requirement of linearity as per [ZRE15]. Informationtheoretic schemes are attractive in practice due to their highly efficient computation cost.
The schemes reported in [FNO15, ZRE15, KKKS15] are neither informationtheoretic nor do they produce sizezero GCs. On the other hand, while the scheme of [Kol05] produces sizezero GCs, it is restricted to lowdepth formulaic circuits. This leaves open the question of achieving best of the both worlds and sets the stage for our contribution.
1.1 Our Contribution
In this work, we explore privacyfree garbling for formulas (of arbitrary depth). Our findings are presented below.
PrivacyFree Garbling for Formulas with SizeZero GCs and InformationTheoretic Security. The main contribution in this paper is to present a privacyfree garbling scheme for formulas of arbitrary depth that achieves informationtheoretic security, sizezero GCs, and circuitdepth independence for the keys. Unlike in the informationtheoretic scheme of [Kol05], the key length for the wires in our scheme is independent of the circuit depth. Unlike the schemes of [FNO15, ZRE15, KKKS15], ours is informationtheoretic and is extremely fast due to the usage of cheap XOR operations. A couple of interesting theoretical implications of our result are given below.

– Breaking the lower bound of [ZRE15]. The proven lower bound on the number of ciphertexts (bits) for garbling an AND gate is one (\(\mu \) bits; \(\mu \) is a security parameter) as per any linear garbling scheme. We show that our scheme is linear and yet requires no ciphertext at all to garble any gate. This breaks the lower bound shown in [ZRE15] for linear garbling schemes in the privacyfree setting.

– Achieving Adaptive Security for Free. A garbling scheme is said to achieve static security if its security properties are guaranteed as long as the choice of input to the circuit is not allowed to depend on the garbled circuit itself. A scheme is adaptively secure when there is no such restriction. Several applications, notably onetime programs [GKR08], secure outsourcing [GGP10], and ZK protocols cast in offlineonline setting [KR06] need adaptive security, where the input may depend on the garbled circuit. An interesting implication of sizezero GC is that, in the terminology of Bellare et al. [BHR12b, BHR12a] achieving static security for our construction is equivalent to achieving adaptive security^{1}.
Performance and security comparison of various privacyfree garbling schemes for formulaic circuits. Calls to H refers to the number of hash function invocations. \(\mu \) and \(\kappa \) refer to the computational and the statistical parameter respectively. d is circuit depth.
Garbling scheme  Cost per gate  Input key size  Security  

Size (in bits)  Computation (calls to H)  
XOR  AND  Constructor  Evaluator  
XOR  AND  XOR  AND  
Row reduction (GRR1) [FNO15]  \(\mu \)  \(\mu \)  0  3  0  1  \( \mu \)  Static computational 
freeXOR+GRR2 [FNO15]  0  \(2\mu \)  0  3  0  1  \(\mu \)  Static computational 
Half gates [ZRE15]  0  \(\mu \)  0  2  0  1  \(\mu \)  Static computational 
GESS [Kol05]  0  0  0  0  0  0  \( \mathcal {O}\left( d (\kappa +d)\right) \)  Adaptive unconditional 
This work  0  0  0  0  0  0  \(\varvec{\kappa }\)  Adaptive unconditional 
Technically, our scheme is very simple. We garble “upwards” from the output wire similar to the garbling schemes of [Kol05, KKKS15]. As with many secure computation protocols, at the heart of our scheme is our method for handling AND gates. Here, we provide a preview of how our scheme garbles an AND gate g. Denote the keys corresponding to bit b on the left and right incoming wires, and the gate output wire, as \(L^b\), \(R^b\), and \(K^b\) respectively. Our garbling scheme proceeds as follows. \(L^1\) and \(R^1\) are defined as additive shares of \(K^1\) so that \(L^1\oplus R^1 = K^1\). Therefore, an evaluator can derive \(K^1=L^1\oplus R^1\) only if she has both \(L^1\) and \(R^1\). We then copy the value of \(K^0\) to the zero keys of both incoming wires; \(L^0 = R^0 = K^0\). An evaluator hence has the output key corresponding to bit value zero if she has a zero key on either incoming wire. Note that in the case that the left incoming wire has value 0 flowing on it, and the right incoming wire 1, an evaluator will effectively possess both keys \(R^0\) and \(R^1\) on the right incoming wire; \(R^1\) obtained legitimately, and \(R^0\) as it is equal to \(L^0\). We show that our scheme tolerates the leakage of certain keys within the garbled circuit (both directly and indirectly due to the observation above), at no cost of security.
The above aspect of our scheme is of theoretical interest as we do not maintain the invariant that an evaluator is allowed to know only one key on each wire. Our scheme achieves authenticity despite conceding both keys to an evaluator on certain wires. In fact, this property is taken advantage of in order to gain much in terms of efficiency. To the best of our knowledge, ours is the first garbling scheme where this invariant is not maintained. A direct implication of violating this invariant is that the standard proof paradigms for garbled circuits (which assume the invariant to hold) are not applicable here. We exploit the fact that the only gate that is necessarily “uncompromised” is the circuit output gate, and reduce (with no security loss) the authenticity of the circuit output gate in the context of an arbitrarily large circuit, to the authenticity of a singlegate circuit.
Extensions for High FanIn Gates and General Circuits. To optimize our garbling scheme, we propose efficient garbling of \(\ell \)fanin gates. Apart from handling \(\ell \)fanin XOR and AND gates, we consider threshold gates and provide a new garbling scheme for them. A threshold gate with fanin \(\ell \) and threshold t with \( \ell > t\) outputs 1 when at least \(t+1\) inputs carry the bit 1, and zero otherwise. The threshold range \(1<t<\ell 1\) is of interest to us, as the gate otherwise degenerates into an \(\ell \)fanin AND or NAND gate, which can be handled more efficiently by our scheme. Boolean threshold gates are considered and motivated by Ball et al. [BMR16], who construct a scheme to garble them natively (generating \(\mathcal {O}\left( \log ^3{\ell } / \log \log \ell \right) \) ciphertexts) as opposed to garbling a composition of AND, XOR and NOT gates (yielding \(\mathcal {O}\left( \ell \log {\ell }\right) \) ciphertexts using the best known garbling scheme of [ZRE15]). Here, we present a method of garbling Boolean threshold gates (embedded in formulaic circuits) directly in privacyfree setting, producing no ciphertext, and using only informationtheoretic operations; specifically two independent instances of Shamir secret sharing [Sha79] per threshold gate.
The power of threshold gates is brought out in the fact that \(\textsf {NC}^0\subsetneq \textsf {AC}^0\subsetneq \textsf {TC}^0\), where circuits deciding languages in \(\textsf {TC}^0\) contain majority gates in addition to AND, OR and NOT. More practically, threshold gates implement natural expressions in the settings of zeroknowledge [JKO13] and attributebased credentials [KKL+16]. In the former case, threshold gates can implement statements of the form, “I have witnesses for at least t out of these \(\ell \) statements”, without revealing for which statements the prover has witnesses. In the case of attributebased credentials, one can prove that her attributes satisfy at least t criteria out of \(\ell \) in a policy, without revealing which ones, or how many exactly.
We show how to garble and evaluate \(\ell \) fanin XOR and AND gates with fewer XOR operations than are needed when we express such gates in terms of two fanin XOR and AND gates respectively. Specifically, garbling an \(\ell \)fanin XOR gate directly takes \(2\ell \) XOR operations, as opposed to \(3(\ell 1)\) XOR operations to garble \(\ell 1\) XOR gates individually. Evaluating an \(\ell \)fanin AND gate, in \(2^\ell 1\) cases out of \(2^\ell \), will take zero XOR operations. In the final case, the evaluation is done at the same cost as evaluating \(\ell 1\) individual AND gates.
For completeness, we describe how to adapt our scheme to garble generic circuits in the privacyfree setting in the full version of the paper. While the adaptation itself is not generally efficient for circuits that are not largely formulaic, it establishes the feasibility of violating the singlekey invariant when garbling any generic circuit, at least in the privacyfree setting. Our approach relies on cryptographic assumptions. For generic circuits that are not largely formulaic in nature, the construction of [FNO15, ZRE15] can be used. However, both the constructions rely on nonstandard assumptions. In [FNO15], it is a customized notion of key derivation function (KDF) where random oracle can be shown to be a secure KDF. In [ZRE15], the construction needs a circular correlation robust hash function. We take a look at the scheme of [GLNP15] which works under standard pseudorandom function (PRF) assumption and propose several optimizations in privacyfree setting in the full version of the paper.
Application to ZK Protocols. Lately, ZK protocols from garbled circuits has gained a lot of momentum [JKO13, FNO15, CGM16], with applications such as attributebased key exchange built on top of them [KKL+16]. We apply our garbling scheme to the domain of ZK protocols where the verification function of the language is representable by an almost formulaic circuit such as Boolean formula satisfiability. When we plug in our scheme in the paradigm of [JKO13] (with a slight tweak), we get ZK protocols that rely on standard assumption (PRG) in the OThybrid model and results in a better proof size for right choice of the security parameters than the known instantiations in the same paradigm. The best known GCbased ZK instantiation that results from the composition of the privacyfree construction of [ZRE15] and the ZK protocols of [JKO13] needs to rely on KDF and circular correlationrobust hash function.
Complexities of GC based ZK for Boolean formula satisfiability. The last two rows correspond to the protocols in offlineonline setting. The computational and statistical security parameters are \(\mu \) and \(\kappa \) respectively, and the size of the statement is m, while the size of the witness is n.
Protocol  Communication  Computation (input encoding and GC evaluation)  

Offline  Online  Offline  Online  
0  \(\mathcal {O}(\mu m + \kappa n)\)  0  \(\mathcal {O}(n) \text { PKE} + \mathcal {O}(m)\) hash invocations  
Our protocol  0  \( \varvec{\mathcal {O}(\kappa m + \kappa n)}\)  0  \(\varvec{\mathcal {O}(n)}\ \mathbf{PKE}\, \mathbf + \,\varvec{\mathcal {O}(m)}\ \mathbf{XORs}\) 
\(\mathcal {O}(\mu n)\)  \(\mathcal {O}(\mu m)\)  \(\mathcal {O}(n)\) PKE  \(\mathcal {O}(m)\) hash invocations  
Our protocol (offlineonline)  \(\mathcal {O}(\kappa m)\)  \( \varvec{\mathcal {O}(\mu n)}\)  \(\mathcal {O}(n)\) PKE  \(\varvec{\mathcal {O}(n)}\ \mathbf{PRG\ invocations}\, \mathbf + \, \varvec{\mathcal {O}(m)}\ \mathbf{XORs}\) 
1.2 Organization
In Sect. 2, we recall the necessary definitions. In Sect. 3, we present our privacyfree informationtheoretic garbling scheme for formulas. The full proof of security appears in Sect. 4. The definition of a privacyfree linear garbling scheme and the proof that our scheme qualifies to be a linear scheme is presented in Sect. 5. We present the optimizations for \(\ell \) fanin gates in Sect. 6. Our ZK protocol appears in Sect. 7 and the required functionalities are recalled in Appendix A.
2 Preliminaries
We use \(a\leftarrow \{0,1\}^n\) to denote that a is assigned a uniformly random nbit string, and \(a\leftarrow \mathsf {alg}(x)\) to denote that a is assigned the value output by randomized algorithm \(\mathsf {alg}\) when supplied the input x. We use \(b := a\) to denote that b is deterministically assigned the value a. The operator ab denotes the concatenation of a and b. PPT denotes probabilistic polynomial time. The value \(\kappa \) is used throughout this paper to denote the statistical security parameter, which is reflected in the key length of the instance of the garbling scheme. For all practical purposes, the value of \(\kappa \) can be taken as 40. We also use the terms “zero key” and “key corresponding to bit value zero” interchangeably. In what follows, we present the required definitions. We denote by [x], the set of elements \(\{1,\ldots ,x\}\).
2.1 Formulaic Circuits
Informally, a formula is a circuit which has a fanout of one for every gate. The implication of this is that a gate’s output wire can either be a circuit output wire, or an input wire for only one other gate. Formally, we use a modified version of the syntax for circuits in [BHR12b]. In GC based ZK protocols [JKO13], the verification circuit that needs to be garbled has one bit output. The output zero indicates that the proof is rejected, whereas the output one indicates that the proof is accepted.
Definition 1
A formulaic circuit is characterized by a tuple \(f=(n,q,A,B,G)\). The parameters n, q define the number of input, and noninput wires respectively. Wires are indexed from 1 to \(n+q\), with 1 to n being input wires, and \(n+q\) being the output wire. A gate is identified by its outgoing wire index. For a gate \(g\in [n+1,n+q]\), A(g) and B(g) are injective functions that map to left and right incoming wire indices respectively^{2}. We have \(B(g) \in [1,n+q1]\), and \(A(g)\in [0,n+q1]\); \(A(g)=0\) if g has fanin of 1. We also require that \(A(g)<B(g)<g\). Additionally, we require that for every gate g, if \(\exists g', A(g')=g\), then \(\not \exists g'', B(g'')=g\), and vice versa. This is to ensure that a gate can be an incoming wire to at most one other gate. The gate functionality G(g) is a map \(G(g): \{0,1\}^2\mapsto \{0,1\}\).
The terms “wire” and “gate” are used interchangeably throughout the paper, as a gate is identified by the index of its outgoing wire.
2.2 PrivacyFree Garbling Scheme

\(\mathsf {Gb}\): \((f,1^\kappa ) \mapsto (F,e,d)\). Given the function f to garble, the PPT algorithm \(\mathsf {Gb}\) outputs the garbled circuit F, encoding information e, and decoding information d.

\(\mathsf {En}\): \((x,e)\mapsto X\). Given clear function input x and valid encoding information e, the deterministic algorithm \(\mathsf {En}\) outputs garbled input X.

\(\mathsf {Ev}\): \((F,X)\mapsto Y\). Given a garbled circuit F and garbled input X for that circuit, \(\mathsf {Ev}\) deterministically outputs garbled output Y.

\(\mathsf {De}\): \((Y,d)\mapsto y\). Given garbled output Y, and valid decoding information d, \(\mathsf {De}\) deterministically outputs the clear function output y. If Y is not consistent with d, then \(\mathsf {De}\) outputs \(\bot \).
Definition 2
We consider only projective garbling schemes, where the encoding information e is of the form \(\left( \left( k^0_{i}, k^1_{i} \right) _{i\in [n]} \right) \). We refer the reader to [BHR12b] for a formal treatment and discussion.
In [BHR12b], definitions for the security notions of privacy, obliviousness, and authenticity are provided. However, as we are not interested in achieving privacy or obliviousness, we will only consider authenticity, and the notion of verifiability defined in [JKO13].
Definition 3
The definition for unconditional authenticity in Definition 3 is stronger than that of Bellare et al. [BHR12b], as it places no bound on the computational power of the adversary, and specifies that no such adversary should be able to perform better than randomly guessing a garbled output. Intuitively, schemes delivering such guarantees should rely only on information theoretic operations.
Finally, we also consider the property of verifiability introduced in [JKO13]. A privacyfree garbling scheme that can be plugged into their ZK protocol must have an additional ‘verification function’ \(\mathsf {Ve}: (F,f,e)\mapsto b\). The purpose of this function is to enable the Prover (who evaluates the garbled circuit) to verify that the garbled circuit that she was given was legitimately constructed, which is important in ensuring that the garbled output obtained upon evaluation doesn’t reveal any input bits, i.e. the Prover’s witness. This function outputs a single bit b, given a garbled circuit F, the underlying clear function f, and encoding information e. Informally, when \(\mathsf {Ve}\) outputs 1 for a certain F, f, e, then evaluating F on garbled input X corresponding to x such that \(f(x)=1\) will produce garbled output that matches the expected garbled output that can be extracted given F, e.
Definition 4
Note that like Definition 3 the above definition for verifiability is stronger than the original one in [JKO13], owing to the fact that our Definition 4 does not place a bound on the running time of the adversary, and does not permit even a negligible error for the \(\mathsf {Ext}\) algorithm.
An unconditionally secure privacyfree garbling scheme is defined by a tuple \(\mathcal {G}= (\mathsf {Gb}, \mathsf {En}, \mathsf {Ev}, \mathsf {De}, \mathsf {Ve})\), and satisfies the correctness, authenticity, and verifiability properties detailed in Definitions 2, 3, and 4.
3 PrivacyFree Garbling for Formulas
In this section, we define our construction for an unconditionally secure, verifiable privacyfree garbling scheme whose domain of circuits that can be garbled are formulaic. As per previous paradigms of garbling formulaic circuits in [Kol05, KKKS15], our garbling scheme proceeds upwards from the output wire.
3.1 Garbling Individual Gates
As per Yao’s paradigm of garbling circuits [Yao86], every wire in the circuit is assigned two \(\kappa \)bit string tokens, called “keys”; one each for bit values zero and one on that wire. For a gate g, let the output wire keys corresponding to zero and one be \(K^0\) and \(K^1\) respectively. The zero and one keys of the left incoming wire are \(L^0,L^1\) respectively, and those of the right incoming wire are \(R^0,R^1\) respectively. The bit value flowing on wire w is \(b_w\). A gate garbling routine is a randomized algorithm that accepts the gate keys \(K^0,K^1\) as arguments, and returns constructed keys \(L^0,L^1,R^0,R^1\) for the gate’s input wires. A gate evaluation routine deterministically returns a key \(K^{G_g\left( b_L,b_R\right) }\) where \(G_g\) is the gate functionality, upon being supplied with input wire keys \(L^{b_L},R^{b_R}\) (and possibly input bits \(b_L,b_R\)). In this section, we define gate garbling and evaluation routines for XOR, AND, and NOT gates.
Garbling XOR Gates. Garbling and evaluation of XOR gates is relatively simple. Our garbling scheme for XOR gates is similar to that of Kolesnikov’s [Kol05]. The wire keys produced by our garbling scheme maintain the same relation, namely \(L^{b_L}\oplus R^{b_R}=K^{b_L\oplus b_R}\). However, while the construction of [Kol05] requires four XOR operations to garble an XOR gate, our construction requires only three (tending to two in the lfanin setting), hence saving on computation cost.
First, \(K^0\) is split into two additive shares, assigned to \(L^1\) and \(R^1\) respectively. Therefore, \(L^1\oplus R^1 = K^0\). Next, \(K^1\) is masked with \(R^1\) and assigned to \(L^0\), and independently masked with \(L^1\) and assigned to \(R^0\). I.e. \(L^0:=K^1\oplus R^1\) and \(R^0:=K^1\oplus L^1\). This ensures that \(L^0\oplus R^1 = R^0\oplus L^1 = K^1\). Conveniently, \(L^0\oplus R^0 = L^1\oplus R^1 = K^0\).
The \(\mathsf {VeXOR}\) routine defined in Fig. 1 ensures that any combination of \(L^{b_L},R^{b_R}\) taken from \(L^0,L^1,R^0,R^1\) consistently evaluates to a \(K^{b_L\oplus b_R}\). This can be considered a “consistency check”, that a given tuple of keys \((L^0,L^1,R^0,R^1)\) maintain correctness of a garbled XOR gate.
Garbling AND Gates. Our construction for garbling AND gates is as simple as the one defined for XOR gates, however the proof of authenticity is not as straightforward. Interestingly, our scheme requires only one XOR operation to garble an AND gate, and at most one XOR operation to evaluate a garbled AND gate (in three out of four cases, evaluation is completely free). This makes garbling, evaluation, and verification of AND gates cheaper than that of XOR gates. Figure 2 formalizes the construction discussed in the Introduction.
Correctness of evaluating an AND gate as per this scheme is hence implicit. Note that if an evaluator has key \(L^0\), she will be missing \(L^1\), therefore making whatever key she has on the right incoming wire irrelevant; \(K^1\) remains completely hidden unless both \(L^1\) and \(R^1\) are available. A similar argument applies in case she has \(R^0\). Additionally, if she is able to derive \(K^1\) during evaluation, it implies that she started with \(L^1\) and \(R^1\), keeping \(K^0\) inaccessible for the lack of \(L^0\) and \(R^0\). Therefore, during an evaluation of the gate for the first time (when no gate \(g'>g\) has been evaluated yet), the evaluator will be unable to forge the output key that she is missing.
The routine \(\mathsf {VeAND}\) defined in Fig. 2 verifies that both incoming wires of a gate g have the same zero key, which will also be the zero key for g. The key corresponding to bit value one for wire g is defined such that it requires no consistency checking with respect to its incoming wires’ keys. This routine can hence be considered a “consistency check” that a given tuple of keys \((L^0,L^1,R^0,R^1)\) maintain correctness of a garbled AND gate.
Garbling NOT Gates. NOT gates can be garbled for free, like in [Kol05], by switching the association of the zero and one keys. If wire w has keys \(K_w^0,K_w^1\) corresponding to bit values zero and one respectively, and is input to a NOT gate g, the outgoing wire of g will have keys \(K_g^0=K_w^1\), \(K_g^1=K_w^0\) corresponding to values 0 and 1 respectively.
Note that none of the above schemes require ciphertexts to be published. Given that XOR, NOT, and AND gates can be garbled without ciphertexts, we therefore have a scheme to garble any formula without ciphertexts in the informationtheoretic, privacyfree setting. Note that unlike the GESS construction of [Kol05], in our scheme the key size on every wire is the same (\(\kappa \) bits), hence allowing the online communication complexity of encoding the input x to be dependent only on the size of the input x, and not circuit depth of f.
3.2 Garbling an Entire Circuit
We can further optimize our scheme to handle \(\ell \)fanin gates with better concrete efficiency. A detailed discussion is deferred to Sect. 6. The full proof of security appears in the next section.
4 Full Proof of Security
Theorem 1
The garbling scheme \(\mathcal {G}\) is an unconditionally secure privacyfree garbling scheme.
Correctness follows from the correctness of the garbling schemes for individual gates, discussed in Sect. 3.1. Verifiability follows from the consistencychecks of individual gates conducted in the \(\mathsf {Ve}\) algorithm, discussed in Sect. 3.1.
We now construct a proof of authenticity by reducing the authenticity of our scheme for a generic formulaic circuit to the authenticity of a single garbled gate. We start by showing that a garbling of a circuit consisting of one gate is authentic. We then show that forging an output for an ninput garbled formulaic circuit is exactly as hard as forging an output for the same circuit with one of its gates deleted, when garbled with the same randomness^{3}. The “hidden core” of our argument is that any compromise in the keys of a gate allowed by our scheme will not concede the gate’s child’s keys; the damage will only spread ‘upward’ to its incoming wires. We denote an adversary wishing to compromise the authenticity of a circuit with n inputs as \(\mathcal {A}_n\).
4.1 Single Gate Case
Lemma 1
The garbling scheme \(\mathcal {G}\) achieves unconditional authenticity as per Definition 3 when the domain is restricted to circuits f with input size \(n=2\).
Proving that an adversarial evaluator will be unable to forge an output key, given her requested input keys for any single gate will prove Lemma 1. This can be done by considering the garbling of AND and XOR gates, as per Figs. 2 and 1 respectively.
Let the keys on the left input wire be \(L^0,L^1\), right input wire be \(R^0,R^1\), and output wire be \(K^0,K^1\). The evaluator has input bits \(b_L\) and \(b_R\) on the left and right input wires respectively. Consequently, she is given the keys \(L^{b_L}\) and \(R^{b_R}\). We denote the adversarial evaluator as \(\mathcal {A}_2\), and show that she can not forge the key \(K^{\lnot b_K}\), where \(b_K\) is the output bit (either \(b_L\wedge b_R\) or \(b_L\oplus b_R\) as per the case).
AND Gate. To show authenticity of a garbled AND gate, we have to take into account that one of the input wires may compromise both keys. We analyze all four cases, based on the input bits. Keep in mind that \(L^0=R^0=K^0\), and \(L^1\oplus R^1 = K^1\).
 1.
\(b_L = b_R = 0\): In this case, \(\mathcal {A}_2\) has absolutely no information about \(K^1\), and can do no better than directly guessing it.
 2.
\(b_L = b_R = 1\): In this case, \(\mathcal {A}_2\) has absolutely no information about \(K^0\), and can do no better than directly guessing it.
 3.
\(b_L = 1\), \(b_R = 0\), \(b_K = b_L\wedge b_R = 0\): \(\mathcal {A}_2\) has \(K^0 = R^0\), as well as \(L^1\). Due to the key structure, she also obtains \(L^0 = R^0\). However, this information is useless, as the missing output key \(K^1 = L^1\oplus R^1\) requires knowledge of \(R^1\), which \(\mathcal {A}_2\) does not have.
 4.
\(b_L = 0\), \(b_R = 1\), \(b_K = b_L\wedge b_R = 0\): This case is identical to Case 3, as the left and right input wires are treated symmetrically.
Hence, we have shown on a casebycase basis that there exists no gate or input combination in which an adversary \(\mathcal {A}_2\) can do better than guessing the output key \(K^{\lnot b_K}\) that she is missing. Therefore, even a computationally unbounded adversary will be successful in forging a gate output with probability no greater than \(2^{\kappa }\), which proves Lemma 1.
4.2 Reduction Step
In this section, we perfectly reduce the authenticity of the garbling of an ninput formulaic circuit to that of an \((n1)\)input one. We denote the garbling (i.e. collection of keys on each wire, generated within \(\mathsf {Gb}\)) of a function f as \(\mathcal {K}= \left( K_i^0,K_i^1\right) _{i\in [1,n+q]}\).
Simply put, given that garbling an ninput formulaic circuit f produces \(\mathcal {K}\), an adversary loses no advantage by deleting an input gate g (gate fed only by circuit input wires), as Lemma 1 demonstrates that the keys on input wires A(g) and B(g) are completely useless in forging an unknown key for g. Hence, an adversary \(\mathcal {A}_n\) wishing to forge an output key as per \(\mathcal {K}\) will be as successful in forging an output key as per \(\mathcal {K}'\), a garbling of f with any input gate g deleted. An adversary for the latter procedure is denoted by \(\mathcal {A}_{n1}\). As there is no security loss in the reduction from \(\mathcal {A}_n\) to \(\mathcal {A}_{n1}\), we finally conclude that \(\mathcal {A}_n\) is as successful in forging an output as per \(\mathcal {K}\) as \(\mathcal {A}_2\) is in forging an output for a singlegate circuit. We know from Lemma 1 that no such computationally unbounded \(\mathcal {A}_2\) succeeds with probability greater than \(2^{\kappa }\).
Note that the reduction from \(\mathcal {A}_n\) to \(\mathcal {A}_{n1}\) detailed in Fig. 7 only works for formulaic circuits; deleting a gate with fanout of l will produce l different input wires, each with its own independent pair of keys. For \(\mathcal {A}_{n1}\) to ensure that the deleted gate’s keys are consistent with l different outgoing wires is undefined as per our garbling scheme.
Hence, there exists no computationally unbounded adversary that succeeds in forging an output for a formulaic circuit of any size when garbled by \(\mathcal {G}\), with probability greater than \(2^{\kappa }\). This proves Theorem 1.
4.3 Adaptive Security
We had mentioned in an earlier section that our scheme achieves adaptive security, or \(\mathsf {aut}1\) in the terminology of [BHR12a], as opposed to Definition 3 which they term static security, or \(\mathsf {aut}\).
We show this by illustrating that an adversary in the \(\mathsf {Aut1}_\mathcal {G}\) game (which forms the basis for the definition of adaptive security) is at no advantage in forging a garbled output, as compared to an adversary wishing to break the ‘static’ authenticity of our scheme as per Definition 3.
 1.
The Garble stage accepts from \(\mathcal {A}\) a circuit f, computes \((F,e,d)\leftarrow \mathsf {Gb}\left( 1^\kappa , f\right) \), and returns F to \(\mathcal {A}\).
 2.
The Input stage accepts from \(\mathcal {A}\) an input x, outputs \(\bot \) if it is not in the domain of f, otherwise returns \(X=\mathsf {En}(e,x)\) to \(\mathcal {A}\).
 3.
The Finalize stage accepts from \(\mathcal {A}\) a garbled output Y, and outputs 1 if \(Y \ne \mathsf {Ev}(F,X)\) while still being a valid garbled output \(\left( \text {i.e. }\mathsf {De}(Y,d) \ne \bot \right) \), and 0 otherwise.
The output of the experiment \(\mathsf {Aut1}_\mathcal {G}\left( \mathcal {A}, 1^\kappa \right) \) is the value output by the Finalize stage. An unconditionally adaptively authentic scheme will ensure that \(\Pr [\mathsf {Aut1}_\mathcal {G}\left( \mathcal {A}, 1^\kappa \right) = 1] \le 2^{\kappa }\) for all computationally unbounded \(\mathcal {A}\).
It is immediately evident that this extra concession granted to the adversary is useless in our setting, as our scheme does not produce any ciphertexts to represent a garbled circuit. An adversary \(\mathcal {A}'\) for the \(\mathsf {Aut1}_\mathcal {G}\) game can be given a null string to serve as the garbled circuit F of any function f that it may submit to the Garble stage. Therefore, \(\mathcal {A}'\) is forced to choose x completely independently of the garbling of f, effectively having to commit to f, x simultaneously. Hence, the task of \(\mathcal {A}'\) is equivalent to that of a static adversary \(\mathcal {A}\left( F,X\right) \) attempting to forge a garbled output as per Definition 3, which is proven not to succeed with probability better than \(2^{\kappa }\) by Theorem 1.
5 Breaking the Lower Bound of [ZRE15]
Zahur et al. [ZRE15] observe that most known garbling schemes fit into their characterization of linear garbling techniques. Informally, a linear garbling scheme proceeds gate by gate, at each gate generating a vector \(\mathbf S = \left( R_1,\cdots , R_r, Q_1,\cdots , Q_q\right) \), where \(R_i\)s are fresh random values, and \(Q_i\)s are obtained by independent calls to a random oracle (queries may depend on \(R_i\) values). The gate ciphertexts as well as the keys on each wire touching the gate are derived by linearly combining the values in \(\mathbf S \). The only nonlinearity allowed in their model is through the random oracle invocations, and permutation bits. All elements are \(\mu \) bits long, where \(\mu \) is the security parameter. They prove that an ideally secure garbling scheme that is linear as per their characterization must adhere to certain lower bounds in terms of bits of ciphertext produced when garbling a single atomic AND gate. An ideally secure garbling scheme ensures that no computationally unbounded adversary (with bounded calls to the random oracle) will have advantage better than \(\mathsf {poly}\left( \mu \right) /2^\mu \) in the security games of Bellare et al. [BHR12b]. The following are the bounds in the private and privacyfree settings respectively, as argued by Zahur et al. [ZRE15].
Lower Bound for Garbling Schemes Achieving Privacy. Linear garbling schemes are shown to require at least 2 \(\upmu \) bits of ciphertext to garble an AND gate privately. This bound was circumvented (but not contradicted) in the works of Ball et al. [BMR16] and Kempka et al. [KKS16] by a different treatment of permutation bits. Both schemes garble a single AND gate privately but noncomposably with just one ciphertext.
Lower Bound for PrivacyFree Garbling Schemes. Linear garbling schemes achieving authenticity are argued to require at least \(\mu \) bits of ciphertext to garble an AND gate. To the best of our knowledge, this bound is currently unchallenged. Our scheme is clearly linear (with no requirement of a random oracle) and yet garbles AND gates with no ciphertexts for any \(\mu \). Moreover, our scheme composes to garble a nontrivial class of circuits (i.e. formulas) with no ciphertexts.
5.1 Linear Garbling
Claim
([ZRE15]). Every linear ideally secure privacyfree garbling scheme for AND gates must have \(p\ge 1\). The garbled gate consists of at least \(\mu \) bits.

Number of ciphertexts \(p=0\), random values \(r=3\) and random oracle queries \(q=0\).

The same vector to obtain all zero keys, \(\mathbf L _0=\mathbf R _0=\mathbf K _0=[1\ 0\ 0]\)

Vectors to select independent input 1keys, \(\mathbf L _1 = [0\ 1\ 0],\ \mathbf R _1 = [0\ 0\ 1]\)

Output 1key vector as the sum of both input 1keys, \(\mathbf K _1 = \mathbf L _1+\mathbf R _1 = [0\ 1\ 1]\)

\(\left( C^i\right) _{i\in [p]}\) is an empty set as there are no ciphertexts required.
 Evaluation vectors \(\left( \mathbf V _{\alpha ,\beta }\right) _{\alpha ,\beta \in \{0,1\}}\) as follows:

When the evaluator has a zero key, output the zero key. So, \( V_{0,0}=V_{0,1}=[1\ 0],\ V_{1,0}=[0\ 1] \).

When both keys correspond to 1, output their sum. So \( V_{1,1}=[1\ 1] \).

5.2 Where the [ZRE15] Technique for Bounding PrivacyFree Garbling Fails
As illustrated above, our garbling scheme is clearly linear and achieves ideal security, but can still garble an AND gate in the privacyfree setting with no ciphertext. Our scheme is therefore a simple and direct counterexample to the argument of Zahur et al. [ZRE15] that a linear garbling scheme achieving ideal authenticity must produce at least \(\mu \) bits of ciphertext when garbling and AND gate.
In more detail, the ciphertext generating \(\mathbb {G}_{a,b}\) becomes a dimension 0 matrix. At the core of the linear garbling model is that the evaluator’s behaviour must depend only on the public \(\alpha ,\beta \) ‘signal’ bits, a property which is adhered to by our privacyfree scheme. In our setting, the signal bits convey the actual semantic values with which the keys are associated. However, the lower bound proof in [ZRE15] relies on the property that changing a ‘permute’ bit a/b which is defined when garbling, must also change the corresponding signal bit on which the evaluator acts. In our setting it is immediate that this assumption does not need to hold (as \(\alpha ,\beta \) are not tied to a, b), and our scheme takes advantage of this to break the claimed lower bound.
6 \(\ell \)fanin Gates
In this section, we describe how to handle \(\ell \)fanin gates efficiently. We first provide a new garbling scheme for threshold gates in Sect. 6.1, then describe how to save computation in garbling and evaluating \(\ell \)fanin XOR and AND gates respectively in Sects. 6.2 and 6.3.
6.1 Threshold Gates
Note that in order to correctly realise \(f_t\), our garbled gate evaluation scheme also needs to ensure that if (and only if) the evaluator has fewer than \((t+1)\) input values equal to 1, she should obtain \(K^0\). In this case, her \(\ell m\) zero keys \(K_i^0\) should be sufficient to reconstruct \(K^0\). Therefore, we define the \(K_i^0\)s to form an \((\ell (t+1))\)outofl sharing of \(K^0\), i.e. any \((\ell t)\) of the \(K_i^0\)s are sufficient to reconstruct \(K^0\). This also ensures that when \(m>t\) (i.e. \(f_t\left( x_1\cdots x_{\ell }\right) =1\)), she will be unable to reconstruct \(K^0\), as \((\ell m) < (\ell t)\), and she only has \((\ell m)\ K_i^0\)s.
Security. As discussed earlier, the unconditional authenticity of our threshold gate garbling in the single gate case is implied by the unconditional security of Shamir’s secret sharing [Sha79]. Observe that our threshold gate garbling scheme is also made possible by the violation of Yao’s invariant; the nature of threshold secret sharing is such that once the curve is reconstructed, the missing shares can be computed as well. Specifically, possessing the 1key on \(t+1\) input wires to an \(\ell \)fanin threshold gate computing \(f_t\), allows the reconstruction of the 1keys on the remaining \(\ell (t+1)\) input wires in addition to the gate output 1key. However, this information is useless in reconstructing the 0key of the gate, and hence has no impact on authenticity.
Extension to Circuits. It is easy to see that our threshold gate garbling gadget can be used to augment any privacyfree circuit garbling scheme \(\mathcal {G}_c\), at the cost of cryptographic assumptions no stronger than required by \(\mathcal {G}_c\). Every input key \(k_i^b\) to the threshold gate g can be mapped to a corresponding \(K_i^b\) output by \(\mathsf {GbTHR}\). During evaluation, \(K_i^b\) is made accessible given \(k_i^b\) by means of a ciphertext \(T[g]_{i,b}=H(g,i,k_i^b,b)\oplus K_i^b\), where H is the cryptographic primitive used to implement encryption in \(\mathcal {G}_c\), eg. PRF [GLNP15], KDF [FNO15], circular correlation robust hash [ZRE15].
While this gadget costs only \(2\ell \) ciphertexts to implement, we can additionally optimize this construction to cut down the ciphertexts by half. Intuitively, we can set the curves \(h_{K^1}\) and \(h_{K^0}\) pseudorandomly rather than uniformly at random. Specifically, the polynomial \(h_{K^1}\) in \(\mathsf {GbTHR}\) (Fig. 9) can be set by fixing \(t1\) points as \(h_{K^1}(i)=H(g,i,1,k_i^1)\), \(\forall i\in [t1]\), so that cipherexts are needed to convey only the remaining \(\ell t+1\) points. The same optimization applied to \(h_{K^0}\) yields that the total number of ciphertexts that need to be communicated for this gadget is now \(\ell +2\).
Performance. Our base construction for formulas is significantly more efficient than a naive approach, as representing threshold gates in a formula is highly nontrivial, with upper bounds of \(\mathcal {O}\left( \ell ^{3.04}\right) \) [Ser14]. As for general circuits, the construction of Ball et al. [BMR16] will cost \(\mathcal {O}\left( \log ^3{\ell } / \log \log {\ell }\right) \) more ciphertexts than our construction when embedded directly in a Boolean circuit (accounting for \(\ell \) ‘projection’ gates) despite relying on a circular correlation robust hash function.
6.2 Improved \(\ell \)fanin XOR
The routine to garble an individual XOR gate described in Fig. 1 performs 3 XOR operations in order to derive the incoming wire keys corresponding to a given pair of gate keys. Hence, in order to garble \(\ell \) XOR gates, repeating this routine \(\ell 1\) times will cost \(3(\ell 1)\) XOR operations.
Consider a subtree (with \(\ell \) leaves) consisting only of XOR gates, contained within the tree representation of a formulaic circuit. Note that there are \(\ell 1\) gates in this subtree. Without loss of generality, let the subtree be collapsed into a single gate accepting \(\ell \) incoming wires. For convenience, the incoming wires (leaves of the subtree) are assumed to be numbered consecutively from w to \(w+\ell 1\), with the final XOR gate itself (root of the subtree) being numbered g such that the internal nodes of the subtree are numbered consecutively from \(w+\ell \) to \(g1\). As usual, the keys on wire i are denoted \(K_i^0,K_i^1\), corresponding to bit values 0 and 1 respectively.
The routine detailed in Fig. 11 produces keys that adhere to the exact same distribution as the result of invoking the original \(\mathsf {GbXOR}\) routine \(\ell 1\) times in an appropriate sequence. The evaluation and verification algorithms for garbled XOR gates (Fig. 1) are directly compatible. A separate proof of authenticity is therefore not required.
As for the computation cost, the new \(\mathsf {GbXOR}\) routine of Fig. 11 requires one XOR operation to find the gate offset, \(\ell 1\) XOR operations to additively secret share one of the gate keys, and \(\ell \) XOR operations to offset each of the 1keys on the incoming wires, bringing the total to \(2\ell \). This beats the \(3(\ell 1)\) cost of using multiple instances of the original routine when \(\ell >3\).
6.3 Improved \(\ell \)fanin AND
The cost of garbling an AND gate is already minimal, at a single XOR operation per gate. Instead, we focus on optimizing the evaluation of AND gates.
Similar to the \(\ell \)fanin case of XOR gates, consider a subtree consisting solely of AND gates, contained in a formulaic circuit. The gates in the subtree are numbered as described in the \(\ell \)fanin XOR section; w to \(w+\ell 1\) for the inputs, \(w+\ell \) to g for the intermediate gates, and g for the root of the subtree. The subtree is collapsed into a single \(\ell \)fanin AND gate. We follow the standard naming convention for wire keys and bit values.
The only case where XOR operations are performed in the \(\mathsf {EvAND}\) routine in Fig. 12 is when all input bit values are 1; i.e. \(b_i=1, \forall i\in [w,w+\ell 1]\). Even so, only \(\ell 1\) XOR operations are performed, which is the same as when \(\ell 1\) instances of the original \(\mathsf {EvAND}\) routine from Fig. 2 are executed. However, if there exists at least one incoming wire carrying bit value 0, i.e. \(\exists j\in [w,w+\ell 1], b_j=0\), no XOR operations are performed to evaluate the entire \(\ell \)fanin AND gate. This occurs for \(2^\ell 1\) out of the \(2^\ell \) input cases. The number of XOR operations saved will be equal to the number of gates in the (now collapsed) subtree that evaluate to bit value 1. As there is no modification to the garbling routine, there is no additional proof of authenticity required here.
7 OnlineEfficient ZeroKnowledge
Privacyfree GCs are motivated by applications to ZK protocols. Specifically, when plugged into the ZK protocol of [JKO13], a privacyfree GC yields an efficient method to prove nonalgebraic statements. In this section, we show that when instantiated with our scheme, we obtain a ZK protocol for Boolean formula satisfiability (SAT) statements in the onlineoffline paradigm, where the communication in the online phase is linearly proportional only to the size of the witness.
A SAT verification function can be realised by a formula. A witness bit may occur a number of times in the formula. While realizing the formula as a formulaic circuit, each occurrence of a witness bit in the formula is treated as a separate input wire. Denoting the \(i^\text {th}\) witness bit of the formula to be represented by input wires \(\mathbf I _i=\{i_0,i_1,\cdots i_l\}\) in the formulaic circuit, in order for the formula to correctly check a witness \(w=\left( w_i\right) _{i\in [n]}\) we must ensure that \(\forall j\in \mathbf I _i\), \(x_j=w_i\). We stress that the cumulative size of the \(\mathbf I _i\)s may be much bigger than the witness length. We denote the size of \(\cup _{i}^n \mathbf I _i\) as \(n'\). We denote the size of the (formulaic) circuit by m and the size of the witness w as n. So we have \(n \le n' \le m\).
Computation Cost. The offline phase will require \(\mathcal {O}\left( n\right) \) PRG invocations by \(\mathcal {V}\), and \(\mathcal {O}\left( n\right) \) public key operations (OTs) by both \(\mathcal {P}\) and \(\mathcal {V}\). The online phase will require \(\mathcal {O}\left( n\right) \) PRG invocations by \(\mathcal {P}\) to unmask the input keys, \(\mathcal {O}\left( m\right) \) XORs to evaluate the GC, and another \(\mathcal {O}\left( n\right) \) public key operations to verify that the GC is valid. \(\mathcal {V}\) need only perform \(\mathcal {O}(n)\) XOR operations in the online phase, and open one commitment.
Communication Cost. The preprocessing phase will require \(\mathcal {O}\left( m\right) \), and the online phase will require \(\mathcal {O}\left( n\right) \) bits of communication. The ZK protocol when instantiated with a statically secure garbling scheme can not possibly yield an online phase which is independent of the size of the statement. This is because the garbled circuit will necessarily have to be sent after the evaluator commits to her input.
Our ZK Protocol Without Offline Phase. Our protocol in Fig. 13 in its monolithic form can be obtained by running the OTs in an online fashion where the inputs of \(\mathcal {V}\) are the seeds of the PRG and the inputs of \(\mathcal {P}\) are the witness bits directly. We compare this protocol with that of [JKO13] composed with [ZRE15]. While our protocol offers the qualitative advantage of relying on weaker primitives (PRGs), we also note that since our garbling scheme is instantiated with a statistical security parameter, it can offer a better proof size.
Footnotes
 1.
Specifically, our scheme achieves \(\mathsf {aut1}\) security in the terminology of [BHR12a].
 2.
This is a departure from the [BHR12b] definition for conventional circuits. The injection property required here ensures that every gate in the circuit has a fanout of one.
 3.
I.e. the random tapes used in the garbling of f and \(f'\) are identical.
Supplementary material
References
 [BELO16]BenEfraim, A., Lindell, Y., Omri, E.: Optimizing semihonest secure multiparty computation for the internet. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 578–590. ACM, New York (2016)Google Scholar
 [BHKR13]Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixedkey blockcipher. In: IEEE Symposium on Security and Privacy (SP) 2013, pp. 478–492. IEEE (2013)Google Scholar
 [BHR12a]Bellare, M., Hoang, V.T., Rogaway, P.: Adaptively secure garbling with applications to onetime programs and secure outsourcing. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 134–153. Springer, Heidelberg (2012). doi: 10.1007/9783642349614_10 CrossRefGoogle Scholar
 [BHR12b]Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: ACM CCS 2012, pp. 784–796. ACM (2012)Google Scholar
 [BMR90]Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols. In: Proceedings of the TwentySecond Annual ACM Symposium on Theory of Computing (STOC 1990), pp. 503–513. ACM (1990)Google Scholar
 [BMR16]Ball, M., Malkin, T., Rosulek, M.: Garbling gadgets for Boolean and arithmetic circuits. In: ACM CCS 2016, pp. 565–577. ACM (2016)Google Scholar
 [CD97]Cramer, R., Damgård, I.: Linear zeroknowledge  a note on efficient zeroknowledge proofs and arguments. In: Proceedings of the TwentyNinth Annual ACM Symposium on the Theory of Computing, El Paso, TX, USA, 4–6 May 1997, pp. 436–445 (1997)Google Scholar
 [CGM16]Chase, M., Ganesh, C., Mohassel, P.: Efficient zeroknowledge proof of algebraic and nonalgebraic statements with applications to privacy preserving credentials. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 499–530. Springer, Heidelberg (2016). doi: 10.1007/9783662530153_18 CrossRefGoogle Scholar
 [CKMZ14]Choi, S.G., Katz, J., Malozemoff, A.J., Zikas, V.: Efficient threeparty computation from cutandchoose. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 513–530. Springer, Heidelberg (2014). doi: 10.1007/9783662443811_29 CrossRefGoogle Scholar
 [EGL85]Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
 [FNO15]Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacyfree garbled circuits with applications to efficient zeroknowledge. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 191–219. Springer, Heidelberg (2015). doi: 10.1007/9783662468036_7 Google Scholar
 [GGP10]Gennaro, R., Gentry, C., Parno, B.: Noninteractive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010). doi: 10.1007/9783642146237_25 CrossRefGoogle Scholar
 [GGPR13]Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). doi: 10.1007/9783642383489_37 CrossRefGoogle Scholar
 [GKR08]Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Onetime programs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39–56. Springer, Heidelberg (2008). doi: 10.1007/9783540851745_3 CrossRefGoogle Scholar
 [GLNP15]Gueron, S., Lindell, Y., Nof, A., Pinkas, B.: Fast garbling of circuits under standard assumptions. In: ACM CCS 2015, pp. 567–578. ACM (2015)Google Scholar
 [GOM16]Giacomelli, I., Orlandi, C., Madsen, J.: ZKBoo: faster zeroknowledge for Boolean circuits. In: 25th USENIX Security Symposium (USENIX Security 2016). USENIX Association (2016)Google Scholar
 [Gro10]Groth, J.: Short pairingbased noninteractive zeroknowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). doi: 10.1007/9783642173738_19 CrossRefGoogle Scholar
 [HMR15]Hu, Z., Mohassel, P., Rosulek, M.: Efficient zeroknowledge proofs of nonalgebraic statements with sublinear amortized cost. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 150–169. Springer, Heidelberg (2015). doi: 10.1007/9783662480007_8 CrossRefGoogle Scholar
 [JKO13]Jawurek, M., Kerschbaum, F., Orlandi, C.: Zeroknowledge using garbled circuits: how to prove nonalgebraic statements efficiently. In: ACM CCS 2013, pp. 955–966. ACM (2013)Google Scholar
 [KKKS15]Kempka, C., Kikuchi, R., Kiyoshima, S., Suzuki, K.: Garbling scheme for formulas with constant size of garbled gates. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 758–782. Springer, Heidelberg (2015). doi: 10.1007/9783662487976_31 CrossRefGoogle Scholar
 [KKL+16]Kolesnikov, V., Krawczyk, H., Lindell, Y., Malozemoff, A.J., Rabin, T.: Attributebased key exchange with general policies. In: Proceedings of 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 1451–1463 (2016)Google Scholar
 [KKS16]Kempka, C., Kikuchi, R., Suzuki, K.: How to circumvent the twociphertext lower bound for linear garbling schemes. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 967–997. Springer, Heidelberg (2016). doi: 10.1007/9783662538906_32 CrossRefGoogle Scholar
 [KMR14]Kolesnikov, V., Mohassel, P., Rosulek, M.: FleXOR: flexible garbling for XOR gates that beats freeXOR. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 440–457. Springer, Heidelberg (2014). doi: 10.1007/9783662443811_25 CrossRefGoogle Scholar
 [Kol05]Kolesnikov, V.: Gate evaluation secret sharing and secure oneround twoparty computation. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 136–155. Springer, Heidelberg (2005). doi: 10.1007/11593447_8 CrossRefGoogle Scholar
 [KR06]Kalai, Y.T., Raz, R.: Succinct noninteractive zeroknowledge proofs with preprocessing for LOGSNP. In: Proceedings of 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2006), Berkeley, California, USA, 21–24 October 2006, pp. 355–366 (2006)Google Scholar
 [KS08]Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008). doi: 10.1007/9783540705833_40 CrossRefGoogle Scholar
 [Lin11]Lindell, Y.: Highlyefficient universallycomposable commitments based on the DDH assumption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 446–466. Springer, Heidelberg (2011). doi: 10.1007/9783642204654_25 CrossRefGoogle Scholar
 [Lip12]Lipmaa, H.: Progressionfree sets and sublinear pairingbased noninteractive zeroknowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). doi: 10.1007/9783642289149_10 CrossRefGoogle Scholar
 [LP07]Lindell, Y., Pinkas, B.: An efficient protocol for secure twoparty computation in the presence of malicious adversaries. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 52–78. Springer, Heidelberg (2007). doi: 10.1007/9783540725404_4 CrossRefGoogle Scholar
 [LP11]Lindell, Y., Pinkas, B.: Secure twoparty computation via cutandchoose oblivious transfer. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 329–346. Springer, Heidelberg (2011). doi: 10.1007/9783642195716_20 CrossRefGoogle Scholar
 [LR15]Lindell, Y., Riva, B.: Blazing fast 2PC in the offline/online setting with security for malicious adversaries. In: ACM CCS 2015, pp. 579–590. ACM (2015)Google Scholar
 [MNPS04]Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplaysecure twoparty computation system. In: USENIX Security Symposium 2004, vol. 4 (2004)Google Scholar
 [MRZ15]Mohassel, P., Rosulek, M., Zhang, Y.: Fast and secure threeparty computation: the garbled circuit approach. In: ACM CCS 2015, pp. 591–602. ACM (2015)Google Scholar
 [NPS99]Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: Proceedings of the 1st ACM Conference on Electronic Commerce, pp. 129–139. ACM (1999)Google Scholar
 [PSSW09]Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure twoparty computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009). doi: 10.1007/9783642103667_15 CrossRefGoogle Scholar
 [PVW08]Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). doi: 10.1007/9783540851745_31 CrossRefGoogle Scholar
 [Ser14]Sergeev, I.S.: Upper bounds for the formula size of symmetric Boolean functions. Russ. Math. 58(5), 30–42 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
 [Sha79]Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)MathSciNetCrossRefzbMATHGoogle Scholar
 [SS10]Sahai, A., Seyalioglu, H.: Worryfree encryption: functional encryption with public keys. In: ACM CCS 2010, pp. 463–472. ACM (2010)Google Scholar
 [Yao86]Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: 27th Annual Symposium on Foundations of Computer Science, pp. 162–167. IEEE (1986)Google Scholar
 [ZRE15]Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015). doi: 10.1007/9783662468036_8 Google Scholar