Garbling Gadgets for Boolean and Arithmetic Circuits

Transcription

1 Garblng Gadgets for Boolean and Arthmetc Crcuts Marshall Ball Columba Unnversty New York, NY Tal Malkn Columba Unversty New York, NY Mke Rosulek Oregon State Unversty Corvalls, Oregon oregonstate.edu ABSTRACT We present smple, practcal, and powerful new technques for garbled crcuts. These technques result n sgnfcant concrete and asymptotc mprovements over the state of the art, for several natural knds of computatons. For arthmetc crcuts over the ntegers, our constructon results n garbled crcuts wth free addton, weghted threshold gates wth cost ndependent of fan-n, and exponentaton by a fxed exponent wth cost ndependent of the exponent. For boolean crcuts, our constructon gves an exponental mprovement over the state of the art for threshold gates (ncludng AND/OR gates) of hgh fan-n. Our constructon can be effcently nstantated wth practcal symmetrc-key prmtves (e.g., AES), and s proven secure under smlar assumptons to that of the Free-XOR garblng scheme (Kolesnkov & Schneder, ICALP 2008). We gve an extensve comparson between our scheme and stateof-the-art garblng schemes appled to boolean crcuts. 1. INTRODUCTION Garbled crcuts were famously ntroduced by Yao n the 1980s [20]. Snce that tme they have become an nvaluable technque for both practcal and theoretcal cryptographc constructons. Most notably, garbled crcuts form the conceptual core for the most practcal approaches to secure two-party computaton. In these protocols, the garbled crcuts are the major performance bottleneck both n computaton and communcaton. A consderable amount of work [5, 16, 14, 18, 6, 13, 21, 11] has been dedcated to reducng the cost of garbled crcuts snce Yao s semnal constructon. The current state of the art provdes hghly effcent garblng for boolean crcuts expressed usng XOR, NOT, & AND gates. Concretely, usng the most recent half gates constructon of Zahur, Rosulek and Evans [21], XOR & NOT nvolve no computaton or communcaton, whle fan-n-2 AND gates requre 4 AES calls to garble, 2 AES calls to evaluate, and 256 bts to communcate. Implementatons lke JustGarble [6], whch take advantage of hardware-accelerated AES, can garble Permsson to make dgtal or hard copes of all or part of ths work for personal or classroom use s granted wthout fee provded that copes are not made or dstrbuted for proft or commercal advantage and that copes bear ths notce and the full ctaton on the frst page. Copyrghts for components of ths work owned by others than the author(s) must be honored. Abstractng wth credt s permtted. To copy otherwse, or republsh, to post on servers or to redstrbute to lsts, requres pror specfc permsson and/or a fee. Request permssons from permssons@acm.org. CCS 16, October 24-28, 2016, Venna, Austra c 2016 Copyrght held by the owner/author(s). Publcaton rghts lcensed to ACM. ISBN /16/10... $15.00 DOI: crcuts at a rate of 100s of mllons AND gates per second on consumer hardware. Despte ths success story, garbled crcuts reman ted deeply to boolean crcuts. Many computatons of nterest are cumbersome and expensve to express as boolean crcuts. As two specfc examples (whch our contrbutons address drectly): Threshold computatons wth very hgh fan-n (for example, the knds of computatons that mght be found n a neural-network-based classfer) do not have small boolean crcuts. Arthmetc computatons (over the ntegers or n a rng mod m) are poorly suted to boolean crcuts, especally when compared to other technques for secure computaton that are based on secret sharng. In partcular, secret-sharng-based secure computaton protocols allow addtons for free, whereas addton n a boolean crcut requres non-free AND gates (even gnorng a possble modular reducton step). Our work ams to address these shortcomngs of boolean crcuts and drectly construct garbled crcut technques supportng these advanced knds of computatons. 1.1 Our Contrbutons We show a practcal garblng scheme that can be used to natvely garble both boolean crcuts and arthmetc crcuts (wth arthmetc over a large modulus), applyng nsghts and technques from one doman to the other. Our approach gves sgnfcant concrete & asymptotc mprovements over the state of the art. In partcular, our most extreme mprovements are for the followng knds of computatons (below λ s a securty parameter, e.g., 128 bts): Lnear operatons n arthmetc crcuts. Our scheme supports addton and multplcaton by a publc constant for free, over the ntegers. Other costs n the scheme (.e., sze of wre labels & cost of other gates) depend only polylogarthmcally on the maxmum sze of ntegers n the computaton. In ths way, our constructon combnes the best aspects of the two man paradgms for secure computaton: free addton (beyond addton mod 2) as n secret-sharng-based MPC, and constant-round protocols from garbled crcuts. Current garbled crcut technques would represent ntegers n bnary and ncur O(λ l) cost to add two l-bt numbers. 565

2 Other arthmetc operatons. Our scheme supports exponentaton (by a fxed/publc power) wth cost ndependent of the choce of exponent, and weghted threshold gates wth cost that s ndependent of the fan-n. Hgh fan-n boolean threshold gates. For gates of fann b, our constructon requres O(λ log 3 b) bts, or only O(λ log 2 b) bts n the specal case of AND/OR gates. Current technques are exponentally worse, requrng Θ(λb) bts even for AND/OR gates. On the other hand, our scheme does least well on comparson gates, where we are polynomally slower. We gve more n-depth comparsons between our scheme and exstng technques n Sectons 7 and 8. We also explore the case of natural lnear algebrac operatons over the ntegers (e.g., matrx multplcaton) and show that our technques gve close to an order of magntude mprovement. Fnally, we use our constructon to crcumvent the lower bound of [21]. They proved that any garblng scheme usng known technques requres 2λ bts to garble a sngle ANDgate, whle we show an nstantaton of our constructon that garbles a sngle AND-gate usng only λ bts. Ths nstantaton s of theoretcal nterest, but does not lead to mprovements for general larger crcuts. 1.2 Technques Our results buld on a smple and powerful combnaton of technques that were ntroduced n prevous works n several contexts. In partcular, our garblng scheme s based on a natural generalzaton of the Free-XOR technque of Kolesnkov & Schneder [14], allowng for free addton mod larger m, rather than just mod 2. Ths generalzaton was shown before, e.g. by Malkn, Pastro and shelat [15], who used t to obtan free addton n arthmetc (mod m) crcuts. We observe that ths technque s n fact useful not only for mod-m addton, but for any operaton that depends only on the Hammng weght of ts nputs (namely, symmetrc operaton): such operatons can be garbled by frst applyng free addton to get the Hammng weght, then applyng a projecton gadget whch garbles a unary mappng of each sum to the correct output. Ths projecton gadget can be vewed as the trval extenson of Yao s garbled gate, appled to unary gates over mod m nputs (smlar gadgets have been used before, at least mplctly, e.g. n [14, 13]). In Secton 4 we formally descrbe these smple components as a garblng scheme for what we call mxed modul smple crcuts, whch are crcuts that allow only modular addton (under many modul) and projectons. As we show n Secton 5, these smple components already provde savngs over the state of the art, even for boolean crcuts, through smple ways to represent boolean gadgets as mxed modul crcuts. One example s a boolean fan-n-b AND gate, whch has output equal 1 f and only f the sum of ts nputs equals b, and thus can be represented as a projecton of sum. Ths representaton can be vewed as an extenson of the one by Nelsen and Orland [17], who (n a dfferent context) represent a fan-n-2 NAND gate by addng the two nputs over the ntegers and then gvng a gadget that checks whether or not the result equals 2. Whle the above deas drectly handle symmetrc operatons lke boolean AND and threshold gates, as well as arthmetc addton, the cost grows prohbtvely hgh as the modulus (or the fan-n) grows, and other operatons such as comparson or modular multplcaton are also hghly neffcent. We address ths n Secton 6 by showng how to express those more complex operatons wth hgh modul more effcently as mxed modul crcuts. In partcular, we represent large-modulus values usng the Chnese Remander Theorem (CRT), as well as another prmoral mxed-radx representaton, together wth several other optmzatons (as we wll explan). We note that CRT-based representatons have also been used n many other contexts, wth the most relevant one beng by Applebaum, Isha, and Kushlevtz [2] who (n addton to ther more effcent man result) outlne a garblng scheme for arthmetc crcuts, relyng on frst encodng the nputs va CRT encodng, and then applyng standard boolean garbled crcut technques. In Secton 7 we dscuss how to use our gadgets for better garblng of boolean and arthmetc crcuts, provde asymptotc and concrete comparson wth standard garbled crcut technques, and dscuss a lnear algebrac applcaton scenaro. Fnally n Secton 8 we gve a more n-depth comparson to the related work dscussed above, and to other 2PC technques. 2. PRELIMINARIES Logarthms are taken to be base 2, unless otherwse noted. We take p to denote the -th prme. Let Z denote the ntegers, and N the natural numbers. Addtonally, Z m denotes the rng of ntegers modulo m N. We use [x] m to denote the resdue of x mod m. In some cases t s convenent to defne < on Z m. For concreteness, f m = 2k + 1 for some k, then consder Z m as { k,..., 1, 0, 1,..., k} and let x < y f y x > 0 over Z. Otherwse f m = 2k, then consder Z m as { k + 1,..., 1, 0, 1,..., k}, defnng order dentcally. 2.1 Garbled Crcuts We use the garblng schemes abstracton and securty defntons of Bellare, Hoang and Rogaway [7]. Roughly speakng, a garblng scheme conssts of the followng algorthms: Gb: gven nput a crcut f, generates garbled crcut F, encodng nformaton e, and decodng nformaton d En: gven a crcut-nput x, encodng nformaton e, generates garbled nput X Ev: gven garbled crcut F and garbled nput X, generates garbled output Y De: gven garbled output Y and decodng nformaton d, generates plantext crcut-output y Bellare et al. dentfy 3 natural securty propertes for a garblng scheme, whch we summarze below. For more detals, we refer the reader to [7]: Prvacy (prv.sm securty): ntutvely, the dstrbuton of values (F, X, d) generated as above leaks no more than f(x). More specfcally, there exsts a smulator that can smulate the jont dstrbuton of (F, X, d) gven just f and f(x). Oblvousness (obv.sm securty): the values (F, X) alone (.e., wthout d) leak nothng about x. That s, there exsts a smulator that can smulate (F, X) gven just f. 566

3 Authentcty (aut securty): Gven (F, X), t s nfeasble for an adversary to generate Ỹ Ev(F, X) such that De(d, Y ). 3. BACKGROUND ON GARBLED CIRCUITS We gve a bref and self-contaned overvew of standard garbled crcut constructons and optmzatons. Readers famlar wth garbled crcuts may safely skp ths secton. 3.1 Yao s Classcal Constructon In (the modern nterpretaton of) Yao s scheme [20], the garbler chooses two random wre labels W 0 and W 1 for each wre, where W x s a bt-strng encodng the truth value x. Then for each (boolean, fan-n 2) gate, the garbler generates a garbled gate consstng of 4 cphertexts. If a gate has nput wres ndexed and j, output wre ndex k, and functonalty g : {0, 1} 2 {0, 1}, then the 4 cphertexts are: E W 0,W 0 j E W 1,W 0 j g(0,0) g(0,1) (Wk ), E W 0,W j 1 (Wk ), g(1,0) g(1,1) (Wk ), E W 1,W j 1 (Wk ) where E k (m) s a sutable encrypton scheme. Intutvely, the wre labels encodng (a, b) on the nput wres are used as keys to encrypt the wre label encodng g(a, b) on the output wre. An evaluator evaluates the garbled crcut by holdng one wre label per wre. Hence, she can decrypt only one cphertext per gate, and learn one label for the output wre. We pont out that Yao s classcal scheme can be trvally extended to support garblng of non-boolean crcuts of any fan-n. In partcular, for m-ary wres we choose m dfferent wre labels on each wre. Then to garble a fan-n-k gate, we nclude m k cphertexts (one for each entry n the gate s truth table). Whle ths trval extenson s obvously not effcent, we wll rely on ths observaton for unary gates (fan-n 1) as a component n some of our gadgets. 3.2 Standard Elementary Optmzatons Arrangng the 4 cphertexts n order of truth values leaks nformaton, so n the classcal scheme these cphertexts are gven n random order. The evaluator performs tral decrypton on each one, and we use an encrypton scheme that makes t obvous when decryptng the correct cphertext. A better approach s to use the pont-and-permute optmzaton of Beaver, Mcal and Rogaway [5]. A random color bt s appended to each wre label, so that W 0 and W 1 have opposte color bts. Because the assocaton between colors and truth values s random, t s safe to arrange the 4 cphertexts accordng to color bts of the nput wre labels (.e., the frst cphertext should be the one that uses two keys havng both 0 color bts, regardless of what truth value they represent). Usng pont-and-permute, the evaluator need only decrypt one cphertext the one ndcated by the color bts of the nput wre labels. Hence, t s possble to use a smple onetme encrypton scheme E k1,k 2 (m) = H(g; k 1 k 2) m, where g s the ndex of the gate and H s a key dervaton functon or random oracle. The number of cphertexts can also be reduced from 4 to 3 by the followng row reducton trck of Naor, Pnkas and Sumner [16]. Instead of choosng the output wre labels Wk 0 and Wk 1 at random, we choose one of them so that the frst of the 4 cphertexts s always the all-zeroes strng. For example, f the frst cphertext for a gate s E W 0,W 0 j (W 1 k ) = H(g; W 0 W 0 j ) W 1 k, then we choose W 1 k not unformly, but as H(g; W 0 W 0 j ). Snce the frst cphertext s all zeroes, t need not be sent, and only 3 cphertexts are requred. Note that ths method constrans the selecton of one of W 0 k, W 1 k. A more sophstcated approach, constranng the selecton of both labels, can further reduce the garbled gate to 2 cphertexts, as shown by Pnkas et al. [18] (see also a smpler constructon n [11]). 3.3 Free-XOR Arguably the optmzaton to garbled crcuts wth the hghest practcal mpact s the Free-XOR optmzaton of Kolesnkov & Schneder [14]. When usng Free-XOR, wre labels are chosen so that W 0 W 1 =, where {0, 1} λ s a secret value that s common to the entre crcut. In other words, the wre label that encodes x can be wrtten as W x = W 0 x. The result of ths choce of wre labels s that (W x W y j ) = (W 0 Wj 0 ) (x y) ; that s, smply XORng two wre labels that encode x & y results n a wre label encodng x y, f we take Wk 0 = W 0 Wj 0 to be the false wre label of the output wre. As a consequence, garbled values can be XOR ed wthout any cryptographc operatons by the evaluator or any garbled-gate nformaton n the garbled crcut. To support pont-and-permute, consder appendng an addtonal bt to both and each wre label to represent the color bts. Suppose ths last bt of s 1, and we extend the relaton W 0 W 1 = to nclude these color bts, then on every wre the two wre labels W 0 and W 1 wll stll have opposte and random color bts. Ths s all that s requred for pont-and-permute. The Free-XOR optmzaton s easly compatble wth the row reducton trck above, allowng for 3 cphertexts per AND gate and 0 per XOR. It s not compatble wth the 2-row reducton of [18], snce that technque constrans the selecton of both wre labels, and thus does not allow to mantan the requred relaton. However, the half-gates technque of [21] provdes a way to acheve a 2 cphertext AND that s compatble wth free-xor. 4. OUR BUILDING BLOCKS 4.1 Generalzng Free-XOR & Pont-Permute Our startng pont s a natural generalzaton of Free- XOR whch permts free addton mod m for any fxed m (collapsng to Free-XOR when m = 2). Ths generalzaton was also used by [15]. In ths secton, and throughout the rest of ths paper, we nterpret wre labels as vectors of Z m- elements. We use bold-face symbols to denote wre labels (Z m-vectors). Each wre carres a logcal value n Z m. The wre label encodng x Z m s W x = W 0 + x m, where now addton refers to component-wse addton n Z m. The value m s a random vector of Z m-elements that s global to the crcut. Our constructon wll nvolve wres wth dfferent modul, and we use a dfferent m for each modulus m (but all wres wth assocated modulus m wll share the same m). Lke Free-XOR, ths generalzaton supports several computatons on garbled values for free: Addton mod m: We can add garbled values mod m 567

4 for free, snce (W x + W y j ) = (W 0 + Wj 0 ) + (x + y) m (where addtons are mod m). Multplcaton by a publc/constant c mod m, provded that c s coprme to m: Ths becomes nontrval only when generalzng beyond m = 2. Indeed, let c Z m be a known constant, then cw x = c(w 0 + x m) = cw 0 +(cx) m, where the operatons are component-wse mod m. We requre c to be coprme to m for techncal reasons n the securty proof ntutvely, multplyng by c preserves ts unform dstrbuton. W 0 We can smlarly generalze the pont-permute optmzaton. As descrbed n Secton 3, magne appendng an extra color dgt (now a Z m element rather than a sngle bt) to each wre label and a 1 Z m dgt to m (any other dgt value that s coprme to m would also work). Let τ m(w ) denote the last component of such a wre label, then we have τ m(w x j ) = τ m(w 0 j ) + x τ m( m) = τ m(w 0 j ) + x. In other words the m possble wre labels for ths wre are assgned a random cyclc shft of the set Z m of possble colors, wth the cyclc shft amount beng determned by the random value τ m(wj 0 ). Ths turns out to be suffcent to prove securty of ths generalzaton of pont-permute. In short, seeng the color of a sngle label W x on a wre leaks no nformaton about ts truth value x. Length of the wre labels. Let λ denote the global securty parameter, and defne λ m = λ/ log m. Suppose wre labels mod m have λ m components, each from Z m. Then the length of wre labels when wrtten as strngs s at least λ bts, whch s mportant for securty. When accountng for the pont-permute optmzaton, we add an extra component to wre labels. In the end, wre labels mod m are elements of Z λm+1 m. Ther length n bts s therefore at most λ + 2 log m bts. Instead of startng wth λ-bt wre labels and addng a few bts for the color dgt, one could alternatvely thnk of all wre labels havng exactly λ bts (ncludng color dgts), but the color dgts slghtly degradng the effectve securty parameter by log m bts. For nstance, n practce one would typcally use AES-128 to mplement garbled crcuts. Then t s convenent f all wre labels are exactly 128 bts. One would requre AES to provde securty when the last log m bts of the key are known. In our fnal constructons, we never suggest a modulus m larger than, say, 256. So n practce our constructon would degrade the AES securty by only 8 bts. We note that all mplementatons of garbled crcuts take ths approach, but for the case of smple pontpermute where the degradaton of securty s only 1 bt. 4.2 Garblng Mxed Modul Smple Crcuts Next, we construct a smple and practcal garblng scheme for a specal subclass of crcuts. In the followng sectons we wll show how to effcently express more general computatons wth ths subclass. A mxed-modulus smple crcut s a crcut (drected acyclc graph) where each wre has an assocated modulus (.e., the wre can carry values from Z m for ts preferred m). In addton to standard nput/output gates, the crcut s allowed to have the followng types of nternal gates: An addton-mod-m gate (of unbounded fan-n) s allowed f all the wres touchng the gate are mod-m wres. A unary gate that multples by a constant mod m s allowed f both the nput and output wre are mod m, and f the constant s coprme to m. Arbtrary unary projecton gates: f the nput wre s mod-m and the output wre s mod-n, then the gate can apply an arbtrary functon ϕ : Z m Z n. We refer to a gate wth ths functonalty as Proj ϕ. In our constructon, the frst two types of gates are free, and the thrd type uses at most m 1 cphertexts (the 1 follows from the row-reducton technque). The man dea follows the dscusson above. For each modulus m that appears n the crcut, we choose a global value m (nterpreted as a vector n Z λm+1 m ), and use the generalzed free-xor method of choosng wre labels. That s, W 0 s random and W x = W 0 + x m. Addton mod m and multplcaton by a (coprme) constant can be garbled for free, as descrbed above. A projecton gate Proj ϕ can be garbled usng m cphertexts, where each wre label W x s used to encrypt the assocated payload W ϕ(x) j. These m cphertexts can be ordered by the color dgts of the nput wre labels, namely by x+τ, where τ = τ m(w 0 ). Thus, the garbled gate conssts of the followng m cphertexts (one for each x): Ĝ x+τ = H(g, W 0 + x m) + W 0 j + ϕ(x) n = H(g, W x ) + W ϕ(x) j, where H s a hash/key dervaton functon (see below) and g s the gate ndex (used as a tweak n the hash functon). The outer vector addton (as well as the value of ϕ(x)) s over Z n, whle the nner vector addton (as well as the values of x, τ) are over Z m. The evaluator wll decrypt only one of these cphertexts, specfcally the one whose subscrpt s the color dgt of the nput wre label she holds. Usng the row reducton trck descrbed above [16], we can remove one of the cphertexts (gettng m 1) by settng Ĝ 0 = 0. To do ths, choose Wj 0 = H(g, W τ ) ϕ( τ) n. We could also remove 2 cphertexts (gettng m 2) usng the approach of [18, 11], but at the cost of havng the output wre labels no longer satsfy the m-correlaton property. The scheme s presented formally n Fgure Securty Here we prove securty of the basc garblng scheme we just presented. We pont out that the securty of our constructons n later sectons wll follow from the fact that we express the desred functonalty as a mxed-modulus smple crcut, to be garbled usng our basc scheme. The orgnal free-xor constructon of [14] was proven secure n the random oracle model. Cho et al. [9] later proved that the securty depends only on a specfc property of the oracle that they called crcular correlatonrobustness. Let H be a hash functon and defne an oracle O H (g, X, Y, a, b, c) = H(g, X a, Y b ) c. Here X, Y, are strng of length λ, whle a, b, c are bts, and g s an arbtrary strng. Then H s crcular-correlaton-robust f the outputs of ths oracle appear random, to adversares that query on dstnct g values wth a, b not both zero, when s chosen unformly. We use the correspondng generalzaton to multple 568

5 procedure Gb(1 λ, f) for m f.wredomans do λ λ m log m u m Z λm m 1 for f.nputs do Z m.doman W 0 u Z λm+1 m ê (W1 0,..., Wq 0, m1,..., mr ) for g f.gates topo do a g.nputs Z m g.doman f g s Add m-gate then W 0 g b =1 W 0 a else f g s Mult c-gate then Wg 0 c Wa 0 1 else f g s Proj ϕ gate then Z n g.range τ τ(wa 0 1 ) Wg 0 H(g, Wa 0 1 τ m) ϕ( τ) n for x Z m do Ĝ g x+τ H ( ) g, Wa x m + W 0 g + ϕ(x) n Ĝ g (Ĝg 1,..., Ĝg k 1 ) ˆF (Ĝ1,..., Ĝ gates.proj ) for f.outputs do Z m.doman, for k Z m do d k H(out k, W 0 + k m) d (d 0,..., d m 1 ) ˆd (d 1,..., d l ) return ( ˆF, ê, ˆd) procedure En(ê, ˆx) for x ˆx do Z m.doman X W 0 + x m return ˆX (X 1,..., X q) procedure De( ˆd, Ŷ ) for d ˆd do Z m.doman (h 1,..., h m) d for k Z m do f H(out k, Y ) = h k then y k f y unassgned then return return ŷ (y 1,..., y l ) procedure Ev( ˆF, ˆX) for f.nputs do W X for g f.gates topo do a g.nputs Z m g.doman f g s Add m-gate then W g b =1 Wa else f g s Mult c-gate then W g c W a1 else f g s Proj gate then ˆτ τ(w a1 ) W g Ĝgˆτ H(g, Wa 1) for f.outputs do Y W return Ŷ (Y1,..., Y l) Fgure 1: Our garblng scheme for mxed modul smple crcuts values (one for each modulus). oracle: We defne the followng O H m1,..., mn (g,, j, X, a, c) = H(g, X + a m ) + c mj We assume that the nner addton s mod m and the outer addton s mod m j. The parameter a s nterpreted as a value mod m and c as a value mod m j. We also assume that the nputs and outputs of H can be nterpreted as vectors of Z m-elements for approprate m whenever needed. Defnton 1. We say that H s mxed-modulus crcular correlaton robust f for all polynomal tme adversares that query ther oracle on dstnct g values and a 0, the oracle O H m1,..., mn (wth m values chosen unformly) s ndstngushable from a random functon. As usual, ths assumpton can be abstracted away f one s wllng to use the random oracle model. Theorem 1. The scheme n Fgure 1 satsfes the prv.sm, obv.sm, and aut securty defntons (Secton 2.1), when the functon H s mxed-modulus crcular correlaton robust (Defnton 1). Proof Sketch. The proofs follow very closely the securty proof for Free-XOR n [9] and a smlar proof n [13]. We start out wth (F, X, d) generated va (F, e, d) Gb(f) and X En(e, x). The man dea s to frst perform a conceptual shft to ths hybrd. The garblng procedure s normally wrtten from the garbler s pont of vew, mantanng the false wre labels W for each wre. We can nstead compute for every wre n the crcut the value v that s on that wre when the crcut s nput s x. Note that ths hybrd stll requres knowng the crcut nput x only n later hybrds can we argue that x s not used. Then we can dentfy for each wre whch wre label W wll be vsble to the evaluator. Fnally, we replace every reference to a wre label W z wth W + (z v ) m. After ths conceptual shft, we see that all garbled gate cphertexts (and decodng nformaton d) can be wrtten n the followng form: H(g, W + a m) + c m + Q where W and Q are known to the evaluator (Q s ether another vsble wre label, or an empty strng n the case of the decodng nformaton). Because of the shft to the evaluator s pont of vew, whenever a = 0, we also have c = 0. Hence all of these cphertexts can be computed wthout the m values, and only oracle access to the mxed-modulus-correlaton-robustness oracle of Defnton 1. Hence all cphertexts, apart from the ones where a = 0 above, can be replaced wth unformly chosen values. After dong such a replacement, we see that the v values (the truth values on each wre of the crcut) are no longer 569

6 needed. They were used to compute a and c values n the above. The only other place there were used s to determne whch cyclc shft of the decodng nformaton d to apply on each output wre. But the v values for output wres are smply the crcut output f(x). Hence, the fnal result s a smulator that depends only on f(x). For obv.sm securty, we smply observe that n the above smulator, f(x) s used only to compute d. So when d s not gven, the smulator does not requre f(x). For aut securty, we observe that all other entres n d (apart from the ones obtanable by Ev(F, X)) are chosen unformly by the smulator. Hence, the probablty that the evaluator guesses any other output wre label correctly s 1/2 λ. 5. SIMPLE IMPROVEMENTS TO GARBLED SYMMETRIC BOOLEAN GATES In the prevous secton we saw a gadget extendng Free- XOR to allow free addton-mod-m for m > 2 (assumng all wres have mod-m labels). Perhaps surprsngly, ths turns out to be useful not only for (arthmetc) modular addton, but even for boolean computatons. For example, consder an AND gate x 1 x b wth fan-n b. We observe that ths gate can be expressed as χ b ( x) where χ b(n) = 1 f n = b and χ b (n) = 0 otherwse. 1 In the termnology above, we have expressed an AND as a projecton of a sum. If the nput wres to ths AND gate have mod-(b + 1) wre labels, then the addton s free (and wll not wrap around). So the total cost of the AND gate s that of the Z b+1 projecton gate, whch s b cphertexts. By comparson, the best-known way to garble a fan-n-b AND gate usng exstng boolean technques s to make a tree of b 1 bnary AND gates and use the constructon of [21], costng 2 cphertexts per AND gate for a total of 2b 2 cphertexts. Thus, our basc buldng blocks already gve a constant sze mprovement (from 2b 2 to b). It s also clear that any t-out-of-b threshold gate can be garbled at the same cost (b cphertexts) by substtutng χ b for an approprate projecton functon. Most generally, we can garble at a cost of b cphertexts any symmetrc fan-n-b Boolean gate (a symmetrc gate s one whose output depends only on the Hammng weght of ts nputs). Whle these mprovements are already sgnfcant, we later show how to do exponentally better for threshold gates n the case of very hgh fan-n. Crcumventng a lower bound. For b = 2, ths gves us a boolean AND gate at a cost of 2 cphertexts, whch matches the half-gates constructon of [21]. The half-gates constructon s compatble wth Free- XOR (n our termnology, t uses wre labels that are 2- correlated), whle ours requres nput wre labels to be mod-3 (the output labels n our constructon can use any modulus). Lookng more closely at our constructon, we express an AND as a projecton of a sum. As explaned above, the nomnal cost of the projecton s b + 1 cphertexts, whch we reduce to b usng the smple row-reducton dea. However, as we ponted out, we can further reduce t to b 1 usng the more nvolved row reducton technque of [18], at the prce 1 As prevously mentoned, ths can be vewed as generalzng the representaton of fan-n-2 NAND gates n [17]. of havng both output wre labels constraned, and thus not satsfyng the requred correlaton. Consder now a sngle boolean AND gate (thus, correlaton of the output wre labels s unmportant). We can garble ths AND gate wth just a sngle cphertext. Ths constructon s not very useful n tself, snce t does not compose even wth tself (although t may gve some savngs for boolean crcuts of a certan structure, that doesn t requre all wres to have a correlaton). However, t s of theoretcal nterest, snce t crcumvents a lower bound. Specfcally, [21] show not only a 2-cphertext upper bound for garbled AND gates, but also that the cost of 2 cphertexts s optmal n a model they defne, capturng all prevously known garblng schemes. The reason our constructon s able to crcumvent the lower bound s that ther model ncludes the mplct assumpton that there s a sngle color bt per wre label. Our constructon breaks the bound by usng a generalzed color dgt from Z 3 nstead of from Z 2. Ths underscores the power of our pont-permute generalzaton, whose man techncal dfference from Free-XOR s the use of generalzed color dgts for wre labels. 6. GARBLING ARITHMETIC GATES OVER LARGE MODULI Our basc constructon (Fgure 1) can n prncple be used to represent any boolean crcut. However, whle t supports free addton mod m, the cost of the non-free projecton gates s lnear n the modulus m, whch s clearly mpractcal for large values of m. We are nterested n large values of m both for boolean crcuts wth massve fan-n (say m 1000), and even more so for arthmetc crcuts (wth, e.g., m 2 64 ). Indeed, one of the most natural uses of arthmetc crcuts s to carry out computatons over the ntegers, by choosng a modulus that s larger than any ntermedate value n the computaton. In ths secton we suggest new representatons and gadgets that allow for radcally more effcent garblng over large modul. Despte the arthmetc nature of the gadgets, we wll show applcatons for both boolean and arthmetc crcuts. Rather than choosng a prme modulus, we choose a composte prmoral modulus P k = 2 3 p k, the product of the frst k prmes. Then values can be represented n terms of smaller modul Z 2 Z 3 Z pk usng the Chnese Remander Theorem (CRT). Defne the resdue representaton of x as: [[x]] crt := ([x] 2, [x] 3,..., [x] pk ) In terms of mxed-modulus crcuts, we represent [x]] crt wth a bundle of wres havng wre-modul 2, 3, and so on. Bounds on parameter szes. Suppose we wsh to support arthmetc over the ntegers, and we requre a modulus at least as large as some bound Z on the possble ntermedate values n the computaton. We have the followng facts from number theory: Lemma 1. Let k be the smallest nteger such that k p > Z (where p denotes the th prme). Then, asymptotcally: k = O(log Z/ log log Z); k p = O(log 2 Z/ log log Z); =1 p k = O(k log k) = Θ(log Z); k log 2 p = Θ(log Z). =1 570

7 Concrete example parameters are gven below: Z k p k k =1 p k =1 log 2 p Our constructons n ths secton have cost ether O( p) = O(log 2 Z) or O(k p) = O(log3 Z) cphertexts (each of length λ bts). To represent a sngle value [x]] crt requres a bundle of k = O(log Z) wres and hence that many wre labels (each λ bts long). Ths s comparable to representng the number x n bnary for a standard boolean garbled crcut, whch would also requre log Z wres/labels. 6.1 Basc Arthmetc Addton & multplcaton by a constant. To add [[x]] crt and [[y]] crt (modulo the prmoral composte), one smply adds ther CRT resdues component-wse. The cost s free n our garblng scheme. Smlarly, to multply [[x]] crt by a constant c, one smply multples by c wthn each ndvdual CRT resdue. For resdues p where c s coprme to p, the operaton s free n our garblng scheme. For resdues where c s not coprme to p, ths only happens when c 0 (mod p) by our choce of prme CRT modul. Hence the result of the multplcatonby-c wll be zero (and snce c s publc, t s known that the result wll be zero). For these CRT resdues, we nstead use a global wre label representng [0] p (ths s common to the whole crcut and sent as part of the garblng procedure - ndependent of the number of gates). Overall the cost of multplyng by any constant c s free. Exponentaton. To rase [[x]] crt to the power n (modulo the prmoral composte), for a publc constant n, t agan suffces to do so wthn each CRT resdue. Ths can be done wth a smple projecton gate φ p(x) = [x n ] p wthn each modulus p. The cost of a mod-p projecton gate s p 1 cphertexts, so the total cost of exponentaton s (p 1) cphertexts. For the use case of arthmetc over ntegers bounded by Z, the cost s O(log 2 Z) cphertexts. Ths constructon works also when the exponent s secret but known only to the crcut garbler. Ths s because our projecton gates hde the actual choce of projecton functon. Remander mod p. Suppose we wsh to transform [x]] crt nto [[x mod p ]] crt for some p that s among the prmes n our CRT representaton. Note that the value [x] p already exsts wthn [[x]] crt. All that s needed s to copy that value to the other resdues. Ths s acheved by usng an dentty projecton gate [x] p [x] pj for each other prme p j. The cost s p 1 cphertexts for each projecton, for a total of (k 1)(p 1). As a specal case, when the remander s mod 2, the total cost s k 1 cphertexts. General Multplcaton. To multply two (prvate) values [x]] crt and [[y]] crt, we agan smply multply ther resdues component-wse. A naïve way to multply two values mod p would be to generate a truth table of all p 2 combnatons, resultng n p 2 cphertexts. However, we can take advantage of the fact that each p s prme and nstead garble a multplcaton wth only O(p) cphertexts (wth small constants). For example, Malkn, Pastro & shelat [15] suggest such a way based on a generalzaton of [21] (who constructed a low-cost multplcaton gate over Z 2). Here we suggest the followng alternatve approach (whch convenently scales well wth hgh fan-n). Frst, let us blatantly gnore the case where 0 {x, y}. Dong so, we may wrte x y = g dlog g (x)+dlog g (y) where g s any prmtve root mod p. The addton n the exponent s mod p 1. Hence, our approach for multplcaton s to frst use a projecton gate to map Z p values to ther dscrete logs (n Z p 1). The cost s p 1 cphertexts for each nput. Whle the dscrete logarthm problem s of course dffcult n general, we are only askng for a lookup table of dscrete logarthms to be precomputed for very small p (e.g., p 103 for all of our proposed nstantatons). The dscrete logs can then be added mod p 1 for free, and fnally the result promoted to the fnal product usng a projecton gate z g z (mod p). The fnal projecton gate uses p 2 cphertexts, but to handle zeroes we wll use a slghtly dfferent projecton. To handle the case where one of the multplcands may be zero mod p, we wrte: { 0 f OR(x = 0, y = 0) x y = g dlog g (x)+dlog g (y) else To compute the comparsons x = 0 and y = 0 requres 2p 2 total cphertexts. We arrange for these comparsons to have output wre wth modulus 2. That way, we can compute ther OR for only 2 cphertexts. The two dlog projectons requre 2p 2 total cphertexts. The fnal operaton s { g z f b = 0 f(z, b) =. 0 else We can garble ths operaton wth the standard Yao truthtable approach, usng 2(p 1) 1 cphertexts f we use a rowreducton trck. The total cost of the entre multplcaton mod p s 6p 5 cphertexts. For the entre CRT representaton, the cost of multplcaton s (6p 5) cphertexts. For the use case of arthmetc over ntegers bounded by Z, the cost s O(log 2 Z) cphertexts. In the specal case where one of the multplcands y s a (secret) value known to the garbler, the cost can be reduced. The dea s to garble a projecton gate [x] p [xy] p wthn each resdue. The total cost s (p 1) cphertexts. The asymptotc cost s the same as a general multplcaton, but the concrete cost s roughly 6 tmes better. 571

8 6.2 Equalty Tests & Exact Weghted Threshold To test whether [[x]] crt = [[y]] crt, we observe that [[x]] crt = [y]] crt AND([x y] p1 = 0,..., [x y] pk = 0). The subtractons mod each p are free. We can test whether z 0 (mod p) usng a smple projecton gate. The cost of such a projecton gate s p 1 cphertexts. Note that the output of ths projecton gate can be any modulus, and we choose the output modulus to be k + 1 where k s the number of prmes n the CRT representaton. That way, we can garble the fnal AND gate usng k cphertexts usng the constructon descrbed n Secton 5. The total cost to garble ths equalty test s therefore k + (p 1) = p cphertexts. However, ths assumes an output of a sngle mod-2 wre. To use the output of the equalty test n other gadgets, the output would have to be represented as [x]] crt that s, as a bundle of wres wth dstnct modul. Ths smply requres an dentty projecton Z 2 Z p for each prme p. The cost s 1 cphertext per projecton, brngng the total cost of a composable equalty test to k + p = (p + 1) cphertexts, where k s the number of CRT modul. For the use case of arthmetc over ntegers bounded by Z, the cost s O(log 2 Z) cphertexts. Applcaton to exact-weghted-threshold gates. An exact weghted threshold gate refers to the followng knd of computaton: { 1 f t = Th t,c1,...,c b (x 1,..., x b ) = cx 0 otherwse For example, an AND gate s an exact weghted threshold, correspondng to the case where c 1 = = c b = 1 and t = b and where the x s are bts. We can garble these knds of gates effcently n our scheme when the nputs are n our CRT resdue encodng. The computaton conssts of a weghted sum followed by equalty test. The equalty test requres p cphertexts. When the weghts c are publc, the weghted sum s free, so there s no addtonal cost. In the case of boolean crcuts (where x s and c s are bts), ths constructon gves exponental mprovements over the state of the art for AND/OR gates. To use ths constructon n a boolean crcut, the nputs must stll be CRT-encoded, and the CRT encodng must be spacous enough to not overflow durng the addton step. The maxmum possble sum s equal to the fan-n b, hence we must have k prmes where k =1 p > b. Compared to the boolean case, each bt wll have k wre labels rather than just one, but the cost of the AND/OR gate wll be asymptotcally O(log 2 b) cphertexts rather than 2b 2 cphertexts (va a tree of bnary AND gates). 6.3 Comparsons & Weghted Threshold Gates Whle the CRT representaton s effectve for arthmetc operatons, t does not lend tself to smple comparsons. In ths secton we dscuss how to compare [[x]] crt and [[y]] crt. Our approach has several steps. Our hgh-level dea s to convert the CRT representaton nto a postonal number system. Specfcally, we use a prmoral mxed-radx (PMR) system. Ths number system s defned as [x]] pmr := (d k,..., d 1) Z pk Z p1, where: x d = (mod p ) p 1p 2 p 1 Whereas bnary has a 1s-dgt, 2s-dgt, 4s-dgt, 8s-dgt, and more generally a 2 -dgt, PMR has a 1s-dgt, 2s-dgt, 6s-dgt, 30s-dgt, and more generally a j< pj dgt.2 Once a number s converted nto PMR form, a comparson can be done easly, as we show. Frst steps. [ ] We wll frst show how to effcently compute x/p, q gven [x] p, [x] q and usng the operatons we have prevously dscussed (namely, free modular addtons and projectons). A runnng example correspondng to p = 3, q = 5 s gven n Fgure 2. The dea s to consder the functon δ(x) = [x] p [x] q, where we nterpret the terms [x] p and [x] q as ntegers (from {0,..., p 1} and {0,..., q 1}, respectvely), and the subtracton also over the ntegers. δ has the property that t s pecewse constant, wth a constant run endng each tme x s a multple of p or of q. In Fgure 2, the runs are shown dvded by vertcal lnes. In partcular, f x/p x /p, then x and x wll be n dfferent runs of δ. Wth p and q relatvely prme, there are p + q 1 runs. Furthermore, each run gves a dstnct output of δ mod p + q 1. In other words, f x/p x /p then δ(x) δ(x ) (mod p + q 1). Ths mples that we can wrte [ ] ( [[x]p ] ) x/p = ϕ [x] q q p+q 1 for a sutable projecton ϕ. For the example n Fgure 2, we can obtan [ x/3 ] 5 as ϕ([[x] 3 [x] 5] 7) where ϕ s the projecton 0 0; 1 3; 2 1; 3 3; 4 1; 5 4; 6 2. The cost to compute ths n a garbled crcut s the cost of Proj ϕ (p + q 2 cphertexts) plus the cost to project [x] p and [x] q to Z p+q 1 (another p + q 2 cphertexts). The subtracton mod p+q 1 s free. The total cost s 2p+2q 4 cphertexts. Full converson. Now we show how to use the prevous gadget to convert [[x]] crt to [[x]] pmr. Defne: [ x ] x,j := p 1 p To compute [[x]] pmr t suffces to compute x,+1 for all. We proceed recursvely. In the base case, x 0,j = [x] pj, whch s gven as part of [x]] crt. For the recursve step, we use the dentty a/b /c = a/bc and observe that [ x ] [ x ] p 1 p x,j = 1 p 1 p p j = whch s just the prevous gadget appled to x 1, and x 1,j. Inductvely, the total cost to obtan [[x]] pmr s the cost to 2 In fact, one can obtan the bnary number system by settng every p = 2. p j p p j 572

9 x [x] [x] [x] 3 [x] [[x] 3 [x] 5] [ x/3 ] Fgure 2: An example of the gadget computng [ x/p ] q. apply the gadget for all pars p, p j wth < j: ( ) k k (2p + 2p j + 4) = 2(k 1) p <j k Comparng values va PMR representaton. Suppose we wsh to determne whether [[x]] crt < [[y]] crt (note the CRT representaton, not PMR). Ths s equvalent to the comparson [[x y]] crt < 0. Suppose our CRT representaton uses one more prme modulus than s necessary. Then by assumpton, all ntermedate values n the crcut are at most p 1 p k 1 n absolute value. Then f x y s postve, the most sgnfcant dgt of [[x y]] pmr wll be zero. If x y s negatve, the sum wll wrap around mod p 1 p k and be a number larger than p 1 p k 1. Hence the most sgnfcant dgt of [[x y]] pmr wll be nonzero. Hence, to compare [x]] crt to [[y]] crt, we obtan [[x y]] crt for free, convert to [[x y]] pmr at the above cost, then do a smple projecton on the most sgnfcant dgt of [[x y]] pmr, costng p k cphertexts. If we desre to have the result of the comparson as a CRT-encoded wre bundle, an addtonal k cphertexts are requred, as was the case for exact thresholds. Overall, the total cost wll be k 2(k 1) p + 2k 2 k + p k =1 For the use case of arthmetc over ntegers bounded by Z, the cost of a comparson s O(log 3 Z) cphertexts. Applcaton to weghted threshold gates. A weghted threshold gate refers to the followng knd of computaton: { 1 f t > Th t,c1,...,c b (x 1,..., x b ) = cx 0 otherwse Snce a weghted threshold gate s smply a weghted sum followed by a comparson, the cost of such a threshold gate s smply the cost of a comparson as descrbed above. The weghted sum s free f the weghts are publc. 7. USING OUR SCHEME AND COMPARI- SON TO STANDARD GARBLING We have now ntroduced all of the low-level gates that are supported compactly by our garblng scheme. In ths secton we dscuss the costs nvolved when usng our scheme n the context of a secure computaton protocol. In partcular, we focus on the hdden costs nvolved n: (1) transferrng garbled nputs va oblvous transfers (2) =1 ensurng that all of our low-level gate gadgets nteroperate wthn a common crcut. We dscuss these costs n the context of a natural applcaton scenaro, and provde a comprehensve comparson of our scheme to standard stateof-the-art garblng technques. Our focus s on the communcaton costs: sze (number of cphertexts) of the garbled crcuts, and costs of OTs. Wth the use of hardware-accelerated AES nstructons, current 2PC applcatons of garbled crcuts are usually networkbound, 3 so communcaton cost reflects the domnant bottleneck. 7.1 Transferrng Wre Labels va OT In Yao s protocol paradgm, the crcut evaluator obtans her garbled nput va oblvous transfer (OT). For boolean crcuts, there are two possble wre labels per nput wre, and 1-out-of-2 OT s the natural way for the evaluator to obtan the one wre label of her choce on each wre. In practce, OT nstances are realzed va OT extenson protocols [4, 12]. The man dea behnd OT extenson s that after performng only λ so-called base OTs on random strngs, the partes can obtan a large number N λ of effectve OTs usng only cheap symmetrc-key operatons. Only the base OTs requre expensve publc-key operatons. When dscussng the cost of OT, we gnore the fxed cost of the base OTs. The margnal cost ncurred by each 1-out-of-2 OT nstance (for OT of λ-bt messages) s 2λ bts. However, when usng OT to transfer wre labels n partcular, t s possble to use an optmzaton smlar to row-reducton for garbled crcuts. One can allow the OT protocol tself to randomly choose one of the two possble wre labels. Ths reduces the margnal cost of each OT to just λ bts (cf. [3]). In our scheme, we consder crcuts whose wres carry values n Z p for some prme p. There are p possble wre labels for each such wre. When these wres are the nput wres of a crcut, we must provde a way for the recever to obtan approprate garbled nput. The nave way to do ths s usng 1-out-of-p OTs, at the cost of (p 1)λ bts. However, we suggest the followng superor approach whch takes advantage of the specfc form of the strngs. Consder a mod-p nput wre w to the crcut. Set l = log p and wrte w n bnary as w = l 1 j=0 wj2j. Our dea s to use l 1-out-of-2 OTs to obtan garbled nputs encodng the bts of w. Whle these w j nputs are bts, we requre them to be represented as mod-p wre labels. Then the computaton w = l 1 j=0 wj2j can be done for free wthn the crcut, as the values 2 j are publc. We note that the free addton wll be mod p, but by constructon the result of the weghted sum s w < p. 3 As a concrete example, the garblng scheme of Zahur et al. [21] reduced garbled crcut sze by 33% but doubled the number of AES calls for the evaluator (compared to pror work). The changes were stll a sgnfcant net mprovement. 573

10 The total cost of these OTs (usng the OT-row-reducton optmzaton descrbed above) s only l cphertexts. For an nput value [x]] crt represented by k prmes, the total cost of all OTs under ths method s log p. 7.2 Arthmetc Crcuts Consder the settng of garblng an arthmetc crcut nvolvng operatons over the ntegers. Let Z 1 be an 2 upper bound on the absolute value of ntermedate values wthn the crcut. Then our scheme should be nstantated usng CRT representatons wth k prmes, where k p k > Z to avod any wrap-arounds. We make a dstncton between the logcal values of the arthmetc crcut (.e., values n { Z 1 Z 1, Z + 1,..., }) and the physcal 2 2 (encodng) values n our mxed-modulus smple crcut (.e., values mod p for some prme p). In Fgure 3 we summarze the cost of varous arthmetc gates n our scheme, ncludng concrete costs for Z {2 16, 2 32, 2 64 }. The numbers n the table reflect gates whose (logcal) nput and output wres are all [[x]] crt bundles (e.g., not just sngle boolean wres n the case of comparsons). A sngle logcal value n the crcut s encoded by k = O(log Z/ log log Z) wre labels. The total OT cost for a logcal crcut nput s log p = O(log Z). The fgure also ncludes a comparson to the standard boolean garbled crcut approach. To obtan these numbers, we consder drectly convertng the arthmetc crcut nto a boolean crcut, and representng ts logcal values as bnary ntegers of length log Z bts. In partcular, ths means that the outputs of the multplcaton/exponentaton gates, not the nputs, are taken to be log Z bts long. To generate optmzed boolean subcrcuts for these operatons, we frst used Cryptol [10] to convert the nput/output specfcaton nto an unoptmzed crcut. We then used the ABC [8] and Yosys [19] crcut synthess tools to create an optmzed Verlog sequental crcut. Yosys was confgured to treat XOR and NOT gates as free and otherwse mnmze the crcut. The numbers n the table reflect the cost to garble each such subcrcut usng the state-of-the art half-gates garblng scheme [21]. For multplcaton- and exponentaton-by-constant, we chose arbtrary constants to obtan the subcrcuts. We see that, wth the excepton of comparson gates, our scheme results n less cost n almost all dmensons. Both the sze of the garbled crcut and the memory requrement (to store garbled values) are smaller n our constructon. The cost of OTs s slghtly hgher (12-37%). Addtonally, we emphasze that lnear operatons (addton and multplcaton by a constant) are free n our scheme. 7.3 Boolean Crcuts wth Hgh Fan-In Gates Our constructon also gves mprovements for Boolean crcuts, specfcally when gates have hgh fan n. In ths settng, we consder Boolean crcuts consstng of AND, OR, XOR, and threshold gates. Let b be an upper bound on the fan-n of any non-xor gate n a crcut. Our approach s to encode boolean values n a CRT representaton wth k prmes, where P k := k p > b. Ths suffces for us to use the boolean AND/OR and threshold gates descrbed n Sectons 6.2 & 6.3. The costs are summarzed n Fgure 4, and they reflect composable gates whose logcal outputs are also n the CRT representaton. A sde-effect of usng a CRT representaton to encode sngle bts s that we no longer have XOR for free. Rather, we have addton mod P k for free. However, snce 2 P k, the cost of XOR s ndeed low. To compute the XOR of values x 1,..., x n, we add them mod P k (for free), and then perform the transformaton [[ x]]crt [[ x mod 2]]crt usng the method n 6.1. The total cost of the fnal transformaton s k 1 cphertexts, regardless of the fan-n of ths XOR gate. As above, the fgure also contans a comparson to the standard boolean garbled crcut paradgm. The correspondng numbers reflect the cost of garblng the best avalable boolean crcut usng the half-gates constructon. The numbers for threshold gates are for a majorty gate (whereas the numbers for our scheme are for any threshold gate). For crcuts of ths knd, our cost for OTs and for XOR gates s certanly hgher. However, our exponental mprovement for AND/OR/threshold gates s strkng even for the modest values of fan-n that we consder. 7.4 Applcaton Scenaro We now focus our comparson to a specfc applcaton. Suppose Alce and Bob have prvate vectors (a 1,..., a n) and (b 1,..., b n), respectvely, and they would lke to prvately compute the nner product ab, n the presence of semhonest adversares (.e., usng Yao s protocol). The entres of these vectors are 32-bt nonnegatve ntegers (for example, these matrces could be a 32-bt fxed-pont representaton of real numbers), and so the nner product may contan 64-bt values. Such a computaton s representatve of a natural class of elementary lnear-algebrac computatons for example, a matrx multplcaton conssts of many such nner products. The computaton conssts of (1) an OT, (2) a multplcaton gate, and (3) an addton gate, for each component of the partes nput vectors (of course there are n multplcatons and n 1 addtons, but we assume n s large enough that the dfference of 1 addton s nsgnfcant). Usng our scheme, the partes would choose a CRT encodng large enough to avod overflow.e., so that k p > 264. In ths case, k = 16. Alce can garble the smple arthmetc crcut usng the approach outlned n Secton 6.1. Snce Alce knows one argument of each of the multplcaton gates, the cost to garble each multplcaton gate s 16 =1 (p 1) = 365 cphertexts. Addtons are free, and the cost of OT per nput element s 74 cphertexts. Usng the standard boolean approach, the partes must generate a boolean crcut that expresses the arthmetc computaton. For each component of the vectors, the crcut ncludes a 32-bt 32-bt multplcaton and 64-bt addton crcut. Usng Fgure 3, we see that the cost of an addton subcrcut s 126 cphertexts, and the cost of a multplcaton-by-constant s at least 3744 cphertexts. Note that n the desred functonalty, the garbled crcut must hde Alce s argument to the multplcaton gate, so t s perhaps rather optmstc to use the cost of a multplcaton-by-constant gate n our calculaton. The OT cost per nput element s 32 cphertexts. Overall, our total protocol cost per vector-component s = 439 cphertexts compared to = 3902 for the boolean case an mprovement of 88%. Ths smple example demonstrates that our constructon 574