In the last few years garbled circuits (GC) have been elevated from being merely a component in Yao's protocol for secure two-party computation to a cryptographic primitive in its own right, following the growing number of applications that use GCs. Zero-Knowledge (ZK) protocols are one of these examples: in a recent paper Jawurek et al. [JKO13] showed that GCs can be used to construct efficient ZK proofs for unstructured languages. In this work we show that due to a property of this particular scenario (i.e., one of the parties knows all the secret input bits, and therefore all intermediate values in the computation), we can construct more efficient garbling schemes specifically tailored to this goal. As a highlight of our result, in one of our constructions only one ciphertext per gate needs to be communicated and XOR gates never require any cryptographic operations. In addition to making a step forward towards more practical ZK, we believe that our contribution is also interesting from a conceptual point of view: in the terminology of Bellare et al.
Introduction
A garbled circuit (GC) is a cryptographic tool that allows one to evaluate "encrypted" circuits on "encrypted" inputs. Garbled circuits were introduced by Yao in the 80's in the context of secure two-party computation [Yao86] , and they owe their name to Beaver et al. [BMR90] .
Since then, garbled circuits have been used in a number of different contexts such as two- and multi-party secure computation [Yao86, GMW87], verifiable outsourcing of computation [GGP10], key-dependent message security [BHHI10], efficient zero-knowledge [JKO13], functional encryption [SS10] etc. However, it is not until recently that a formal treatment of garbled circuits appeared in the literature. The first proof of security of Yao's celebrated protocol for two-party computation, to the best of our knowledge, only appeared a few years ago in [LP09], and it is not until [BHR12] that garbled circuits were elevated from a technique to be used in other protocols to a cryptographic primitive in their own right.
Different applications of GC often use different properties of the garbling scheme: In some applications we need GCs to protect the privacy of encrypted inputs, in others we need GCs to hide partial information about the encrypted function, while in yet others we ask GCs to ensure that even a malicious evaluator cannot tamper with the output of the GC. In their foundational work, Bellare et al. [BHR12] formally defined the different security properties that different applications require from GCs, showed separations between them, and showed that the original garbling scheme proposed by Yao satisfies all of the above properties. This raises a natural question:
Can we construct garbling schemes tailored to specific applications, which are more efficient than Yao's original construction?
In this work we give the first such example, namely a garbling scheme which only satisfies authenticity (in the terminology of Bellare et al.) but not privacy. One of the main properties of Yao's garbling scheme is that the circuit evaluator cannot learn the values associated to the internal wires during the evaluation of the garbled circuit. This implies that the evaluation of each garbled gate must be oblivious (it must be the same for each input combination). In this work we give up on this property and construct a scheme where the evaluator learns the values associated with each wire in the circuit, and explicitly uses this knowledge to perform non-oblivious garbled gate evaluation. This allows us to significantly reduce the size of a garbled circuit and the computational overhead for the circuit constructor. We show that this does not have any impact on authenticity, i.e., the only thing that a malicious evaluator can do with a garbled input and a garbled circuit is to use them in the intended way, that is, to evaluate the garbled circuit on the garbled input and produce the (correct) garbled output.
Our new garbling schemes can be immediately plugged into the efficient zero-knowledge protocol for non-algebraic languages of Jawurek et al. [JKO13], and therefore we believe that our results have both practical and conceptual value. It is an interesting future direction to investigate which other applications could benefit significantly from our new garbling scheme (natural candidates include verifiable outsourcing of computation, functional encryption etc.).
Other Garbling Schemes
Since the introduction of GCs by Yao, a number of optimizations have been proposed to increase their efficiency. Some of the most significant optimizations include point-and-permute [Rog91, MNPS04] (which reduces the work of the circuit evaluator from 4 to 1 decryption per garbled gate), the row-reduction technique [NPS99, PSSW09] (which reduces the number of ciphertexts per garbled gate by fixing some of them to be constant values), and the free-XOR and fleXOR techniques [KS08, KMR14] (which allow garbling/evaluating XOR gates using no/fewer cryptographic operations). In [BHR12, BHKR13] efficient garbling schemes are presented which only use one call to a block cipher for each row in a garbled gate. Information-theoretic garbling schemes can be constructed efficiently [IK02, Kol05, KK12] for low-depth circuits. All these techniques lead to very efficient garbling schemes that are used today in practical implementations of secure two-party computation. Our optimization is conceptually different from all of the above, as our schemes are not "general purpose" since they do not satisfy privacy.
LEGO GCs [NO09, FJN+13] are different from Yao GCs as they allow one to generate garbled gates independently of each other and then, at a later time, to solder them together into a functional garbled circuit. LEGO GCs can be used for secure two-party computation in the presence of active corruptions.
The size of garbled input in Yao-style GCs grows linearly in the security parameter. In [AIKW13] a garbling scheme where the garbled input grows only by a constant factor is presented at the price of using public-key primitives (traditional GCs only use symmetric key operations). Traditional GCs only work on Boolean circuits, while [AIK11] presents a way of garbling arithmetic circuits directly.
All previously discussed garbling schemes are one-time, meaning that no security is guaranteed against an adversary that receives the garbling of two different inputs for the same garbled circuit. A recent line of work considers reusable garbled circuits [GKP+13] and their (asymptotic) overhead [GGH+13]. While the concept of reusable garbled circuits has numerous applications in establishing important theoretical feasibility results, their use of heavy cryptographic machinery makes them (still) far from being practical. Finally, there exist garbling schemes tailored for other models of computation [KW13] including RAM programs [LO13, GHL+14].
Independently from us Ishai and Wee [IW14] defined the notion of partial garbling: like us, they noticed that in some applications one of the parties controls all the inputs and therefore it is possible to construct garbling schemes which are more efficient than traditional ones. However they develop this observation in a very different direction compared to us: the two works use different abstraction models (garbling schemes vs. randomized encodings), are useful for different tasks, and use completely different techniques.
Finally, Zahur et al. [ZRE15] extended our work to the two-party case, demonstrating that it is possible to combine (in a very clever way) two privacy-free garbling schemes, where each party knows all of the inputs for one of the two garblings, into a garbling scheme which guarantees privacy and is more efficient than existing ones in terms of communication complexity.
Furthermore, we present a formal generalization of garbling schemes to gates with arbitrary fan-in and show how to construct each of our privacy-free schemes in such a setting. It turns out that all types of our privacy-free garbled gates yield even more significant improvements in computation (and in some settings also communication) over general garbled gates when the fan-in is larger than two.
Overview of Our Schemes
In a nutshell, our garbling schemes work as follows: Consider a NAND gate, with associated input keys L
Of course, it might be that at evaluation time the evaluator holds L_1 instead of L_0, and thus we provide him with an "advice" to compute the correct output key in this case. It turns out that it suffices to reveal the value C = L_0 ⊕ R_0 ⊕ L_1 ⊕ R_1. Due to the symmetry of the XOR gate, the evaluator can now always derive the correct output key. Note that XOR gates now do not require any cryptographic operation but only the communication of a k-bit string (k being the security parameter), and therefore are "almost" for free.
The paranoid reader might now worry about whether revealing the XOR of all input keys affects the security of our scheme, and the impatient reader might not want to wait for the formal proof, which appears later in the paper. Intuitively, revealing C does not represent a problem because, if it did, then the free-XOR technique would be insecure as well: in (standard) free-XOR the value C is always 0, as L_0 ⊕ L_1 = R_0 ⊕ R_1, and is therefore already known to the adversary.
Privacy-free fleXOR. Finally we combine our technique with the recent fleXOR garbling scheme [KMR14]. A central concept in fleXOR is to look, for each wire, at the XOR between the two keys associated to that wire, called the offset of that wire. While in free-XOR the offset is a constant for the whole circuit (therefore fixing half of the keys in the circuit), in fleXOR wires are ordered in a way that maximizes the number of offsets which are the same, while at the same time leaving the circuit garbler free to choose the output keys for the non-XOR gates. The fleXOR wire ordering induces a partitioning of the wires for each XOR gate. In particular, each XOR gate is assigned a parameter t which denotes how many input wires have an offset different from the output wire. Then a 0-XOR gate can be garbled exactly like in free-XOR, while for t-XORs (with t > 0) the garbler sends t ciphertexts to the evaluator, which are used to "adjust" the offsets of those input wires. In the privacy-free case, exploiting non-oblivious gate evaluation, we can simply reveal the XOR of the offsets instead, exactly like in our GRR1 scheme. So, while the original fleXOR requires the garbler and the evaluator to perform 2t and t calls respectively to the KDF, we do not require any cryptographic operations for fleXOR gates.
Garbling
The baseline garbling transmits 2 ciphertexts, but in most cases we can do better.
GRR1: In this case the garbler can freely choose ∆_O, which is set equal to ∆_L (so that O_1 = L_1 ⊕ R_0), and therefore we do not need to communicate C_L, saving one ciphertext w.r.t. the baseline.
free-XOR: Here it holds that ∆_L = ∆_R = ∆_O, therefore C_L = C_R = 0 and no ciphertexts need to be transferred.
fleXOR: a t-XOR gate is garbled like in the baseline garbling when t = 2, like in GRR1 when t = 1 and like in free-XOR when t = 0.
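The privacy-free XOR gate of the overview (the "advice" C = L_0 ⊕ R_0 ⊕ L_1 ⊕ R_1) and the offset view of this section, written out as an added Python example that is not part of the paper: the garbler publishes C_L = ∆_L ⊕ ∆_O and C_R = ∆_R ⊕ ∆_O, and the evaluator, who knows the bits a and b on its keys, adds a·C_L ⊕ b·C_R to L_a ⊕ R_b without any KDF call. The baseline, GRR1 and free-XOR cases appear as t = 2, 1, 0 transmitted strings; the 128-bit key length and the byte-string representation of keys are assumptions.

```python
import os

K = 16  # key length in bytes (k = 128 bits); an assumption for this example


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand():
    return os.urandom(K)


def garble_xor(L0, L1, R0, R1, delta_out=None):
    """Privacy-free garbling of one XOR gate with input keys (L0, L1), (R0, R1).

    Baseline (t = 2): the garbler picks the output offset delta_O freely and
    sends C_L = delta_L ^ delta_O and C_R = delta_R ^ delta_O.
    GRR1 (t = 1): delta_O = delta_L, so C_L = 0 need not be sent and
    C_R = delta_L ^ delta_R = L0 ^ R0 ^ L1 ^ R1 is the "advice" C of the overview.
    free-XOR (t = 0): delta_L = delta_R = delta_O, so nothing is sent at all.
    Returns (O0, O1, C_L, C_R).
    """
    dL, dR = xor(L0, L1), xor(R0, R1)
    dO = dL if delta_out is None else delta_out
    O0 = xor(L0, R0)
    O1 = xor(O0, dO)          # with dO = dL this is L1 ^ R0, as in the text
    return O0, O1, xor(dL, dO), xor(dR, dO)


def eval_xor(La, Rb, a, b, CL, CR):
    """Non-oblivious evaluation: the evaluator knows the bits a and b.

    L_a ^ R_b = O_0 ^ a*delta_L ^ b*delta_R and O_{a^b} = O_0 ^ (a^b)*delta_O,
    so the two differ by exactly a*C_L ^ b*C_R. No cryptographic operation.
    """
    out = xor(La, Rb)
    if a:
        out = xor(out, CL)
    if b:
        out = xor(out, CR)
    return out


def strings_sent(CL, CR):
    """Number of k-bit strings the garbler transmits (the t of a t-XOR gate)."""
    zero = bytes(K)
    return int(CL != zero) + int(CR != zero)


def check_gate(L0, L1, R0, R1, delta_out=None):
    """True iff every input pair (a, b) evaluates to the output key O_{a^b}."""
    O0, O1, CL, CR = garble_xor(L0, L1, R0, R1, delta_out)
    return all(
        eval_xor((L0, L1)[a], (R0, R1)[b], a, b, CL, CR) == (O0, O1)[a ^ b]
        for a in (0, 1)
        for b in (0, 1)
    )


def demo():
    """Strings sent for the baseline, GRR1 and free-XOR garbling of one gate."""
    L0, L1, R0, R1 = rand(), rand(), rand(), rand()
    baseline = garble_xor(L0, L1, R0, R1, delta_out=rand())     # t = 2
    grr1 = garble_xor(L0, L1, R0, R1)                           # delta_O = delta_L, t = 1
    delta = rand()                                              # global free-XOR offset
    free = garble_xor(L0, xor(L0, delta), R0, xor(R0, delta))   # t = 0
    return tuple(strings_sent(g[2], g[3]) for g in (baseline, grr1, free))


if __name__ == "__main__":
    print("strings sent (baseline, GRR1, free-XOR):", demo())
```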
Efficiency Improvements
Our garbling schemes offer different performance in terms of communication and computation overhead. It is natural to ask which one is the most efficient. Like most interesting questions, the answer is not as simple as one might want: to decide which garbling scheme offers the best performance one must define the price of communication vs. computation. The ultimate answer depends on the actual hardware setting (CPU, network) on which the protocol is to be run and can only be determined empirically. In Table 1 and Table 2 we benchmark our garbling schemes against the best previous garbling schemes, on a number of circuits that we believe relevant for the zero-knowledge application that we have in mind, e.g., proving "I know a secret x s.t. y = SHA(x)" for a y known to both the prover and the verifier.

Table 1 caption (table body not recovered): [...] [ST12] in terms of communication complexity. The fleXOR scheme used is based on GRR1 and thus a "safe" topological ordering is assumed (see [KMR14]). The number in each cell shows the amortized number of ciphertexts per gate that need to be sent. We ignore the inversion gates, as they can be pulled inside other kinds of gates. The "Saving" column is computed against the previously best solution.

Table 2 caption (table body not recovered): [...] [ST12] in terms of computational overhead. The fleXOR scheme used is based on a "safe" topological ordering (see [KMR14]). The number in each cell shows the amortized number of calls to a KDF per gate that the constructor/evaluator need to perform. (The evaluator always performs 1 KDF evaluation for non-free gates.) Note that we do not count the non-cryptographic operations in this table (polynomial interpolation in GRR2, XOR of strings in all others). The "Saving" column is computed against the previously best solution.
The circuits used are due to Smart and Tillich and are publicly available [ST12] . Note however that the numbers in our tables depend on the actual circuits being used, meaning that it might be possible to find different circuits that compute the same functions but that are more favorable to one or another garbling scheme. Finding such circuits requires non-trivial heuristics and manual work (e.g., [BP12] ), as there is evidence that finding such circuits is computationally hard [Fin14, KMR14] .
Still, no previous garbling scheme performs better than all of our proposed schemes; therefore, while the actual saving factor might change, one of our schemes will always outperform the rest.
Preliminaries and Definitions
To keep the paper self-contained, we include the definitions for garbling schemes from [BHR12, BHKR13] in this section.
Notation
Let N = {1, 2, . . . } be the natural numbers, excluding 0. We write [x, y] (with x < y ∈ N) for {x, x + 1, . . . , y} and [x] for [1, x]. We use | · | as a shorthand for the cardinality of a set or the number of bits in a string. If S is a set we use x ∈_R S to denote that x is a uniformly random sampled element from S. We let poly(·) denote any polynomial of the argument.
Regarding variable names, we let k ∈ N be the security parameter and call a function negl : N → R^+ negligible if for all large enough k it holds that negl(k) < 1/poly(k). In general we use negl(·) to denote any negligible function.
We let L ⊂ {0, 1} * be an arbitrary language in NP and M L be the language verification function, i.e., for all y ∈ L there exists a string x ∈ {0, 1}
Defining Our Garbling Scheme
We start by considering a plain description of a Boolean circuit with a single output bit, consisting of Boolean gates having arbitrary fan-in. This can be used to compute a Boolean function. The description is closely related to the ones in [BHR12, JKO13] , but generalized to support gates with arbitrary fan-in along with non-oblivious gate evaluation.
Let f be a description of such a circuit, taking n ∈ N bits as input and consisting of q ∈ N internal gates. We let r = n + q be the number of wires in the circuit and specifically define inputWires = [n], Wires = [n+q], outputWire = n+q and Gates = [n + 1, n + q], where inputWires represent the set of input wires, outputWire represents the output wire, Gates represents the set of Boolean gates of arbitrary fan-in and Wires the set of all wires in the circuit.
Next we let I be a function mapping each element of Gates to an integer describing the fan-in of that gate, i.e., I : Gates → N. We let W be a function mapping an element of Gates, along with an integer i (representing a gate's i'th input wire), to an element in Wires. When calling W on some g ∈ Gates we require that i ∈ [I(g)], otherwise we return ⊥. Thus, the signature for the method is W : Gates × N → {Wires \ outputWire}^* ∪ {⊥}. We further require that W(g, i) < W(g, i + 1) < g for all g ∈ Gates and i ∈ [I(g) − 1] in order to avoid circularities in the circuit description.
Finally, we let G be a function taking as input an element of Gates along with an array of bits and returning a single bit or ⊥. That is, G : Gates × {0, 1}^* → {0, 1} ∪ {⊥}. Specifically, G is a description of the functionality of each gate in the circuit along with a short-circuit feature such that ⊥ is returned if the number of elements in the binary input vector is not equal to the integer returned by I when queried on the same gate index. More formally, G(g, {b_i}_{i∈[I(g)]}) ∈ {0, 1} for all g ∈ Gates, b_i ∈ {0, 1}, and ⊥ otherwise. Sometimes we abuse notation and simply write G(g, b) if g ∈ Gates and b ∈ {0, 1}^m when I(g) = m. We also say G(g, ·) = NAND or G(g, ·) = XOR if the truth table constructed from G is the truth table of a NAND, respectively XOR, gate.
Finally we combine all these functions and variables in f by letting f = (n, q, I, W, G). However, we sometimes abuse notation and view f as a black box Boolean function, i.e., f : {0, 1} n → {0, 1}. With this plain description of a Boolean circuit in hand we define a verifiable projective garbling scheme by a tuple G = (Gb, En, De, Ev, ev, Ve) such that:
-Gb(1^k, f) → (F, e, d) is the garbling function, a randomized algorithm that takes as input a security parameter 1^k and a description of a Boolean function (n, q, I, W, G) ← f under the constraint that n = poly(k), n ≥ k and |f| = poly(k). It outputs a triple (F, e, d) representing a garbled circuit (F), input encoding information (e) and output decoding information (d).
-En(e, x) → X is the encoding function, a deterministic function that uses the input encoding information e to map an input x to a garbled input X. We say a scheme is projective if e = {X^0_i, X^1_i}_{i∈[n]} and the garbled input X is simply {X^{x_i}_i}_{i∈[n]}. In this paper we are only interested in projective schemes and therefore we do not use the En function explicitly.
-Ev(F, X, x) → Z is the evaluation function, a deterministic functionality that produces an encoded output Z by evaluating a garbled circuit F on an encoded input X. We assume that for fixed F, the evaluation can output at most two values Z_0 and Z_1.
-De(d, Z) → z is the decoding function, a deterministic functionality that, using the string d, decodes the encoded output Z into a plaintext bit z. We are only interested in whether z = 1 (e.g., the NP relation accepts in the ZK setting), therefore we let z = 1 if Z = Z_1 and z = 0 otherwise.
-ev(f, x) → z is a deterministic functionality that evaluates the plain function described by f on some input x, i.e., ev(f, x) = f(x).
-Ve(F, f, e) → b is the verification function, a deterministic functionality that on input a garbled circuit F, a description of a Boolean function f and the input encoding information e = {X^0_i, X^1_i}_{i∈[n]} outputs 1 if the garbled circuit F computes the functionality f. Otherwise the functionality outputs 0.
We now list a number of properties that we require from a garbling scheme and refer to [BHR12, JKO13] for a detailed explanation of these definitions.
The following definition says that a correct evaluation of a correct garbling gives the right output.
Definition 1 (Correctness). Let G be a verifiable projective garbling scheme described as above. We say that G enjoys correctness if for all n = poly(k), f : {0, 1} n → {0, 1} and all x ∈ {0, 1} n s.t. f (x) = 1 the following probability
The following definition says that from a correct garbling of an input and a function outputting 0 on that input, you cannot find the decoding information for output 1, i.e., Z 1 .
Definition 2 (Authenticity).
Let G be a verifiable projective garbling scheme described as above. We say that G enjoys authenticity if for all n = poly(k), f : {0, 1} n → {0, 1} and all inputs x ∈ {0, 1} n s.t. f (x) = 0 and for any probabilistic polynomial time (PPT) A, the following probability:
The following definition says that there is a unique garbled output corresponding to the output value 1, and that this unique value can be efficiently extracted given all the input labels. This holds also for maliciously generated circuits, as long as they pass the verification procedure. This implies that the garbled output value Z_1 leaks no information about the original input x except for the fact that f(x) = 1.
Definition 3 (Verifiability). Let G be a verifiable projective garbling scheme described as above. We say that G enjoys verifiability if for all n = poly(k), f : {0, 1}^n → {0, 1} and all x ∈ {0, 1}^n with f(x) = 1 and for all PPT A there exists an expected polynomial time algorithm Ext such that
Finally, combining these definitions we get a definition of a secure verifiable, projective and privacy-free garbling scheme.
Definition 4 (Privacy-free Garbling Scheme). Let G be a verifiable projective garbling scheme described as above. If this scheme enjoys correctness, authenticity and verifiability in accordance with Def. 1, Def. 2 and Def. 3 respectively, then G is a secure privacy-free garbling scheme.
Key Derivation Function
We are going to use a "compressing" key derivation function KDF : {0, 1}^* → {0, 1}^k mapping an arbitrary binary string to a pseudorandom string of k bits. The applications of the function will be of the form KDF(K, id), where K ∈ {0, 1}^k is a wire key and id ∈ {0, 1}^* is a unique label or tweak.
We need a notion of security where the adversary cannot compute the output of the key derivation function except if he can do so trivially because he knows the entire input. Specifically we let keys be fresh uniformly random values, derived keys, or linear combinations of other keys, and id be publicly known. We require that the adversary cannot guess a key derived from at least one uniformly random key, "uncompromised" derived key, or linear combination of keys where at least one is "uncompromised". An uncompromised derived key is one that was derived from at least one uniformly random key, uncompromised derived key, or linear combination where at least one key in the combination was uncompromised. We allow the adversary to compromise keys by leaking them and to construct new keys through linear combinations or key derivations. Furthermore, we call a (potential) key compromised if the leaked keys allow one to determine the key, in which case the adversary can trivially compute it. More precisely:
Definition 5 (Game KDF). Let A be any PPT adversary and consider the following game:
Initialize: Let ID ← ∅ be the set of identifiers used by the adversary and let LEAK ← ∅ be the set of identifiers that should be leaked.
Query: Let A make an arbitrary number of calls, in any combination, to the following methods:

We use Guess_{KDF,A}(1^k) to denote the probability that A wins the game. Using this game we define the notion of a secure key derivation function.
Definition 6 (Secure Key Derivation Function). We say that a KDF(·) is secure if the advantage of any PPT adversary
for some negligible function negl(·).
It can be proven using standard techniques that a (non-programmable, non-extractable) random oracle is a secure KDF in the above sense. More precisely:
Theorem 1. If KDF(·) is modeled by a non-programmable, non-extractable random oracle with k bits output then for any PPT A it holds that Guess
The proof appears in the full version [FNO14] .
We leave as future work the investigation of which exact computational assumptions are required for implementing our different garbling schemes: while it is clear that the free-XOR and fleXOR variants require strong notions of security (security under related-key attacks and a flavor of circular security), it seems that the GRR1 variant could be instantiated using standard security notions.
Our Privacy-free Garbling Schemes
In this section we present our novel garbling schemes. Our schemes support gates with arbitrary fan-in, but as a warm-up we first present the garbling schemes for gates with fan-in 2 using GRR1 or GRR2 with free-XOR. Both allow garbling every Boolean gate with fan-in 2 using only 3 calls to the KDF for non-XOR gates, and require no calls to the KDF for XOR gates.
Our first scheme has communication complexity of k bits per gate while our second garbling scheme is compatible with "free-XOR", but requires communication complexity of 2k bits for non-XOR gates.
Afterwards we present our two schemes for gates with arbitrary fan-in and in Section 4 a scheme that supports the recent fleXOR approach [KMR14].

Table 3 caption (table body not recovered): Exact performance of our privacy-free garbling schemes. The "Garb." and "Eval." columns state the number of calls to a KDF required for garbling and evaluation respectively, as a function of the gate fan-in m. The column "Size" states the number of bits added to the garbled circuit for each gate. We only report the fleXOR variant based on "safe" wire ordering.
Warm-up
To simplify notation and give the intuition of our scheme we here only describe how to garble/evaluate a single NAND or XOR gate. We call the input keys to the left wire of a gate L_0, L_1, the input keys to the right wire R
It should be clear that the scheme is correct. The intuition of authenticity is that if the evaluator only knows one input key for each wire, he can only learn one output key unless he can guess the output of KDF on an input he does not know. Next consider a XOR gate:
Again, it should be clear that the scheme is correct. The authenticity intuitively follows from the fact that the evaluator can only learn the XOR of two unknown keys, which will not help in decrypting the next gate. Now consider how to achieve the same while allowing support for free-XOR gates (and in turn GRR2). In this scheme there is a global difference ∆ s.t., for all wires w in a garbled circuit, the key pair X
Garbling a GRR2 NAND Gate: Let O_0 = KDF(L_1, R_1). This defines O_1 = O_0 ⊕ ∆ as well. Let C_L = KDF(L_0) ⊕ O_1 and C_R = KDF(R_0) ⊕ O_1. Finally output {C_L, C_R}.
Evaluating a GRR2 NAND Gate: To evaluate on input L_a, R_b, if a = b = 1 then output O_0 = KDF(L_1, R_1); otherwise, if a = 0 output O_1 = KDF(L_0) ⊕ C_L; otherwise output O_1 = KDF(R_0) ⊕ C_R.
Next consider a XOR gate:
Garbling a free-XOR Gate:
Again correctness should be clear. Authenticity for NAND gates follows from the same argument as for GRR1 NAND gates, whereas for XOR gates authenticity follows from the security of free-XOR, i.e., that it is hard to learn ∆ unless one is given both keys on some wire.
Generalization Intuition
We now consider how our approaches generalize to gates with arbitrary fan-in. If we are not using a free-XOR scheme we define the 1-output key to be X^1_g = KDF(X^0_1). Then the entries in the garbled computation table are as follows:
When we are using a free-XOR scheme we have another entry in the garbled computation table, since the output key X^1_g needs to meet the constraint X^1_g = X^0_g ⊕ ∆ and thus we cannot define it to simply be KDF(X^0_1). However, similarly to the scheme above that does not use free-XOR, we use the KDF applied to the first input key (which we have not used to hide anything in the scheme above) to hide X^1_g. We let the rest of the table remain as before and thus the whole garbled computation table is computed as follows:
We describe the evaluation: Call the input keys X 
XOR gates.
To garble XOR gates (when we are not using the free-XOR method), we define the output 0-key from information based on all the input 0-keys. Specifically as
In a similar manner we define the output 1-key from information based on the first input 1-key and all the other input 0-keys, that is
be the input bits at evaluation time and b_g = b_1 ⊕ . . . ⊕ b_m be the output of that gate. It might be the case that b_1 = 1 or that there are other j s.t. b_j = 1. So we let the garbled computation table consist of information which makes it possible for the evaluator to compute the right output key in any such situation. Specifically we define the table as the following set:
It is clear that, for any
Thus by XORing all the C_i's for which b_i = 1 we obtain
Other gates. It is easy to see that our garbling scheme can be applied also to a few other kinds of gates such as AND, (N)OR, XNOR etc., also in the case of high fan-in (by using a different partitioning of the inputs and relabeling the outputs), but it cannot be used for generic, "unstructured" gates of high fan-in.
Using high fan-in gates. Note that our garbling scheme is favorable for gates with high fan-in, since the complexity shown in Table 3 (both in terms of communication and computational complexity) only grows linearly with the gate fan-in, while a straightforward use of standard garbled circuits leads to an exponential blow-up in the gate fan-in. Even when comparing the garbling of a gate with fan-in m to a circuit implementing the same functionality (e.g., a tree of fan-in 2 NANDs to implement a NAND with fan-in m) our scheme is still favorable. Depending on the garbling scheme we can save a factor 2-3 in terms of computation for the garbler and also save in communication. In addition, the evaluator has an overhead of log(m) when evaluating the circuit (versus a single call to the KDF in our case).
Formal specification
We describe our gate garbling schemes in the same notation as [BHR12], but with some changes in order to reflect that we only require privacy, only assume one bit output and that we support gates of arbitrary fan-in. The specification of the garbling scheme is given in Fig. 1 and the realizations for individual gate garbling are given in Fig. 2 and Fig. 3, depending on whether one uses free-XOR or GRR1.
To enhance understanding we describe each step of these procedures.
The Garbling Scheme. The first method, Gb, constructs a garbled circuit, F, along with information, e, to encode a binary string as garbled input to this garbled circuit and information, d, to check if the output of an evaluation of the garbled circuit has the semantic value 1. The method takes as input a security parameter 1^k and a description of the Boolean function to be computed, f. The format of the function description should be in accordance with the description given in Section 2.2, and thus can be viewed directly as a Boolean circuit. In step 1 the algorithm chooses two keys for each of the n input bits to f, in accordance with the specific type of garbling scheme used. These are the 0- and 1-input keys, respectively.
Step 2 involves iteratively constructing each of the q garbled gates of the circuit, along with the two output keys needed for each of these gates. It is done by first using I to decide the fan-in of a given gate, then using G to find the specific functionality of the given gate. Finally the input keys for that gate (which have already been constructed) are loaded using W and all the information is passed to the gate garbling method Garb. In step 3 the garbled circuit, F, is set to include all the information of f along with the garbled computation tables returned by Garb in the previous step for all the gates in the circuit. These tables are called P. Furthermore, the encoding information e is set to be the two keys for each input wire and the decoding information d is set to be the output 1-key of the final gate in the circuit. In the last step, the garbled circuit F, the input encoding information e, and the decoding information d are returned.
The second method, En, constructs an ordered set of input keys to a garbled circuit, X. It takes as input the encoding information e (along with a binary string x of length n) representing the input to the garbled circuit. In the first step the method parses e as n ordered pairs of keys. In step 2 the functionality returns an ordered subset of the keys. In particular if the i'th bit of x is 0 then the i'th element in the ordered set is the i'th 0-key, otherwise it is the i'th 1-key.

Fig. 1 (recovered in part):

Gb(1^k, f) → (F, e, d)
1. {X^0_i, X^1_i}_{i∈[n]} ← InKeys(n, k).
2. For each g ∈ [n+1, n+q] let m = I(g) and garble gate g with Garb, using G and W as described above, to obtain the output keys X^0_g, X^1_g and the table P[g].
3. Set F ← (n, q, I, W, G, P), e ← {X^0_i, X^1_i}_{i∈[n]} and d ← X^1_{n+q}.
4. Finally return (F, e, d).

En(e, x) → X
1. {X^0_i, X^1_i}_{i∈[n]} ← e.
2. Then set X ← {X^{x_i}_i}_{i∈[n]} and return X.

Ev(F, X, x) → Z
1. Set (n, q, I, W, G, P) ← F and for all i ∈ [n] set w_i = x_i and define Q = {w_i}_{i∈[n]}.
2. For each g ∈ [n+1, n+q] let m = I(g) and add w_g = G(g, {w_{W(g,i)}}_{i∈[m]}) to the set Q.
3. Now for each g ∈ [n+1, n+q] let m = I(g) and define G' : {0,1}^m → {0,1} s.t. G'(i) = G(g, i) and w' ∈ {0,1}^m s.t. w'_i = w_{W(g,i)} for all i ∈ [m], and set X_g ← Eval(g, G', w', {X_{W(g,i)}}_{i∈[m]}, P[g]).
4. Return X_{n+q}.

ev(f, x) → b
1. Set (n, q, I, W, G) ← f and for all i ∈ [n] set w_i = x_i and define Q ← {w_i}_{i∈[n]}.
2. For each g ∈ [n+1, n+q] let m = I(g) and add w_g = G(g, {w_{W(g,i)}}_{i∈[m]}) to the set Q.
3. Finally return w_{n+q}.
The third method, De, evaluates whether some value, Z, is equal to the output 1-key of a garbled circuit, d. It takes as input the decoding information of a garbled circuit, d, along with a potential output key, Z. The method only has one step which checks if d = Z and returns 1 if that is true, otherwise it returns 0.
The fourth method, Ev, evaluates a garbled circuit, F, and returns the output key of the final gate as the result of this evaluation, Z. It takes as input a garbled circuit F, an ordered set of input keys, X, along with a binary vector x where the i'th bit represents the semantic value of the i'th input key. In step 1 the method parses the information stored in the garbled circuit F and defines an ordered set of bits, Q, which represents the bits on each wire in the garbled circuit. Initially this set only includes the bits of the input wires.
Step 2 iteratively evaluates the circuit in plain, one gate at a time. It first finds the fan-in of a given gate using I and then evaluates the gate in plain using the set Q along with the gate description G. After evaluating the gate in plain it updates Q to contain the output bit of the given gate. Thus at the end Q contains the expected bit on each wire given the garbled circuit F and the binary input x. In step 3 the method proceeds to evaluate each garbled gate iteratively. Again it uses I to learn the fan-in of a given gate, G to decode the specific functionality of the gate and the elements of Q to find the semantic meaning of the keys that are input to the garbled gate. Using this information, along with the garbled computation table of the gate, P, it calls Eval to evaluate the garbled gate and stores the output key that Eval returns. Finally in step 4 it returns the output key of the final gate in the garbled circuit.
The fifth method, ev, evaluates the Boolean functionality f in plain using a binary input vector x. It returns the bit f(x). In step 1 it parses the functionality f and constructs a set Q which represents the bit on each wire in the circuit. Initially this set only contains the bits on the input wires, exactly as specified by x. In step 2 it iteratively evaluates each gate of the functionality. It does so by first learning the fan-in of the given gate using I and then applying G to the given gate index and the bits already stored in Q. It updates the set Q with the result. Finally it returns the result of evaluating the final gate in the circuit.
The sixth and last method, Ve, checks whether a garbled circuit, F , evaluates the same as some plain circuit, f , given both pairs of input keys for all wires of the garbled circuit, e. The method returns either 1 (for accept) or 0 (for reject). It takes as input a garbled circuit F , a plain description of the circuit functionality f along with the ordered set of input keys, e. In the first step it parses the garbled circuit F and the plain function description f .
Step 2 is a sanity check which verifies that the "meta" data of F and f are the same, i.e., the same number of input bits, n, the same number of gates, q, each with the same fan-in I, using the same wires, W, and computing the same functionality, G. If any of these checks fail the method outputs reject. Then step 3 iteratively constructs a new garbled circuit using Garb in the same manner as in Gb, based on the information in f. Finally in step 4 the method checks equality of each garbled computation table given in F with each of the tables generated in the previous step. If any are not equal then the method outputs reject, otherwise it outputs accept.
The first method, Garb, constructs a garbled gate together with its two output keys X^0_g and X^1_g. It takes as input a nonce, g (gate ID), a function mapping a binary vector to a bit, G', along with a pair of input keys for each input wire to the gate. The second method, Eval, reconstructs a single output key. It takes as input a nonce, g (gate ID), a function mapping a binary vector to a bit, G', a binary vector describing the bits on the input wires to the gate, w', an ordered set of input keys {X_i}_{i∈[m]} along with an ordered set which is the garbled computation table of gate g. Two concrete schemes are shown in Fig. 2 and Fig. 3.

Fig. 2 (recovered in part):

InKeys(n, k)
1. Sample a uniformly random difference ∆ ∈ {0,1}^k.
2. Then for each i ∈ [n] sample a uniformly random X^0_i ∈_R {0,1}^k, set X^1_i ← X^0_i ⊕ ∆ and return the set {X^0_i, X^1_i}_{i∈[n]}.

Eval: if instead G'(·) = XOR return X_g ← ⊕_{i∈[m]} X_i.
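To make the six methods and the two gate methods concrete, the following Python program is an added worked example; it is not the paper's Fig. 2 or Fig. 3, whose gate garbling is not reproduced on this page. It implements a privacy-free garbling scheme with free XOR: InKeys draws a global offset ∆, XOR gates cost no ciphertext and no cryptographic operation, and a NAND gate costs a single ciphertext because the evaluator knows the input bits (when the left bit is 0 the output 1-key is derived directly from L^0; otherwise the one ciphertext, combined with the right-wire key, yields the correct output key). The NAND construction, HMAC-SHA256 as the KDF, 0-based wire indices, the (type, (a, b)) gate encoding and the toy circuit are all assumptions made for this example.

```python
import hashlib
import hmac
import os

K = 16  # key length in bytes (security parameter k = 128 bits); a constructed choice

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def kdf(g, key):
    # KDF keyed with a wire key and nonce g; the paper leaves the KDF abstract, HMAC-SHA256 is assumed here.
    return hmac.new(key, g.to_bytes(4, "big"), hashlib.sha256).digest()[:K]

def in_keys(n):
    """InKeys, free-XOR variant: one global offset delta and X^1_i = X^0_i xor delta."""
    delta = os.urandom(K)
    return delta, [(k0, xor(k0, delta)) for k0 in (os.urandom(K) for _ in range(n))]

def garb(g, kind, left, right, delta):
    """Garble one fan-in-2 gate; returns ((O0, O1), table). XOR is free, NAND costs one ciphertext."""
    L0, L1 = left
    if kind == "XOR":
        O0 = xor(L0, right[0])
        return (O0, xor(O0, delta)), None
    if kind == "NAND":
        O1 = kdf(g, L0)  # NAND(0, r) = 1 for both r, so O1 is derived straight from L0
        O0 = xor(O1, delta)
        # Holding L1 and R_r, the evaluator computes kdf(L1) ^ C ^ R_r = O1 ^ r*delta = O_{1-r}.
        C = xor(xor(kdf(g, L1), O1), right[0])
        return (O0, O1), C
    raise ValueError(kind)

def eval_gate(g, kind, l, lkey, rkey, table):
    # Eval is non-oblivious: the evaluator uses its knowledge of the left input bit l.
    if kind == "XOR":
        return xor(lkey, rkey)
    return kdf(g, lkey) if l == 0 else xor(xor(kdf(g, lkey), table), rkey)

def plain_wires(f, x):
    # Steps 1-2 of Ev and ev: the bit on every wire, inputs first, then gates in order.
    n, gates = f
    w = list(x)
    for kind, (a, b) in gates:
        w.append(w[a] ^ w[b] if kind == "XOR" else 1 - (w[a] & w[b]))
    return w

def ev(f, x):
    return plain_wires(f, x)[-1]

def garble_all(n, gates, in_pairs, delta):
    # Step 2 of Gb: garble gate by gate, reusing output keys as input keys of later gates.
    keys, tables = list(in_pairs), []
    for j, (kind, (a, b)) in enumerate(gates):
        out, table = garb(n + j, kind, keys[a], keys[b], delta)
        keys.append(out)
        tables.append(table)
    return keys, tables

def Gb(f):
    n, gates = f
    delta, in_pairs = in_keys(n)
    keys, tables = garble_all(n, gates, in_pairs, delta)
    return (n, gates, tables), keys[:n], keys[-1][1]  # d is the 1-key of the output wire

def En(e, x):
    return [e[i][x[i]] for i in range(len(x))]

def Ev(F, X, x):
    n, gates, tables = F
    w = plain_wires((n, gates), x)
    keys = list(X)
    for j, (kind, (a, b)) in enumerate(gates):
        keys.append(eval_gate(n + j, kind, w[a], keys[a], keys[b], tables[j]))
    return keys[-1]

def De(d, Z):
    return 1 if hmac.compare_digest(d, Z) else 0

def Ve(F, f, e):
    # Step 2: the meta data of F and f must agree; steps 3-4: regenerate every table and compare.
    n, gates, tables = F
    if (n, gates) != f or not e:
        return 0
    delta = xor(e[0][0], e[0][1])
    if any(xor(k0, k1) != delta for k0, k1 in e):  # every input pair must share the same offset
        return 0
    return 1 if garble_all(n, gates, e, delta)[1] == tables else 0

def demo_circuit():
    # Constructed toy circuit: inputs are wires 0-2; wire 3 = NAND(0,1), 4 = XOR(3,2), 5 = NAND(4,0).
    return (3, [("NAND", (0, 1)), ("XOR", (3, 2)), ("NAND", (4, 0))])

def check_all(f):
    F, e, d = Gb(f)
    ok = Ve(F, f, e) == 1
    for v in range(2 ** f[0]):
        x = [(v >> i) & 1 for i in range(f[0])]
        ok = ok and De(d, Ev(F, En(e, x), x)) == ev(f, x)
    return ok
```

check_all runs Gb, En, Ev, De and Ve over every input of the toy circuit and compares the decoded bit against ev. Ve recovers ∆ from the first input pair, checks that all pairs share it, and regenerates every table exactly as Gb did, which is the verifiability argument of the Security section written out in code; a single flipped byte in any table makes it reject.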
Security
The scheme presented in Fig. 1, composed with Fig. 2 and Fig. 3 respectively, is clearly correct in both cases. In fact, any correctly generated scheme evaluates to the correct output key with probability 1. From this it also follows that the schemes have verifiability, as we verify by regenerating each garbled gate, and hence a verified garbled gate is correctly generated. This takes care of the demands of correctness (Def. 1) and verifiability (Def. 3) of a secure privacy-free garbling scheme, as defined in Def. 4. What remains is authenticity (Def. 2): in the following we reduce this to the security of the KDF used.

Proof. For notational convenience we are going to focus on the case with fan-in 2. The proof idea generalizes immediately.
A NAND gate with input keys L^0, L^1 for the left wire and R^0, R^1 for the right wire and gate identifier g is garbled as follows:

The output keys are (O^0, O^1). The garbled gate is just C. Besides this, the circuit garbling just consists of reusing the appropriate output keys as input keys to later gates. A garbled circuit F consists of, amongst other things, a garbled gate for each of the q internal wires, P = (C_{n+1}, ..., C_{n+q}), in an order in which they can be evaluated. For such an F and a plaintext input x ∈ {0,1}^n, let X^x = {X^{x_i}_i}_{i∈[n]} be the garbled version of x. For i = n+1, ..., n+q, let w_i be the bit we get by computing plaintext gate number i on the bits for its input wires, that is w_i = G(i, {W(i,1), W(i,2)}) in accordance with Fig. 1. This defines a plaintext evaluation w = (w_1, ..., w_n, w_{n+1}, ..., w_{n+q}).
The scheme is constructed such that from a correct garbled circuit F and X^x one can efficiently compute K^x, which in particular allows one to compute O^{w_{n+q}}_{n+q}. We have to prove that from a randomly generated P and X^x one cannot also efficiently compute O^{1−w_{n+q}}_{n+q}. For this, it is sufficient to prove that one cannot efficiently compute O^{1−w_i}_i for any i ∈ [n+q] with non-negligible probability.
We do the proof by a simple reduction to the game KDF in Def. 5. It is easy to see that the garbling and the keys learned by the evaluator in the scheme can be computed by queries to the game KDF in such a way that all the keys O
and O garb, i)). Then we add C_i to the set of values to leak by outputting (leak, (garb, i)). This is a correct garbling, so we later use it to compute O

It is sufficient to prove that (key, i, 1 − w_i) is uncompromised for all i. It is clear that whether (key, i, 1 − w_i) is uncompromised does not depend on the strategy of the adversary, only on the structure of the circuit, the nature of our garbling scheme and the input x. Hence, if for a fixed circuit and fixed input x some (key, i, 1 − w_i) is sometimes compromised, then it is always compromised. Hence, if any (key, i, 1 − w_i) can be compromised, then there exists a first gate j such that before executing the commands corresponding to gate j no identifier (key, i, 1 − w_i) was compromised, and after executing the commands corresponding to gate j some identifier (key, i, 1 − w_i) is compromised, where i ≤ j. Consider this gate C_j. Furthermore, among the commands executed for gate j there is a first command that leads to a compromise of a gate. We call this command patient zero. We first show that patient zero is not a key derivation command. Then we show that it is not a linear command followed by a leak command. And then we are done.
Assume first that patient zero is a key derivation command. We use several times that a key derivation command, when it is the last command to have been executed, cannot compromise any other key than its output key. When patient zero is a key derivation command, then gate j must be a NAND gate, as there are no key derivation commands in XOR gates. Recall that we issue the key derivation commands (1), (2) and (3) as part of a NAND gate, and then we leak C_j. Assume that l_j = 0. In that case O

Before we prove that patient zero cannot be a linear command we change the system that we analyze by replacing the processing of all NAND gates by the following commands: First we execute (fresh key, (key, j, 0)), (fresh key, (key, j, 1)) and (fresh key, (inte, j)) to define the values O^0_j, O^1_j and A_j respectively. Then we compute C_j = A_j ⊕ O^1_j, and leak C_j by issuing the commands (linear, (garb, j), (inte, j), (key, j, 0)) and (leak, (garb, j)) in that order. In addition we leak O^{w_j}_j. If r_j = 0, such that R^0_j is a known key, then we also leak A_j. So, we essentially skip all key derivation commands and simulate their effect on the system by leaking the produced known keys. Since we could compute O^{w_j}_j before the change, it was compromised before the change. It is also compromised after the change, as we now leak it. Similarly for A_j. Hence, the set of compromised identifiers is the same before and after the introduced changes, at least right after the gate has been handled. As a consequence, we have not changed whether or not some other key later gets compromised.
Furthermore, notice that since we have already shown that patient zero cannot be a key derivation command, this change does not affect the adversary's advantage. We therefore just have to prove that in the modified system no other key gets compromised. Since there are no key derivation commands left, this is simple linear algebra.
Assume that patient zero is C_j = A_j ⊕ O^1_j. Since A_j is a fresh key and only occurs in this equation, if A_j is uncompromised, adding this equation cannot change whether an output key is compromised or not.
Hence it must be the case that A_j is compromised. Since A_j is fresh and occurs in no other equation, this can only have happened because we leaked it earlier. Hence R . This does not change whether or not there will be a patient zero. We can even make further changes. We once and for all create a global key ∆ through the call (fresh key, delta). Then we execute each NAND gate as follows: Call (fresh key, (key, i, 0)), (linear, (key, i, 1), (key, i, 0), delta) and (leak, (key, i, w_i)) to define the key O This will only add equations to the system, and hence if there was a patient zero in the system before the change there will also be a patient zero in the system after the change.
Assume then that patient zero is a linear command from an XOR gate, again with index j. We process such a gate as follows: Compute O

After all the changes to the system, we now "garble" as follows: First call ∆ ← (fresh key, delta). Then for each input key, i ∈ [n], do: O^0_i ← (fresh key, (key, i, 0)), O^1_i ← (linear, (key, i, 1), (key, i, 0), delta), O^{w_i}_i ← (leak, (key, i, w_i)). It is then fairly straightforward to see that there are no compromised other keys. In particular, it is trivial to see that if an other key were compromised in this system, then the free-XOR scheme from [KS08] would trivially be insecure, as the system of equations created by the free-XOR scheme is a superset of the system created by the above commands. We therefore refer to [KS08] for the details of why the free-XOR trick is secure.
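The "simple linear algebra" of the modified system can be checked mechanically. The Python below is an added example, not part of the paper: it encodes every key identifier as a vector over GF(2) whose coordinates are the fresh keys, with delta as one extra coordinate, inserts the leaked identifiers into an XOR basis, and lists the wires whose other key (key, i, 1 − w_i) lies in the span. For XOR gates it uses the free-XOR rule (output 0-key = sum of the input 0-keys, 1-key = 0-key + delta) as an assumption in place of the XOR gate step that is not legible on this page; the gate encoding and the small circuit are constructed for the example, and the leak_both_on switch models a deliberately broken garbling that leaks both keys of one wire.

```python
def reduce_vec(vec, basis):
    # Reduce an int bitmask (a vector over GF(2)) against an XOR basis {pivot bit: row}; 0 means "in the span".
    for pivot in sorted(basis, reverse=True):
        if (vec >> pivot) & 1:
            vec ^= basis[pivot]
    return vec

def add_vec(vec, basis):
    vec = reduce_vec(vec, basis)
    if vec:
        basis[vec.bit_length() - 1] = vec

def modified_system(n, gates, x, leak_both_on=None):
    """Equations of the modified system as bit vectors: bit 0 stands for delta, bit i > 0 for
    the i'th fresh key. Input wires and NAND outputs get a fresh (key, i, 0); (key, i, 1) is
    (key, i, 0) + delta; (key, i, w_i) is leaked. An XOR output is the sum of its input keys
    (the free-XOR rule, assumed here for the XOR gate step this page does not reproduce)."""
    DELTA = 1
    key0, w, fresh = {}, list(x), 1
    for i in range(n):
        key0[i] = 1 << fresh
        fresh += 1
    for j, (kind, (a, b)) in enumerate(gates):
        if kind == "XOR":
            w.append(w[a] ^ w[b])
            key0[n + j] = key0[a] ^ key0[b]
        else:
            w.append(1 - (w[a] & w[b]))
            key0[n + j] = 1 << fresh
            fresh += 1

    def key(i, bit):
        return key0[i] ^ (DELTA if bit else 0)

    leaked = [key(i, w[i]) for i in key0]
    if leak_both_on is not None:  # deliberately broken variant: both keys of one wire are leaked
        leaked.append(key(leak_both_on, 1 - w[leak_both_on]))
    others = {i: key(i, 1 - w[i]) for i in key0}
    return leaked, others

def compromised_other_keys(n, gates, x, leak_both_on=None):
    """Wires i whose other key (key, i, 1 - w_i) lies in the span of the leaked values."""
    leaked, others = modified_system(n, gates, x, leak_both_on)
    basis = {}
    for v in leaked:
        add_vec(v, basis)
    return [i for i, v in others.items() if reduce_vec(v, basis) == 0]

def demo():
    # Constructed circuit: 3 input wires, wire 3 = NAND(0,1), 4 = XOR(3,2), 5 = NAND(4,0).
    gates = [("NAND", (0, 1)), ("XOR", (3, 2)), ("NAND", (4, 0))]
    clean = all(compromised_other_keys(3, gates, [(v >> i) & 1 for i in range(3)]) == []
                for v in range(8))
    broken = compromised_other_keys(3, gates, [1, 0, 1], leak_both_on=2)
    return clean, broken
```

On the clean system no other key is ever in the span, for every input x, because each fresh key occurs in exactly one leaked generator and so delta itself never enters the span. Leaking both keys of a single wire puts delta into the span and thereby compromises every wire at once, which is why the proof tracks the first compromised identifier rather than a particular wire.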
Notice that we can use a subset of this proof to prove security of our free-XOR privacy-free garbling scheme, since the free-XOR already implements the global difference ∆. Specifically we have the following theorem: 
Privacy-free fleXOR
In [KMR14] Kolesnikov et al. introduced a generalization and optimization of the free-XOR approach which allows one to weaken the security assumption needed for free-XOR and/or limit the number of ciphertexts used to garble non-XOR gates. In their schemes (only considering fan-in 2 gates) non-XOR gates are constructed exactly as one would in a regular garbling scheme, but XOR gates are constructed differently and, depending on a wire ordering of the circuit, consist of either 0, 1 or 2 ciphertexts. When the garbling scheme used implements aggressive row reduction (i.e., GRR1) this yields an overall smaller size for most garbled circuits compared to the size of garbled circuits constructed using the free-XOR approach.
Here we propose a variant of fleXOR which combines their ideas with non-oblivious gate evaluation, leading to a significant improvement in terms of computational complexity. Before we can describe our privacy-free fleXOR construction we need a few definitions. These are taken almost verbatim from [KMR14]. We assume familiarity with their construction and direct the reader to their paper if that is not the case.
is those for which L(i) ≠ L(g), which means that the ∆ used for the 1-key on wire i is different from the ∆ used on the output wire of the gate g. This in turn means that we must associate a ciphertext with wire i in order to "adjust" its key.
Regarding evaluation: for NAND gates the scheme again does the same as in Fig. 2 and Fig. 3, depending on whether or not the wire ordering is safe, respectively. For XOR gates the scheme first defines (in step a) the set T of input wires for which L(i) ≠ L(g), and parses the garbled gate for g into its ciphertexts, {C_i}_{i∈T}. Then in step c the scheme identifies the subset S ⊂ T of the input wires for which the input value on wire i is equal to 1, and finally, in step d, it computes the output key by XORing all input keys and the adjustments for all the wires belonging to the set S.
Security. As for our other privacy-free garbling schemes, correctness and verifiability follow relatively straightforwardly from the construction. The proof of authenticity follows from the one for the scheme in Fig. 2 (since the fleXOR variant is a generalization of the scheme described in Fig. 2, for which some input wires happen to have the same offset as the output wire) and from the assumption on the wire ordering. We refer to [KMR14] for more details.
