
A New Approach to Garbled Circuits

Conference paper. Applied Cryptography and Network Security (ACNS 2023).

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13906)

Abstract

A garbling scheme is a fundamental cryptographic building block with a long list of applications. The study of different techniques for garbling a function, towards optimizing computation and communication complexity, has been an area of active research. Most common garbling techniques work by representing each gate in the circuit as a set of ciphertexts that encrypt its truth table row-by-row.

In this work we present a new garbling scheme in the random oracle (RO) model that garbles circuits in the gate-by-gate paradigm by capturing the gate functionality (\(\textsf{AND}, \textsf{XOR}\)) as a whole rather than as a set of ciphertexts. The final gate garbling requires \(4\kappa \) bits of communication in expectation, 4 RO calls for garbling and 1 RO call for evaluation. We prove that the scheme satisfies privacy in the non-programmable random oracle model and against PPT adversaries. We also show how this scheme can be extended to support free-XOR and garble any gate functionality over binary inputs.


Notes

  1. The proof technique we use is similar to [BHKR13] except that our adversary is PPT rather than query bounded. Since we do not assume anything about the adversarial strategy, this implies only that the bound on the number of queries is polynomial.

  2. We omit writing \(({\textbf{C}}_0,{\textbf{C}}_1,x^0,x^1)\) and other garbling parameters like \(\ell \) and \({\ell '}\) for brevity, but they are assumed to be always included.

References

  1. Acharya, A., Ashur, T., Cohen, E., Hazay, C., Yanai, A.: A new approach to garbled circuits. Cryptology ePrint Archive, Paper 2021/739 (2021). https://eprint.iacr.org/2021/739

  2. Applebaum, B.: Bootstrapping obfuscators via fast pseudorandom functions. Cryptology ePrint Archive, Paper 2013/699 (2013)

  3. Applebaum, B.: Garbled circuits as randomized encodings of functions: a primer. In: Tutorials on the Foundations of Cryptography, pp. 1–44 (2017)

  4. Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: IEEE S&P, pp. 478–492 (2013)

  5. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: ACM CCS, pp. 784–796 (2012)

  6. Ben-Efraim, A., Lindell, Y., Omri, E.: Optimizing semi-honest secure multiparty computation for the internet. In: ACM CCS, pp. 578–590 (2016)

  7. Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: STOC, pp. 503–513 (1990)

  8. Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacy-free garbled circuits with applications to efficient zero-knowledge. In: EUROCRYPT, pp. 191–219 (2015)

  9. Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: CRYPTO, pp. 465–482 (2010)

  10. Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)

  11. Ganesh, C., Kondi, Y., Patra, A., Sarkar, P.: Efficient adaptively secure zero-knowledge from garbled circuits. In: PKC, pp. 499–529 (2018)

  12. Heath, D., Kolesnikov, V.: Stacked garbling: garbled circuit proportional to longest execution path. In: CRYPTO, pp. 763–792 (2020)

  13. Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to round-efficient secure computation. In: FOCS, pp. 294–304 (2000)

  14. Ishai, Y.: Randomization techniques for secure computation. In: Secure Multi-Party Computation, Cryptology and Information Security Series, vol. 10, pp. 222–248 (2013)

  15. Kempka, C., Kikuchi, R., Suzuki, K.: How to circumvent the two-ciphertext lower bound for linear garbling schemes. In: ASIACRYPT, pp. 967–997 (2016)

  16. Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. (2014)

  17. Kolesnikov, V., Mohassel, P., Rosulek, M.: FleXOR: flexible garbling for XOR gates that beats free-XOR. In: CRYPTO, pp. 440–457 (2014)

  18. Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: ICALP, pp. 486–498 (2008)

  19. Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. J. Cryptol. 22(2), 161–188 (2009)

  20. Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: ACM EC, pp. 129–139 (1999)

  21. Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical. In: ASIACRYPT, pp. 250–267 (2009)

  22. Rosulek, M., Roy, L.: Three halves make a whole? Beating the half-gates lower bound for garbled circuits. In: CRYPTO, pp. 94–124 (2021)

  23. Yao, A.C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986)

  24. Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole: reducing data transfer in garbled circuits using half gates. In: EUROCRYPT, pp. 220–250 (2015)


Acknowledgments

The authors would like to thank the anonymous reviewers for their useful comments. In addition, we would like to thank Mike Rosulek for spotting an omission in an early version. Some text has been removed from the proceedings version for brevity; a full version of this paper can be found in [AAC+21]. A previous version contained an incorrect analysis for the achievable compression rate.

Anasuya Acharya, Efrat Cohen and Carmit Hazay are supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, and by ISF grant No. 1316/18. Carmit Hazay is also supported by the Algorand Centres of Excellence programme managed by Algorand Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Algorand Foundation.

Author information

Corresponding author: Anasuya Acharya.

Appendices

A Additional Details of the Scheme

A.1 Setting the Length of \(\textsf{RO}\) Output

The random oracle \(\textsf{RO}\) is employed in each gate in the garbling to derive the approximate keys \(t=(X_{00},X_{01},X_{10},X_{11})\) from the gate input labels \(\textsf{L}^A_0,\textsf{L}^A_1\) and \(\textsf{L}^B_0,\textsf{L}^B_1\). This oracle \(\textsf{RO}\) takes as an input a gate id \(g\in [q]\) as a tweak, and two \(\ell \)-bit labels: one from each input wire A and B. It outputs an \({\ell '}\)-bit value \(X_{ab}\). In the garbling scheme, for a security parameter \(\kappa \), we set \(\ell =\kappa \) and \({\ell '}=8\ell =8\kappa \). In this section we discuss the reason why \({\ell '}\) is set this way in terms of \(\kappa \).

Table 3. For a gate index g and \(j\in [{\ell '}]\), this table defines \(\nabla ^g_\wedge [j]\) (where \(f_g=\textsf{AND}\)) as a function of \(X^g_{00}[j], X^g_{01}[j], X^g_{10}[j], X^g_{11}[j]\). The right side demonstrates how \(X^g_{ab}[j]\circ \nabla ^g[j]\) collapses into only two distinct values \(\textsf{L}^g_0 = \textsf{L}_{00} = \textsf{L}_{01} = \textsf{L}_{10}\) and \(\textsf{L}^g_1 = \textsf{L}_{11}\). Each row in the table corresponds to one bit-slice of the values \(X^g_{ab}[j]\) for \(a,b\in \{0,1\}\).

The primary reason stems from the nature of the algorithm used to create \(\nabla ^g\). The gate garbling \(\nabla ^g\) is created bit by bit, independently per position, until it contains \(\ell \) positions with 1. From Tables 3 and 4 it is evident that a position j in \(\nabla ^g\) is set to 1 with probability \(\frac{1}{4}\) over a random choice of \((X_{00}[j],X_{01}[j],X_{10}[j],X_{11}[j])\in \{0,1\}^4\). As these bits originate from random oracle outputs, they are indeed distributed uniformly at random. Therefore, \({\ell '}\) needs to be set such that the probability of \(\nabla ^g\) having Hamming weight \(<\ell \) is negligible in \(\kappa \). Let us now examine this probability for \({\ell '}=8\kappa \).

Table 4. For a gate index g and \(j\in [{\ell '}]\), this table defines \(\nabla ^g_\oplus [j]\) (where \(f_g=\textsf{XOR}\)) as a function of \(X^g_{00}[j], X^g_{01}[j], X^g_{10}[j], X^g_{11}[j]\). In addition, the right side demonstrates how \(X^g_{ab}[j]\circ \nabla ^g[j]\) collapses into only two distinct values \(\textsf{L}^g_0 = \textsf{L}_{00} = \textsf{L}_{11}\) and \(\textsf{L}^g_1 = \textsf{L}_{01} = \textsf{L}_{10}\). Each row in the table corresponds to one bit-slice of the values \(X^g_{ab}[j]\) for \(a,b\in \{0,1\}\).

Table 5. For a gate index g, \(j\in [{\ell '}]\) and \(j'\in [\ell ]\), this table defines \(\nabla ^g_\wedge [j]\) (where \(f_g=\textsf{AND}\)) as a function of \(X^g_{00}[j], X^g_{01}[j], X^g_{10}[j], X^g_{11}[j]\) and \(\varDelta [j']\). In addition, the right side demonstrates how combining \(X^g_{ab}[j]\circ \nabla ^g[j]\) collapses into only two distinct values \(\textsf{L}^g_0 = \textsf{L}_{00} = \textsf{L}_{01} = \textsf{L}_{10}\) and \(\textsf{L}^g_1 = \textsf{L}_{11}\) such that \(\textsf{L}^g_0\oplus \textsf{L}^g_1=\varDelta \). Each row in the table corresponds to one bit-slice of the values \(X^g_{ab}[j]\) for \(a,b\in \{0,1\}\).

For a gate g, let H be a random variable that denotes the Hamming weight of \(\nabla ^g\) derived from a random \(t=(X_{00},X_{01},X_{10},X_{11})\) where each \(X_{ab}\in \{0,1\}^{{\ell '}}\).

$$H\sim \textsf{Binomial}({\ell '},\frac{1}{4})=\textsf{Binomial}(8\kappa ,\frac{1}{4})$$

This random variable has mean \(\mu =np= \frac{8\kappa }{4}=2\kappa \) and variance \(\sigma ^2=np(1-p)=1.5\kappa \). Then, using Hoeffding’s inequality for the lower tail of a binomial distribution with \(k=\kappa < np\),

$$\begin{aligned} \Pr [H<\kappa ] \le&e^{-2n(p-\frac{\kappa }{n})^2}\\ =&e^{-16\kappa (\frac{1}{4}-\frac{\kappa }{8\kappa })^2}\\ =&e^{-\frac{\kappa }{4}} \end{aligned}$$

which is negligible in \(\kappa \).
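The following is an added, self-contained toy instance of the gate garbling analysed above; it is example code written for this page, not code from the paper or its authors. It assumes SHAKE256 keyed by the gate id as a stand-in for \(\textsf{RO}^g\), reads Tables 3 and 4 as "keep position j iff the bit-slice already agrees on every input pair with the same gate output" (which gives the stated \(\frac{1}{4}\)), and treats \(X\circ \nabla \) as compaction of X to the \(\ell \) effective key positions. The garbler stops building \(\nabla ^g\) at its \(\ell \)-th 1 and truncates there, so the transmitted \(\nabla ^g\) is about \(4\ell \) bits in expectation; the evaluator needs one RO call. It also computes the Hoeffding bound \(e^{-\kappa /4}\) next to the exact binomial tail it bounds.

```python
"""Toy instance of the gate garbling analysed in Appendix A (added example, not the paper's code)."""
import hashlib
import math
import random
from fractions import Fraction
from itertools import product
from typing import Dict, List, Tuple

Bits = List[int]
GATES = {"AND": lambda a, b: a & b, "XOR": lambda a, b: a ^ b}


def ro_g(gate_id: int, la: Bits, lb: Bits, out_bits: int) -> Bits:
    """Stand-in for RO^g: SHAKE256 over (gate-id tweak || L^A || L^B), expanded to ell' bits.
    Assumption: the paper only needs a random oracle; SHAKE256 is this example's choice."""
    data = gate_id.to_bytes(4, "big") + bytes(la) + bytes(lb)
    digest = hashlib.shake_256(data).digest((out_bits + 7) // 8)
    return [(byte >> (7 - k)) & 1 for byte in digest for k in range(8)][:out_bits]


def collapses(gate: str, s: Tuple[int, int, int, int]) -> bool:
    """Our reading of Tables 3/4: nabla[j] = 1 iff the bit-slice (X00[j], X01[j], X10[j], X11[j])
    already agrees on every input pair that maps to the same gate output."""
    x00, x01, x10, x11 = s
    if gate == "AND":                      # L_00 = L_01 = L_10; L_11 is unconstrained
        return x00 == x01 == x10
    if gate == "XOR":                      # L_00 = L_11 and L_01 = L_10
        return x00 == x11 and x01 == x10
    raise ValueError(gate)


def collapse_probability(gate: str) -> Fraction:
    """Exact Pr[nabla[j] = 1] over a uniform bit-slice in {0,1}^4 (Appendix A states 1/4)."""
    return Fraction(sum(collapses(gate, s) for s in product((0, 1), repeat=4)), 16)


def project(x: Bits, nabla: Bits) -> Bits:
    """X o nabla: keep the bits of X at the effective key positions (assumption: compacted to ell bits)."""
    return [xj for xj, nj in zip(x, nabla) if nj]


def garble_gate(gate: str, gate_id: int, la, lb, ell: int):
    """Garbler: 4 RO calls, then build nabla position by position until it holds ell ones and
    truncate there (about 4*ell bits in expectation). Returns (nabla, (L^g_0, L^g_1))."""
    ell_prime = 8 * ell
    x = {(a, b): ro_g(gate_id, la[a], lb[b], ell_prime) for a in (0, 1) for b in (0, 1)}
    nabla, ones = [], 0
    for j in range(ell_prime):
        keep = collapses(gate, (x[0, 0][j], x[0, 1][j], x[1, 0][j], x[1, 1][j]))
        nabla.append(int(keep))
        ones += keep
        if ones == ell:
            break
    if ones < ell:   # Hamming weight below ell: probability at most exp(-ell/4) by Appendix A
        raise RuntimeError("fewer than ell collapsing positions; garbling fails")
    labels: Dict[int, Bits] = {}
    for (a, b), xab in x.items():
        lab = project(xab, nabla)
        if labels.setdefault(GATES[gate](a, b), lab) != lab:
            raise RuntimeError("truth table did not collapse")   # impossible by construction
    if labels[0] == labels[1]:      # the two output labels coincide with probability 2^-ell
        raise RuntimeError("output labels collide")
    return nabla, (labels[0], labels[1])


def evaluate_gate(gate_id: int, la_active: Bits, lb_active: Bits, nabla: Bits, ell: int) -> Bits:
    """Evaluator: one RO call on the active input labels, projected by the public nabla."""
    return project(ro_g(gate_id, la_active, lb_active, 8 * ell), nabla)


def hoeffding_bound(kappa: int) -> float:
    """Appendix A: Pr[H < kappa] <= exp(-2n(p - kappa/n)^2), n = 8 kappa, p = 1/4, i.e. exp(-kappa/4)."""
    n, p = 8 * kappa, 0.25
    return math.exp(-2 * n * (p - kappa / n) ** 2)


def exact_tail(kappa: int) -> float:
    """Exact Pr[H < kappa] for H ~ Binomial(8 kappa, 1/4), to compare against the bound."""
    n = 8 * kappa
    total = sum(Fraction(math.comb(n, h)) * Fraction(1, 4) ** h * Fraction(3, 4) ** (n - h)
                for h in range(kappa))
    return float(total)


def check_gate(gate: str, ell: int, seed: int) -> int:
    """Garble one gate on seeded random labels (constructed test data), evaluate all four input
    pairs against the truth table, and return |nabla|, the garbled-gate size in bits."""
    rng = random.Random(seed)

    def fresh() -> Bits:
        return [rng.getrandbits(1) for _ in range(ell)]

    la, lb = (fresh(), fresh()), (fresh(), fresh())
    nabla, out = garble_gate(gate, 7, la, lb, ell)
    for a, b in product((0, 1), repeat=2):
        if evaluate_gate(7, la[a], lb[b], nabla, ell) != out[GATES[gate](a, b)]:
            raise RuntimeError("evaluation disagrees with the truth table")
    return len(nabla)


if __name__ == "__main__":
    for g in GATES:
        print(g, "Pr[nabla[j]=1] =", collapse_probability(g), "|nabla| =", check_gate(g, 128, 2023))
    print("kappa=128: Hoeffding bound", hoeffding_bound(128), "exact tail", exact_tail(128))
```

Running it with \(\ell =\kappa =128\) shows \(|\nabla ^g|\) landing near \(4\kappa =512\) bits, matching the abstract's expected communication, and that the exact lower tail of \(\textsf{Binomial}(8\kappa ,\frac{1}{4})\) sits well below the \(e^{-\kappa /4}\) Hoeffding bound used in the appendix.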

B Proof of Theorem 1

Before stating the proof itself, we define certain terms used within our proof.

B.1 Proof Setup

In the security game, the adversary’s goal given \((F,X,d)\) is to distinguish whether \((F,d)\leftarrow \textsf{Gb}(C_0)\) and \(X = \textsf{En}(e,x^0)\), or \((F,d)\leftarrow \textsf{Gb}(C_1)\) and \(X = \textsf{En}(e,x^1)\). Going forward, for a gate g, we denote by \(\textsf{L}^A\) and \(\textsf{L}^B\) the active input labels, and by \(\textsf{L}^g\) the active output label. These values are revealed during the evaluation of F on X. We show in our proof that the knowledge of these active values alone gives the adversary \(\mathcal {A}\) zero advantage in distinguishing b.

We denote by \(\textsf{L}^{A*}\) and \(\textsf{L}^{B*}\) the inactive input labels, and by \(\textsf{L}^{g*}\) the inactive output label. We term as a “Bad Event” the case where an adversary \(\mathcal {A}\) learns an inactive label for any wire in F. These reveal additional information about the circuit and potentially its correlation to X, leading the adversary to gain advantage in distinguishing in the privacy game. For simplicity of analysis, we assume that when a random oracle query leads to a ‘Bad Event’, privacy is already violated, without needing further work/queries from the adversary. For any wire indexed i, we denote by \(\textsf{L}^{i'}\) a candidate for an inactive label. Such a candidate is queried to the random oracle in order to learn whether it is the inactive label or not. We bound the probability of a “Bad Event” by computing a bound on the number of such possible queries. We then argue that for each query to \(\textsf{RO}\in (\textsf{RO}^g,\textsf{RO}')\), the probability of encountering a bad event is negligible.

We denote by Q the set of adversarial queries and responses. Setting \(|Q|=s\),

$$Q = \bigg \{ [g_i,q_i,r_i] \bigg \}_{i\in [s]}$$

where \(g_i\) is the gate index for when \(\textsf{RO}\) is queried, \(q_i\) is the value input during the \(i^{th}\) query, and \(r_i\) is its respective response.

We denote by H the set of honest queries and responses. Given the challenge \((F,X,d)\), this is the set of queries to \(\textsf{RO}^g,\textsf{RO}'\) that are made within \(\textsf{Ev}(F,X)=Y\) and \(\textsf{De}(Y,d)=y\). The set H has the following form:

$$H= {\left\{ \begin{array}{ll} \{[g,(\textsf{L}^{A_g},\textsf{L}^{B_g}),X^{AB_g}]\}_{g\in [q]}\\ \{[-,(Y[j],d^j),y_j]\}_{j\in [m]} \end{array}\right. } $$

We denote by P the corresponding active path in F. P contains all the values revealed when evaluating the garbling \((F,d)\) on X. All the elements in P can be derived from the elements in H. P has the form:

$$P=\bigg \{ \big \{ \textsf{L}^{A_g},\textsf{L}^{B_g},X^{AB_g},\textsf{L}^g \big \}_{g\in [q]} \bigcup \big \{ Y[j],d^j,y_j \big \}_{j\in [m]} \bigg \}$$

Note that all the labels \(\textsf{L}^w\) for each wire \(w\in [n+q]\) are of length \(\ell \) bits (Table 2). This is also the length of the output labels Y[j] and decoding labels \(d^j\) for each output wire \(j\in [m]\). For each gate \(g\in [q]\), the value \(X^{AB_g}\) has length \({\ell '}\) bits; this is an upper bound on the length of the gate garbling \(\nabla ^g\). Each \(\nabla ^g\) has Hamming weight \(\ell \). This Hamming weight is the effective key length, and the indices in \(\nabla ^g\) containing 1 are termed the effective key positions.

Definition 3 (Bad Event 1)

For a gate g with a garbling \(\nabla ^g\), let \(\mathcal{L}^B\) be the set of candidate inactive labels for input wire B. Let \(\textsf{L}^{g*}\) be the inactive output label and \(\textsf{L}^{g}\) be the active output label. ‘Bad Event 1’ occurs when, for some \(\textsf{L}^{b'}\in \mathcal{L}^B\) queried by the adversary to \(\textsf{RO}^g\), it holds that

$$\textsf{RO}^g(\textsf{L}^A,\textsf{L}^{b'})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}$$

For simplicity, we treat the test for whether a candidate output label \(\textsf{L}^{g'}\) is the inactive label \(\textsf{L}^{g*}\) as requiring zero additional calls after the call to \(\textsf{RO}^g\) for Bad Event 1 (Definition 3).

Lemma 1

In the same setting as in Definition 3, let \(B_{\mathcal{L}^B} \subseteq \mathcal{L}^B\) be the set of candidates leading to ‘Bad Event 1’, \(\textsf{L}^{b'}\) be the candidate queried in the i-th query, and \(\mathcal{L}_i\subseteq \mathcal{L}^B\) the set consisting of the previous \(i-1\) queried candidates. For effective key length \(\ell \) of \(\nabla ^g\) it holds that,

$$\begin{aligned} \Pr [\textsf{RO}^g(\textsf{L}^A,\textsf{L}^{b'})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}|B_{\mathcal{L}^B} \cap \mathcal{L}_i = \varnothing ] \le \frac{1}{2^{\ell }-i-1} + 2^{-\ell +1} \end{aligned}$$

i.e., the probability that the i-th query triggers ‘Bad Event 1’ is upper bounded by \( \frac{1}{2^{\ell }-i-1} + 2^{-\ell +1}\) as long as none of the previous queries triggered the same.

Proof:

Let \(\mathcal{S}=\mathcal{L}^B\setminus \mathcal{L}_i\) be the set of candidate input labels that have not yet been queried; note that \(|\mathcal{S}|\ge 2^{\ell }-i-1\). Let E be the event that \(B_{\mathcal{L}^B} \cap \mathcal{L}_i = \varnothing \) and \(\textsf{L}^{b'}\not \in \mathcal{L}_i\), that is, a new label is being queried and none of the previous \(i-1\) queries have triggered a Bad Event. We calculate the probability of ‘Bad Event 1’ by considering two cases. One case is when the inactive input label is chosen: \(\textsf{L}^{b'}=\textsf{L}^{B*}\in \mathcal{S}\). Querying on this yields one of \(\textsf{L}^{g*}\) or \(\textsf{L}^g\) (according to the gate functionality) with probability 1. The other case is when any other candidate \(\textsf{L}^{b'}\in \mathcal{S}\) is picked. Since the output of \(\textsf{RO}^g\) is uniformly random, its projection \(\textsf{RO}^g(\textsf{L}^A,\textsf{L}^{b'})\circ \nabla ^g\) onto the \(\ell \) effective key positions is a uniformly random string in \(\{0,1\}^{\ell }\), and so it equals \(\textsf{L}^{g*}\) or \(\textsf{L}^{g}\) with probability at most \(\frac{2}{2^{\ell }}\). Therefore,

$$\begin{aligned} \Pr [\textsf{RO}^g&(\textsf{L}^A,\textsf{L}^{b'})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}|E]\\&= \Pr [\textsf{RO}^g(\textsf{L}^A,\textsf{L}^{b'})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}|E,\textsf{L}^{b'}=\textsf{L}^{B*}] \cdot \Pr [\textsf{L}^{b'}=\textsf{L}^{B*}\big |E] \\&+ \Pr [\textsf{RO}^g(\textsf{L}^A,\textsf{L}^{b'})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}|E,\textsf{L}^{b'}\ne \textsf{L}^{B*}] \cdot \Pr [\textsf{L}^{b'}\ne \textsf{L}^{B*}\big |E] \\&\le 1\cdot \frac{1}{2^{\ell }-i-1} + \frac{2}{2^{\ell }}\cdot \frac{2^{\ell }-i-2}{2^{\ell }-i-1} \\&\le \frac{1}{2^{\ell }-i-1} + 2^{-\ell +1} \end{aligned}$$

\(\square \)

Symmetrically, we define Bad Events 2 and 3 as follows:

Definition 4 (Bad Event 2)

For a gate g with a garbling \(\nabla ^g\), let \(\mathcal{L}^A\) be the set of candidate inactive labels for input wire A. Let \(\textsf{L}^{g*}\) be the inactive output label and \(\textsf{L}^{g}\) be the active output label. ‘Bad Event 2’ occurs when for \(\textsf{L}^{a'}\in \mathcal{L}^A\), it holds that,

$$\textsf{RO}^g(\textsf{L}^{a'},\textsf{L}^{B})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}$$

Definition 5 (Bad Event 3)

For a gate g with a garbling \(\nabla ^g\), let \(\mathcal{L}^B\) and \(\mathcal{L}^A\) be the set of candidate inactive labels for input wire B and A respectively. Let \(\textsf{L}^{g*}\) be the inactive output label and \(\textsf{L}^{g}\) be the active output label. ‘Bad Event 3’ occurs when for \(\textsf{L}^{b'}\in \mathcal{L}^B\) and \(\textsf{L}^{a'}\in \mathcal{L}^A\), it holds that,

$$\textsf{RO}^g(\textsf{L}^{a'},\textsf{L}^{b'})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}$$

Corollary 1

In the same setting as Definition 4, let \(B_{\mathcal{L}^A} \subseteq \mathcal{L}^A\) be the set of candidates leading to ‘Bad Event 2’, \(\textsf{L}^{a'}\) be the candidate queried in the i-th query, and \(\mathcal{L}_i\subseteq \mathcal{L}^A\) the set consisting of the previous \(i-1\) queried candidates. For effective key length \(\ell \) of \(\nabla ^g\) it holds that,

$$\begin{aligned} \Pr [\textsf{RO}^g(\textsf{L}^{a'},\textsf{L}^{B})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}|B_{\mathcal{L}^A} \cap \mathcal{L}_i = \varnothing ] \le \frac{1}{2^{\ell }-i-1} + 2^{-\ell +1} \end{aligned}$$

i.e., the probability that the i-th query triggers ‘Bad Event 2’ is upper bounded by \( \frac{1}{2^{\ell }-i-1} + 2^{-\ell +1}\) as long as none of the previous queries triggered the same.

Corollary 2

In the same setting as Definition 5, let \(B_{\mathcal{L}^A,\mathcal{L}^B} \subseteq \mathcal{L}^A\times \mathcal{L}^B\) be the ordered set of candidate pairs leading to ‘Bad Event 3’, \((\textsf{L}^{a'},\textsf{L}^{b'})\) be the candidate pair queried in the i-th query, and \(\mathcal{L}_i\subseteq \mathcal{L}^A\times \mathcal{L}^B\) be the set consisting of the previous \(i-1\) queried pairs. For effective key length \(\ell \) of \(\nabla ^g\) it holds that,

$$\begin{aligned} \Pr [\textsf{RO}^g(\textsf{L}^{a'},\textsf{L}^{b'})\circ \nabla ^g\in \{\textsf{L}^g,\textsf{L}^{g*}\}|B_{\mathcal{L}^A,\mathcal{L}^B} \cap \mathcal{L}_i = \varnothing ] \le \frac{1}{2^{\ell }-i-1} + 2^{-\ell +1} \end{aligned}$$

i.e., the probability that the i-th query triggers ‘Bad Event 3’ is upper bounded by \(\frac{1}{2^{\ell }-i-1} + 2^{-\ell +1}\) as long as none of the previous queries triggered the same.

B.2 The Complete Proof

Theorem 2 (Honest-but-Curious Adversarial Behaviour)

Let \(\mathcal {A}\) be a PPT adversary. In the privacy game as in Algorithm 1, given \(({\textbf{C}}_0,{\textbf{C}}_1,x^0,x^1)\) of \(\mathcal {A}\)’s choice such that \(\varPhi ({\textbf{C}}_0)=\varPhi ({\textbf{C}}_1)\) and \({\textbf{C}}_0(x^0)={\textbf{C}}_1(x^1)\), the challenge \((F,X,d)\), and H, the set of honest queries only, it holds that,

$$\begin{aligned}&\Pr [F,d\leftarrow \textsf{Gb}({\textbf{C}}_0), X = \textsf{En}(e,x^0)|\mathcal {V}(F,X,d,H)]\\ =&\Pr [F,d\leftarrow \textsf{Gb}({\textbf{C}}_1), X = \textsf{En}(e,x^1)|\mathcal {V}(F,X,d,H)] \end{aligned}$$

Proof:

Before proving the above theorem, consider the following lemmas:

Lemma 2 (Honest Queries reveal only the Active Path)

Let \((F,X,d)\) be the challenge that is output from Algorithm 1. Let H be the set of honest queries and let P be the active path. Then,

$$\mathcal {V}(F,X,d,H)= P$$

Proof:

The proof follows in two steps. First we need to show that P can indeed be derived from \(\mathcal {V}(F,X,d,H)\). That is,

$$ P \subseteq \mathcal {V}(F,X,d,H)$$

This holds by construction. The active path P can be derived from \(\mathcal {V}(F,X,d,H)\) since all of its elements can be determined from H. Recall, H is the set of honest queries to the random oracles that are necessary for computing \(Y=\textsf{Ev}(F,X)\) and \(y=\textsf{De}(Y,d)\) from the challenge. By definition, it has the form,

$$H={\left\{ \begin{array}{ll} \{[g,(\textsf{L}^{A_g},\textsf{L}^{B_g}),X^{AB_g}]\}_{g\in [q]}\\ \{[-,(Y[j],d^j),y_j]\}_{j\in [m]} \end{array}\right. }$$

So \((F,X,d,H)\) does indeed contain all the information in the active path:

$$P=\bigg \{ \big \{ \textsf{L}^{A_g},\textsf{L}^{B_g},X^{AB_g},\textsf{L}^g \big \}_{g\in [q]} \bigcup \big \{ Y[j],d^j,y_j \big \}_{j\in [m]} \bigg \}$$

In order to complete the proof of the theorem, it remains to show that nothing beyond P is revealed from \(\mathcal {V}(F,X,d,H)\). That is,

$$P\supseteq \mathcal {V}(F,X,d,H)$$

We show that P alone can be used to recreate the tuple \((F,X,d,H)\). First, note that X contains the set of active labels for all circuit input wires. This is contained within P. The set \(d=\{d^j\}_{j\in [m]}\) is the decoding information, also contained within P. H can also be determined by P. For each gate g, the elements \((\textsf{L}^{A_g},\textsf{L}^{B_g},X^{AB_g})\in P\) are the query and response for \(\textsf{RO}^g\). The set \(\big \{ Y[j],d^j,y_j \big \}_{j\in [m]}\) is the set of \(\textsf{RO}'\) queries and responses in H. Finally, F is a set of gate garblings, \(\nabla ^g\). For each \(g\in [q]\), this can be derived from examining \(X^{AB_g}\) and \(\textsf{L}^g\): \(\nabla ^g\) is set to 1 for only those positions in \(X^{AB_g}\) whose projection gives \(\textsf{L}^g\). This completes the proof.    \(\square \)

Lemma 3 (Active Paths are Identically Distributed)

For the garbling \((F_0,d_0,e)\leftarrow \textsf{Gb}({\textbf{C}}_0)\), let \(X_0=\textsf{En}(e,x^0)\) and let \(P_0\) and \(H_0\) be the corresponding active path and honest queries set. Similarly, For the garbling \((F_1,d_1,e)\leftarrow \textsf{Gb}({\textbf{C}}_1)\), let \(X_1=\textsf{En}(e,x^1)\) and let \(P_1\) and \(H_1\) be the active path and honest queries set. Then if \({\textbf{C}}_0(x^0)={\textbf{C}}_1(x^1)\) and \(\varPhi ({\textbf{C}}_0)=\varPhi ({\textbf{C}}_1)\), it holds that,

$$\{F_0,d_0,X_0,P_0,H_0\}\equiv \{F_1,d_1,X_1,P_1,H_1\}$$

Proof:

The proof for this considers the distribution \(A_0=\{F_0,d_0,X_0,P_0,H_0\}\) that is derived using \({\textbf{C}}_0\) and \(x^0\), and the distribution \(A_1=\{F_1,d_1,X_1,P_1,H_1\}\) that is derived using \({\textbf{C}}_1\) and \(x^1\). Let us examine these distributions:

  • In both distributions, the garbling \((F_0,d_0)\in A_0\) and \((F_1,d_1)\in A_1\) are distributed the same way. The garbling \(F_0,d_0\) are a garbling of \({\textbf{C}}_0\), and \(F_1,d_1\) are a garbling of \({\textbf{C}}_1\) using the garbling scheme in Algorithms 2-6. It holds that their topology, \(\varPhi ({\textbf{C}}_0)=\varPhi ({\textbf{C}}_1)\). The garbling produced does not reveal any information beyond \(\varPhi \). This is because the gate garbling \(\nabla ^g\) is distributed the same way regardless of the functionality \(f_g\in \{\textsf{AND},\textsf{XOR}\}\) due to the nature of Algorithm 5 and Table 3, 4.

  • Considering the complete challenge \((F_0,d_0,X_0)\in A_0\) and \((F_1,d_1,X_1)\in A_1\), note that the sets of active input labels contain labels that are sampled independently and uniformly at random from \(\{0,1\}^\ell \). Without any random oracle queries, these challenges are also identically distributed, since X and \((F,d)\) are independent when no RO queries are made.

  • On evaluating the challenges, note that \({\textbf{C}}_0(x^0)={\textbf{C}}_1(x^1)\) and so the distributions cannot be distinguished on the basis of the output of the evaluation. The honest queries in the set \(H_0\) are determined by \((F_0,X_0,d_0)\). The distribution of these queries is identical to that in \(H_1\) that are determined by \((F_1,X_1,d_1)\). This is because the probability that the random oracle query responses are distributed as in \(H_0\) is the same as the probability of it being as in \(H_1\). Therefore \((F_0,d_0,X_0,H_0)\in A_0\) and \((F_1,d_1,X_1,H_1)\in A_1\) are identically distributed.

  • The active paths \(P_0\) and \(P_1\) are determined completely by \(H_0\) and \(H_1\).

Therefore,

$$\{F_0,d_0,X_0,P_0,H_0\}\equiv \{F_1,d_1,X_1,P_1,H_1\}$$

From Lemma 2, given \((F,X,d)\) and the honest queries H only, nothing beyond the active path P is revealed. Lemma 3 shows that the active paths for any \({\textbf{C}}_0,x^0\) and \({\textbf{C}}_1,x^1\) are identically distributed. Therefore, the theorem follows.

Theorem 3 shows a bound on the advantage from a single adversarial query.

Theorem 3 (Advantage of a single malicious query)

Let \(\mathcal {A}\) be a PPT adversary and \(\ell \) be the effective key length. Given the challenge \((F,X,d)\) as in Algorithm 1, \(\mathcal {A}\)’s advantage on a single adversarial query is bounded by,

$$\textsf {Adv}_{|Q|=1}\le \frac{1}{2^{\ell }-2} + 2^{-\ell +1}$$

Proof:

From Lemma 1 and Corollaries 1 and 2 (with \(i=1\)), we can conclude that when the adversary \(\mathcal {A}\) makes one adversarial query, it can encounter at most one of the 3 ‘Bad Events’. It can also only gain advantage if the query it makes corresponds to a ‘Bad Event’. Therefore, \(\mathcal {A}\)’s advantage on a single adversarial query is,

$$\textsf {Adv}_{|Q|=1} \le \Pr [\text {Bad Event}] \le \max _{j\in [3]} (\Pr [\text {Bad Event j}]) \le \frac{1}{2^{\ell }-2} + 2^{-\ell +1}$$

   \(\square \)

Theorem 4 extends the result above to provide a bound on the advantage gained from multiple adversarial queries.

Theorem 4 (Advantage in multiple malicious queries)

Let \(\mathcal {A}\) be a PPT adversary and \(\ell \) be the effective key length. Given \((F,X,d)\) as in Algorithm 1, the honest queries set H, and adversarial queries Q s.t. \(|Q|=s\), \(\mathcal {A}\)’s advantage is,

$$\textsf {Adv}_{|Q|=s} < \frac{s}{2^\ell -2}$$

Proof:

In order to prove the above theorem, note that a query made by an adversary \(\mathcal {A}\) can be broadly classified under one of the following categories:

  1. An Honest Query, where the query and the response for the random oracle lie on the active path of the garbling in the challenge \((F,X,d)\). Theorem 2 shows that given all the queries H in the active path, \(\mathcal {A}\)’s advantage is 0.

  2. An Adversarial Query yielding a ‘Bad Event’ is a query other than an Honest Query for which the response of the random oracle lies within the garbling in the challenge. This may reveal information about the garbling beyond the active path. On such an event, without loss of generality, we consider privacy as violated. Our proof builds towards bounding the probability of this event.

  3. An Adversarial Query not yielding a ‘Bad Event’ is a random oracle query and response that can evidently not be involved in the construction of the challenge garbling. Queries to the RO that yield such responses do not help identify the inactive path and therefore give no advantage. That is, given the honest-query set H and adversarial queries that do not lead to a ‘Bad Event’, such queries at most narrow down the domain of the RO, which increases the probability of eventually encountering a ‘Bad Event’. However, until a ‘Bad Event’ is encountered, this gives \(\mathcal {A}\) no advantage over possessing H.

Let \(q_i\) be the event that the \(i^{th}\) adversarial query takes place given that none of the \(i-1\) queries before it has led to any bad event. We have from Lemma 1 and Corollaries 1 and 2 that each of the ‘Bad Events’ 1, 2 and 3 is bounded as,

$$\Pr [\text { Bad Event }\in \{1,2,3\} \big |q_i]\le \frac{1}{2^{\ell }-i-1}+2^{-\ell +1}$$

Note that the probability of a ‘Bad Event’ increases with the number of queries, and in each query the probability of encountering any ‘Bad Event’ at all is bounded by the maximum of the above probabilities. Let us now compute the probability that a ‘Bad Event’ is encountered given \(|Q|=s\) adversarial queries to the same random oracle:

$$\begin{aligned} \Pr [\text {Bad Event}\,\big |\,|Q|=s]&= 1-\Pr [\lnot \text {Bad Event}\,\big |\,|Q|=s]\\&= 1-\prod _{i=1}^s \Big (1-\Pr [\text {Bad Event}\,\big |\,q_i]\Big )\\&< 1-\prod _{i=1}^s \bigg (1- \frac{1}{2^{\ell }-i-1}-2^{-\ell +1} \bigg )\\&\approx 1-\prod _{i=1}^s \frac{2^{\ell }-i-2}{2^{\ell }-i-1} = 1-\frac{2^{\ell }-s-2}{2^{\ell }-2} = \frac{s}{2^\ell -2} \end{aligned}$$

where the last line uses that the product telescopes.

We have seen in the proof for Theorem 3 that one adversarial query can trigger at most 1 ‘Bad Event’ and the adversary \(\mathcal {A}\)’s advantage is bounded by the probability of a ‘Bad Event’ occurring. Given an adversarial query, if the response leads to a ‘Bad Event’, we assume that privacy is violated. If it does not, the views of the adversary are still identical. We therefore need to calculate the probability of at least one ‘Bad Event’ among \(|Q|=s\) adversarial queries.

The above is a bound on the probability of a ‘Bad Event’ on a particular random oracle \(\textsf{RO}\in (\textsf{RO}^g,\textsf{RO}')\). It remains to extend this result to the case where adversarial queries were made to different random oracles across different gate garblings in the circuit. Note that each random oracle used in the construction is independent. So the result of queries to one random oracle do not affect the result of making (even the same) queries to a different random oracle, except for possibly reusing the query space as a result of seeing a query output without triggering a bad event. So the above is an upper bound that also extends to the case where not all of the previous \(i-1\) queries have been made to the same random oracle since all those cases are bounded by this case. Hence it follows again that when \(|Q|=s\), \(\mathcal {A}\)’s advantage is bounded by:

$$\textsf {Adv}_{|Q|=s} < \frac{s}{2^\ell -2}$$

Summing up, the proof of our final theorem follows. \(\square \)

Theorem 1 (Overall advantage of a malicious adversary - Restated)

Let \(\textsf{GS}=(\textsf{Gb},\textsf{En},\textsf{Ev},\textsf{De})\) be a garbling scheme as in Algorithms 2–7. Let \(\kappa \) be a computational security parameter. For every PPT adversary \(\mathcal {A}\) with running time \(t(\kappa )\) having access to all random oracles \(\textsf{RO}\in (\textsf{RO}^g,\textsf{RO}')\), participating in the Privacy game (Definition 2), \(\exists \) negligible function \(\mu \) s.t. \(\mathcal {A}\)’s advantage is,

$$\textsf {Adv}(\kappa ) = \bigg | \Pr [\mathcal {A}^\textsf{RO}({\textbf{C}}_0,{\textbf{C}}_1,x^0,x^1,F,X,d)=b] - \frac{1}{2}\bigg | < \mu (\kappa )$$

Proof:

For a PPT adversary \(\mathcal {A}\) running for \(t(\kappa )\) time steps, \(|Q|\le t(\kappa )\). Setting \(\ell =\kappa \), we have from Theorem 4,

$$\textsf {Adv}_{|Q|=t(\kappa )} < \frac{t(\kappa )}{2^\kappa -2}$$

Since \(t(\kappa )\) is polynomial in \(\kappa \), the right-hand side is negligible in \(\kappa \), so \(\mu (\kappa )=\frac{t(\kappa )}{2^\kappa -2}\) is the required negligible function.

   \(\square \)


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Acharya, A., Ashur, T., Cohen, E., Hazay, C., Yanai, A. (2023). A New Approach to Garbled Circuits. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_23


  • DOI: https://doi.org/10.1007/978-3-031-33491-7_23


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33490-0

  • Online ISBN: 978-3-031-33491-7

