Yao's Garbled Circuit is a cryptographic protocol that enables two-party secure computation in which two mistrusting parties can jointly evaluate a function over their private inputs without the presence of a trusted third party.
The invention of garbled circuit was credited to Andrew Yao, as Yao introduced the idea in [FOCS'86]. The first written document about thus technique was by Goldreich, Micali and Wigderson in [STOC'87].
Yao's protocol solving Yao's Millionaires' Problem [IEEE'82] was the beginning example of secure computation, yet it's not directly relate to garbled circuit.
A Boolean circuit is a mathematical model for combinational digital logic circuits. Boolean circuits are defined in terms of the logic gates they contain. For example, a circuit might contain binary AND and OR gates and unary NOT gates, or be entirely described by binary NAND gates. Each gate corresponds to some Boolean function that takes a fixed number of bits as input and outputs a single bit.
Example of a boolean circuit. Image is taken from MPC Wiki
In cryptography, an oblivious transfer (OT) protocol is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece (if any) has been transferred.
There are three types of OT protocol: 1-2 oblivious transfer, 1-out-of-n oblivious transfer and k-out-of-n oblivious transfer.
Let's take an example with 1-2 oblivious transfer type: Suppose a sender has two messages and , the receiver has a bit . With oblivious transfer protocol, they can ensure two things:
An illustration of OT protocol.
The oblivious transfer can be built using asymmetric cryptography like RSA cryptosystem, Diffie-Hellman Key Exchange,…
There are two roles in Yao's Garbled Circuit protocol:
To make the explanation easier, we will use only AND gate as our boolean circuits with symbol ; Ginny will be garbler and Eve will be evaluator. We also note that , are Ginny's secret message and Eve's secret message.
Ginny picks four random strings called labels , , and . and correspond to the event that or , respectively; and , correspond that or .
Ginny then uses every pair of labels corresponding to a possible scenario to encrypt the output corresponding to that scenario. The two relevant labels are put through a key derivation function to derive a symmetric encryption key, and that key is used to encrypt
The garbled gate consists of the four resulting ciphertexts, in a random order.
The garbling of an AND gate.
After received garbled gate, Eve needs to decrypt the ciphertext which corresponds to the real values and , encrypted with . To do this, Eve need two values and .
When Eve has two values and , Eve can try to decrypt all ciphertexts in garbled gate. If the decryption is success, Eve will send the result to Ginny and both of them will know , without knowing each other secret.
From only AND gate, we can extend to a much more complicated circuit: Ginny will garble the entire circuit. For gates whose output serves as input to other gates, instead of encrypting the output bit, she will encrypt a label corresponding to the output bit: or . That label will then be used to derive a key for the decryption of ciphertexts in other gates.
An example of complicated garbled circuit. Image is taken from MPC Wiki
The Point-and-permute technique saves Eve from trying to decrypt all four ciphertexts.
In this optimization, garbler generates two select bits and in addition to label and . For , the select bit is equal to , where is a randomly chosen bit. By this way, the select bit is different for the two possible underlying values , but does not reveal anything about . The select bit of each wire is retrieved along with the wire label.
When evaluating a gate, evaluator uses the two select bits corresponding to the two input wires to determine which ciphertext in gate to decrypt. More precisely, garbler always places in the .
Garbled AND gate by using point-and-permute optimization.
This reduces the evaluation load by 4 times, and also does not reveal anything about the output value because the select bits are randomly generated. Because of it's productive, all optimizations below are combined with Point-and-permute optimization.
Note that with this one, we can use simpler and more efficient encryption schemes such as the one-time pad.
The free-XOR technique enables the computation of XOR gates for free, as the name suggests. It does so by fixing the relationship between labels and . When garbling the circuit, garbler picks a random string and a random labels , then set .
If gate is an XOR gate and takes wires and as input, the new label for wire can be computed simply by taking the XOR of labels and . We can calculate and . This works because
Garbled XOR gate by using free-XOR optimization. We won't need to use key derivation function.
Remember that when use this optimization, we still need to garble AND gates.
This optimization reduces the size of garbled tables from 4 rows to 3 rows. It can be achieved by choosing proper label in such a way that the corresponding ciphertext is 0. Note that the eliminated ciphertext will always be the top one, as determined by the select bits.
Garbled XOR gate by using GRR3 + free-XOR optimization.
This optimization can combine perfectly with the free-XOR to reduce size and reduce times to calls to key derivarion function per gate, therefore increase performance of the protocol.
This second form of garbled row reduction allows the elimination of two ciphertexts instead of one. In GRR2, instead of recovering the output label by decrypting the ciphertext, the evaluator uses polynomial interpolation over a quadratic curve.
In this optimization, the output label is encoded as the -intercept. One point on the polynomial is revealed in the usual way - as , wich the select bits determining . Two more (the ones at and ) are included in the garbled gate. With three points, Eve can interpolate a unique polynomial and use it to calculate output label at .
Because there are two possible output labels, there are two different quadratic polynomials to consider. They are designed to intersect exactly in the two points included in the garbled gate.
GRR2 Garbled Gate Values for an AND gate
Note that GRR2 uses a finite field, not in real field.
FleXOR is a combination of the free-XOR technique with AND gate optimizations by translating wire label to have a constant distance on the fly. Depending on whether this translation is needed, XOR garbled gates contain between 0 and 2 ciphertexts.
This technique only requires two ciphertexts per garbled AND gate and is compatible with the free-XOR optimization. They use the fact that for any .
In the half gates technique, is determined to be the random value used to compute the select bit . is chosen by the garbler, and is revealed to the evaluator.
Because of knowing , garbler can efficiently garble the "garbler half gate" using a single ciphertext. Using the fact that the evaluator knows , and can this behave differently based on that value, the garbler can similarly efficiently garble the "evaluator half gate" using a singler ciphertext. Taking the XOR of these two AND operations is free, so only two ciphertexts are required.
Optimizations of garbled circuits, table from "Two halves make a whole - reducing data transfer in garbled circuits using half gates" - Zahur et al.
The implementation of this protocol can be found at https://github.com/Giapppp/toy-garbled-circuit.
[FOCS'86]. Yao, Andrew Chi-Chih (1986). "How to generate and exchange secrets". 27th Annual Symposium on Foundations of Computer Science (SFCS 1986). pp. 162–167.
[STOC'87]. Goldreich, Oded; Micali, Silvio; Wigderson, Avi (1987). "How to play ANY mental game". Proceedings of the nineteenth annual ACM conference on Theory of computing - STOC '87. pp. 218–229.
[IEEE'82]. A. C. Yao, Protocols for secure computations (Extended Abstract), 23rd annual
symposium on foundations of computer science (Chicago, Ill., 1982), 160–164, IEEE, New York, 1982.
[KS08]. Vladimir Kolesnikov and Thomas Schneider. Improved garbled circuit: Free XOR gates and applications. In Luca Aceto, Ivan Damgård, Leslie Ann Goldberg, Magnús M. Halldórsson, Anna Ingólfsdóttir, and Igor Walukiewicz, editors, ICALP 2008, Part II, volume 5126 of LNCS, pages 486–498. Springer,Heidelberg, July 2008.
[NPS99]. Moni Naor, Benny Pinkas, and Reuban Sumner. Privacy preserving auctions and mechanism design. In Proceedings of the 1st ACM Conference on Electronic Commerce, EC ’99, pages 129–139, New York, NY, USA, 1999. ACM.
[PSSW09]. Benny Pinkas, Thomas Schneider, Nigel P. Smart, and Stephen C. Williams. Secure two-party computation is practical. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages 250–267. Springer, Heidelberg, December 2009.
[KMR14]. Vladimir Kolesnikov, Payman Mohassel, and Mike Rosulek. FleXOR: Flexible garbling for XOR gates that beats free-XOR. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II, volume 8617 of LNCS, pages 440–457. Springer, Heidelberg, August 2014.
[ZRE15]. Samee Zahur, Mike Rosulek, and David Evans. Two halves make a whole - reducing data transfer in garbled circuits using half gates. In Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS, pages 220–250. Springer, Heidelberg, April 2015.