Analysis on Sliced Garbling via Algebraic Approach

Conference paper in: Advances in Cryptology – ASIACRYPT 2024 (ASIACRYPT 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 15491)

Abstract

Recent improvements to garbled circuits are mainly focused on reducing their size. The state-of-the-art construction of Rosulek and Roy (Crypto 2021) requires \(1.5\kappa \) bits for garbling AND gates in the free-XOR setting. This is below the previously proven lower bound of \(2\kappa \) in the linear garbling model of Zahur, Rosulek, and Evans (Eurocrypt 2015). Recently, Ashur, Hazay, and Satish (eprint 2024/389) proposed a scheme that requires \(4/3\kappa + O(1)\) bits for garbling AND gates. Precisely, they extended the idea of slicing introduced by Rosulek and Roy to garble 3-input gates of the form \(g(u,v,w) := u(v+w)\). By setting \(w = 0\), it can be used to garble AND gates with improved communication cost. However, in this paper, we observe that the scheme proposed by Ashur, Hazay, and Satish leaks information on the permute bits, thereby allowing the evaluator to reveal information on the private inputs. To be precise, we show that in their garbling scheme, the evaluator can compute the bits \(\alpha \) and \(\beta + \gamma \), where \(\alpha \), \(\beta \), and \(\gamma \) are the private permute bits of the input labels A, B, and C, respectively.

In this work, we present an attack on a new garbling scheme proposed by Ashur, Hazay, and Satish [1]. Concurrently with our work, we noticed that Fan, Lu, and Zhou [6] also described an attack on their scheme.

T. Kim—Independent Researcher.

Notes

  1. Each of the input labels is a \(\kappa \)-bit string that is assigned to each of the inputs of the gate depending on their logical values. The input labels A, B, and C correspond to the inputs u, v, and w, respectively.

  2. With the free-XOR constraint, recall that \(H(A_0 + B_0) = H(A_1 + B_1)\) and \(H(A_0 + B_1) = H(A_1 + B_0)\).

  3. We observe that it is sufficient to consider the case where \( \textbf{R}_X \) is linear rather than of arbitrary degree. This is because when \( \boldsymbol{H} \) consists solely of linear queries, \( \textbf{M} \) is composed only of linear polynomials. For \( \textbf{R}_A (\boldsymbol{A}_0 + x \boldsymbol{\varDelta }) \) to lie within the same column space as \( \textbf{M} \), we deduce that \( \textbf{R}_A \boldsymbol{A}_0 \in \text {span}(\textbf{M}) \) for any \( \boldsymbol{A}_0 \). Therefore, \( \textbf{R}_A \) must also be linear.

  4. To simplify the discussion, for now let us presume that the evaluator obtains the values of \(\textbf{R}_A\), \(\textbf{R}_B\) and \(\textbf{R}_C\) precisely at \((i,j,k)\) in a certain way. In other words, we implicitly assume that the dicing technique is applied.

  5. By an argument similar to that of Footnote 3, it suffices to consider only linear polynomials.

  6. In the case that s-sliced labels are used, we typically choose \({\mathbb {F}}= {\mathbb {F}}_{2^{\kappa /s}}\).

References

  1. T. Ashur, C. Hazay, and R. Satish. On the feasibility of sliced garbling. Cryptology ePrint Archive, Paper 2024/389, 2024. https://eprint.iacr.org/2024/389.

  2. C. Baek and T. Kim. Can we beat three halves lower bound?: (im)possibility of reducing communication cost for garbled circuits. Cryptology ePrint Archive, Paper 2024/803, 2024. https://eprint.iacr.org/2024/803.

  3. M. Ball, H. Li, H. Lin, and T. Liu. New ways to garble arithmetic circuits. In C. Hazay and M. Stam, editors, Advances in Cryptology - EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part II, volume 14005 of Lecture Notes in Computer Science, pages 3–34. Springer, 2023.

  4. D. Beaver, S. Micali, and P. Rogaway. The round complexity of secure protocols (extended abstract). In H. Ortiz, editor, Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, May 13-17, 1990, Baltimore, Maryland, USA, pages 503–513. ACM, 1990.

  5. M. Bellare, V. T. Hoang, and P. Rogaway. Foundations of garbled circuits. In T. Yu, G. Danezis, and V. D. Gligor, editors, the ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16-18, 2012, pages 784–796. ACM, 2012.

  6. L. Fan, Z. Lu, and H. Zhou. Column-wise garbling, and how to go beyond the linear model. Cryptology ePrint Archive, Paper 2024/415, 2024.

  7. S. Gueron, Y. Lindell, A. Nof, and B. Pinkas. Fast garbling of circuits under standard assumptions. In I. Ray, N. Li, and C. Kruegel, editors, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-16, 2015, pages 567–578. ACM, 2015.

  8. D. Heath and V. Kolesnikov. One hot garbling. In Y. Kim, J. Kim, G. Vigna, and E. Shi, editors, CCS ’21: 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, Republic of Korea, November 15 - 19, 2021, pages 574–593. ACM, 2021.

  9. D. Heath, V. Kolesnikov, and L. K. L. Ng. Garbled circuit lookup tables with logarithmic number of ciphertexts. In M. Joye and G. Leander, editors, Advances in Cryptology - EUROCRYPT 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zurich, Switzerland, May 26-30, 2024, Proceedings, Part V, volume 14655 of Lecture Notes in Computer Science, pages 185–215. Springer, 2024.

  10. C. Kempka, R. Kikuchi, and K. Suzuki. How to circumvent the two-ciphertext lower bound for linear garbling schemes. In J. H. Cheon and T. Takagi, editors, Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part II, volume 10032 of Lecture Notes in Computer Science, pages 967–997. Springer, 2016.

  11. V. Kolesnikov, P. Mohassel, and M. Rosulek. Flexor: Flexible garbling for XOR gates that beats free-xor. In J. A. Garay and R. Gennaro, editors, Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part II, volume 8617 of Lecture Notes in Computer Science, pages 440–457. Springer, 2014.

  12. V. Kolesnikov and T. Schneider. Improved garbled circuit: Free XOR gates and applications. In L. Aceto, I. Damgård, L. A. Goldberg, M. M. Halldórsson, A. Ingólfsdóttir, and I. Walukiewicz, editors, Automata, Languages and Programming, 35th International Colloquium, ICALP 2008, Reykjavik, Iceland, July 7-11, 2008, Proceedings, Part II - Track B: Logic, Semantics, and Theory of Programming & Track C: Security and Cryptography Foundations, volume 5126 of Lecture Notes in Computer Science, pages 486–498. Springer, 2008.

  13. M. Naor, B. Pinkas, and R. Sumner. Privacy preserving auctions and mechanism design. In S. I. Feldman and M. P. Wellman, editors, Proceedings of the First ACM Conference on Electronic Commerce (EC-99), Denver, CO, USA, November 3-5, 1999, pages 129–139. ACM, 1999.

  14. B. Pinkas, T. Schneider, N. P. Smart, and S. C. Williams. Secure two-party computation is practical. In M. Matsui, editor, Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings, volume 5912 of Lecture Notes in Computer Science, pages 250–267. Springer, 2009.

  15. M. Rosulek and L. Roy. Three halves make a whole? Beating the half-gates lower bound for garbled circuits. In T. Malkin and C. Peikert, editors, Advances in Cryptology - CRYPTO 2021 - 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16-20, 2021, Proceedings, Part I, volume 12825 of Lecture Notes in Computer Science, pages 94–124. Springer, 2021.

  16. A. C. Yao. Protocols for secure computations (extended abstract). In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3-5 November 1982, pages 160–164. IEEE Computer Society, 1982.

  17. S. Zahur, M. Rosulek, and D. Evans. Two halves make a whole - reducing data transfer in garbled circuits using half gates. In E. Oswald and M. Fischlin, editors, Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part II, volume 9057 of Lecture Notes in Computer Science, pages 220–250. Springer, 2015.

Corresponding author: Taechan Kim.

Appendices

A How to Randomize the Control Bits

In this section, we explain how the dicing technique works from the algebraic perspective. For the sake of readability, we mainly describe the technique with the example of RR21’s construction.

At the beginning of the dicing technique, the garbler chooses \(( \textbf{R}_A, \textbf{R}_B )\) at random among \(2^{14}\) possible choices. Assume that the choice is

$$ \textbf{R} = [ \textbf{R}_A \vert \textbf{R}_B ] = \left[ \begin{array}{cc|cc} ~0~ & ~0~ & ~ x + \alpha ~ & ~ y + \beta + 1 ~ \\ 0 & 0 & y & x \end{array} \right] . $$

It is chosen by setting all the free variables to zero except \(e_3 = 1\).

To send the information on \(\textbf{R}\), the garbler encrypts it column by column. More precisely, write \(\textbf{R} = [ \overrightarrow{r_1}, \dots , \overrightarrow{r_4} ]\), where \(\overrightarrow{r_k}\) is the k-th column of \(\textbf{R}\). The garbler makes random oracle queries and defines

$$\begin{aligned} \overrightarrow{S}^{con} := \left( H^c(A^0), H^c(A^1), H^c(B^0), H^c(B^1), H^c(A^0+B^0), H^c(A^0+B^1) \right) ^\top , \end{aligned}$$

where \(H^c\) is a random oracle that returns a 1-bit string (it is usually taken to be the least significant bit of the output of the random oracle).

Given the column \(\overrightarrow{r_k}\) for each k, choose \(\overrightarrow{z_k} := ( z_{k1}, \dots , z_{k5} )^\top \) such that

$$\begin{aligned} \textbf{V} \overrightarrow{z_k} = \textbf{M} \overrightarrow{S}^{con} + \overrightarrow{r_k}. \end{aligned}$$
(20)

Then it returns the vector \(\overrightarrow{z_k}\) which comprises the ciphertexts encrypting \(\overrightarrow{r_k}\).

For instance, let us take an example of \(\overrightarrow{r_3} = ( x+\alpha , y )^\top \). By comparing both sides, we have

$$ \begin{array}{cl} z_{31} = & H^c(A^0) + H^c(A^0+B^0) + \alpha \\ z_{32} = & H^c(B^0) + H^c(A^0+B^0) \\ z_{33} = & H^c(A^0) + H^c(A^1) + 1 \\ z_{34} = & H^c(B^0) + H^c(B^1) + 1 \\ z_{35} = & H^c(A^0+B^0) + H^c(A^0+B^1). \end{array} $$

Let \(\textbf{V}_{ij}\) be the value of \(\textbf{V}\) evaluated at \((x, y) = (i,j)\). Upon receiving \(\overrightarrow{z_k}\), on input \(A^i\) and \(B^j\), the evaluator computes

$$ \overrightarrow{{ \widetilde{r}}_k} = \textbf{V}_{ij} \overrightarrow{z_k} + \begin{bmatrix} ~1~ & 0 & ~1~ \\ 0 & 1 & 1 \end{bmatrix} \begin{bmatrix} H(A^i) \\ H(B^j) \\ H(A^i+B^j) \end{bmatrix}. $$

It is easily verified that \(\overrightarrow{{ \widetilde{r}}_k}\) is the value of \(\overrightarrow{r_k}\) evaluated at \((x,y) = (i,j)\).

We observe that the above argument works in general, not only for RR21’s construction. The control bit randomization is carried out by encrypting each column of \(\textbf{R}\), the randomly chosen control bits, and the encryption uses the same garbling equation as the original garbling construction. In other words, the matrices \(\textbf{M}\) and \(\textbf{V}\) in Eq. (20) are the same as those of the original garbling equation. The only condition for the control bit encryption to work is that \(\overrightarrow{r_k}\) belongs to the space spanned by the columns of \(\textbf{M}\) or \(\textbf{V}\), and this turns out to be equivalent to \(\overrightarrow{r_k}\) satisfying the relation \(\pi _{\textbf{V}}\) of Sect. 5. Recall that \(\overrightarrow{r_k}\) is a column of \(\textbf{R}\). We observe that \(\textbf{R}\), and thus each of its columns, satisfies the relation \(\pi _{\textbf{V}}\), which is the desired result. Hence, the control bit randomization is always possible with the original garbling equation.

To help readers’ understanding, let us return to the previous example of the RR21 construction. In this case, the relation \(\pi \) says that the y-coefficient of the top entry equals the x-coefficient of the bottom entry. We see that each \(\overrightarrow{r_k}\) satisfies this condition.
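The dicing round trip described above (the garbler encrypting a column of \(\textbf{R}\) via Eq. (20), the evaluator recovering its value at \((i,j)\), and the \(\pi _{\textbf{V}}\) condition on the column), as an added Python example that is not part of the paper. It assumes a constructed stand-in for \(H^c\) (the low bit of SHA-256 over constructed free-XOR labels); the closed form for a general \(\overrightarrow{z_k}\) and the matrix \(\textbf{V}_{ij}\) are reconstructed here by matching the \(\overrightarrow{z_3}\) formulas in the text, so they are assumptions of this example rather than formulas taken from the paper.

```python
import hashlib
import os

def hc(label: bytes) -> int:
    """1-bit random oracle H^c (constructed stand-in): LSB of SHA-256(label)."""
    return hashlib.sha256(label).digest()[-1] & 1

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def sample_labels(kappa_bytes: int = 16):
    """Constructed free-XOR labels: A^1 = A^0 + Delta, B^1 = B^0 + Delta."""
    delta = os.urandom(kappa_bytes)
    a0, b0 = os.urandom(kappa_bytes), os.urandom(kappa_bytes)
    return (a0, xor(a0, delta)), (b0, xor(b0, delta))

def garble_column(A, B, top, bottom):
    """Garbler: encrypt one column r_k = (top, bottom) of R into z_k.
    top = (t0, t1, t2), bottom = (b0, b1, b2) are the F_2 coefficients of
    t0 + t1*x + t2*y and b0 + b1*x + b2*y.  The closed form below was derived
    by matching both sides of Eq. (20) at all four (i, j) (an assumption of
    this example); for r_3 = (x + alpha, y) it equals the z_3 in the text."""
    # S^con = (H^c(A^0), H^c(A^1), H^c(B^0), H^c(B^1), H^c(A^0+B^0), H^c(A^0+B^1))
    s = [hc(A[0]), hc(A[1]), hc(B[0]), hc(B[1]),
         hc(xor(A[0], B[0])), hc(xor(A[0], B[1]))]
    t0, t1, t2 = top
    b0, b1, b2 = bottom
    return [(t0 + s[0] + s[4]) % 2, (b0 + s[2] + s[4]) % 2,
            (t1 + t2 + s[0] + s[1]) % 2, (b1 + b2 + s[2] + s[3]) % 2,
            (t2 + s[4] + s[5]) % 2]

def evaluate_column(a_i, b_j, i, j, z):
    """Evaluator holding A^i, B^j: r~_k = V_ij z_k + [1 0 1; 0 1 1] h with
    h = (H^c(A^i), H^c(B^j), H^c(A^i+B^j)).  V_ij = [[1,0,i,0,i+j],[0,1,0,j,i+j]]
    is reconstructed from the z_3 example (an assumption of this example)."""
    h = [hc(a_i), hc(b_j), hc(xor(a_i, b_j))]
    v = [[1, 0, i, 0, i ^ j], [0, 1, 0, j, i ^ j]]
    mask = [h[0] ^ h[2], h[1] ^ h[2]]
    out = []
    for row, m in zip(v, mask):
        acc = m
        for coef, zk in zip(row, z):
            acc ^= coef & zk
        out.append(acc)
    return tuple(out)

def poly_at(coefs, i, j):
    c0, c1, c2 = coefs
    return (c0 + c1 * i + c2 * j) % 2

def dicing_round_trip(top, bottom):
    """True iff every position (i, j) recovers exactly r_k(i, j); this holds
    precisely when the column satisfies pi_V, i.e. t2 == b1."""
    A, B = sample_labels()
    z = garble_column(A, B, top, bottom)
    return all(evaluate_column(A[i], B[j], i, j, z)
               == (poly_at(top, i, j), poly_at(bottom, i, j))
               for i in (0, 1) for j in (0, 1))
```

Calling `dicing_round_trip((alpha, 1, 0), (0, 0, 1))` exercises the column \(\overrightarrow{r_3} = (x+\alpha, y)^\top\) of the text, while a column with unequal y-coefficient on top and x-coefficient on the bottom (for example \((y, 0)^\top\)) fails the round trip, which is the \(\pi _{\textbf{V}}\) condition in action.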

Let us consider why this technique does not reveal information on \(\alpha \) and \(\beta \). Clearly, the entire value of \(\textbf{R}\) would disclose the permute bits. Observe that the \(\overrightarrow{z_k}\)’s encrypt the coefficients of the polynomials in \(\textbf{R}\) using \(\overrightarrow{S}^{con}\), and the decryption only reveals the values of the polynomials in \(\textbf{R}\) evaluated at \((x,y)= (i,j)\). Without knowing wire labels other than \(A^i\) and \(B^j\), the evaluator cannot evaluate the polynomials outside of \((i,j)\). Thus, it does not disclose the entire information on \(\textbf{R}\).

One might observe that the number of additional ciphertexts required to encrypt the control matrices can be further reduced in RR21’s construction. Let us consider the control matrices given by

$$ \begin{bmatrix} \textbf{R}_A \mid \textbf{R}_B \end{bmatrix} = \left[ \begin{array}{cc|cc} r_1 & r_2 & r_2 + x & r_1 + r_2 + y \\ r_2 & r_1 + r_2 & r_1 + r_2 & r_1 + x \end{array} \right] $$

where \(r_1(x, y) := \alpha x + (\beta +1) y + c\) and \(r_2(x, y) := (\beta + 1) x + (\alpha + \beta + 1) y + e\) are the polynomials in \({\mathbb {F}}_2[x,y]\), and the bits c and e are randomly chosen. It can be readily verified that the above control matrices yield a correct garbling scheme for RR21’s construction. Thus, it is enough to send only the encryption of \((r_1, r_2)^\top \), instead of sending entire encryptions of all columns. Therefore, it reduces the number of ciphertexts garbling the control bits.

B How to Choose Control Matrices

Given the matrix \(\textbf{V}\) as defined in Eq. (13), for any vector \(\boldsymbol{\nu }= \boldsymbol{\nu }_0 + \boldsymbol{\nu }_1 x + \boldsymbol{\nu }_2 y + \boldsymbol{\nu }_3 z \in \text {span}(\textbf{V})\), we obtain \(\pi _{\textbf{V}}(\boldsymbol{\nu }_1, \boldsymbol{\nu }_2, \boldsymbol{\nu }_3) = \textbf{P}_1 \boldsymbol{\nu }_1 + \textbf{P}_2 \boldsymbol{\nu }_2 + \textbf{P}_3 \boldsymbol{\nu }_3 = 0\), where

$$\begin{aligned} \textbf{P} = \left[ \textbf{P}_1 \mid \textbf{P}_2 \mid \textbf{P}_3 \right] = \left[ \begin{array}{ccc|ccc|ccc} 1~ & 0~ & 1~ & ~0~ & 0~ & 0~ & ~0~ & 0~ & 0~ \\ 0~ & 0~ & 0~ & ~1~ & 1~ & 0~ & ~0~ & 0~ & 0~ \\ 0~ & 0~ & 0~ & ~0~ & 0~ & 0~ & ~0~ & 1~ & 1~ \\ 0~ & 1~ & 0~ & ~0~ & 0~ & 1~ & ~0~ & 0~ & 0~ \\ 0~ & 0~ & 0~ & ~0~ & 0~ & 1~ & ~1~ & 0~ & 0~ \end{array} \right] . \end{aligned}$$
(21)

By computing the control matrices satisfying Eqs. (15) and (16), we can give their explicit formulas as follows.

B.1 Formulas for the Control Matrices

We provide explicit formulas for the control matrices.

$$\begin{aligned} \textbf{R}_A &= \left[ \begin{array}{ccc} a_0 & ~b_0~ & c_0 \\ a_1 & ~b_1~ & c_1 \\ a_0+\beta +\gamma & ~b_0~ & c_0 + \beta + \gamma \end{array} \right] + \left[ \begin{array}{ccc} a_3 & ~b_3~ & c_3 \\ a_4 & ~b_4~ & c_4 \\ a_3 & ~b_3~ & c_3 \end{array} \right] x \nonumber \\ &\quad + \left[ \begin{array}{ccc} a_4 + 1 & ~b_4~ & c_4 + 1 \\ a_4 + 1 & ~b_4~ & c_4 + 1 \\ a_4 & ~b_4~ & c_4 \end{array} \right] y + \left[ \begin{array}{ccc} a_4 & ~b_4~ & c_4 \\ a_4 + 1 & ~b_4~ & c_4 + 1 \\ a_4 + 1 & ~b_4~ & c_4 + 1 \end{array} \right] z\nonumber \\ \textbf{R}_B &= \left[ \begin{array}{ccc} d_0 & ~e_0~ & f_0 \\ d_0 + \alpha & ~e_0 + \alpha ~ & f_0 \\ a_1 + 1 & ~b_1 + \beta + \gamma + 1~ & c_1 + \alpha + 1 \end{array} \right] + \left[ \begin{array}{ccc} a_4 & ~b_4~ & c_4 +1 \\ a_4 + 1 & ~ b_4 + 1~ & c_4 + 1 \\ a_4 & ~b_4~ & c_4 + 1 \end{array} \right] x\nonumber \\ &\quad + \left[ \begin{array}{ccc} d_5 & ~e_5~ & f_5 \\ d_5 & ~e_5~ & f_5 \\ a_4 + 1 & ~b_4 + 1~ & c_4 + 1 \end{array} \right] y+ \left[ \begin{array}{ccc} a_4 + 1 & ~b_4 + 1~ & c_4 + 1 \\ a_4 + 1 & ~b_4 + 1~ & c_4 + 1 \\ a_4 + 1 & ~b_4 + 1~ & c_4 + 1 \end{array} \right] z \nonumber \\ \textbf{R}_C &= \left[ \begin{array}{ccc} a_1 + \alpha + 1 & ~b_1 + \beta + \gamma + 1~ & c_1 + 1 \\ g_1 & ~ h_1 ~ & i_1 \\ g_1 & ~ h_1 + \alpha ~ & i_1 + \alpha \end{array} \right] + \left[ \begin{array}{ccc} a_4 + 1 & ~b_4~ & c_4 \\ a_4 + 1 & ~ b_4 + 1~ & c_4 + 1 \\ a_4 + 1 & ~b_4~ & c_4 \end{array} \right] x\nonumber \\ &\quad + \left[ \begin{array}{ccc} a_4 + 1 & ~b_4 + 1~ & c_4 + 1 \\ a_4 + 1 & ~b_4 + 1~ & c_4 + 1 \\ a_4 + 1 & ~b_4 + 1~ & c_4 + 1 \end{array} \right] y + \left[ \begin{array}{ccc} a_4 + 1 & ~b_4 + 1~ & c_4 + 1 \\ g_6 & ~ h_6 ~ & i_6 \\ g_6 & ~ h_6 ~ & i_6 \end{array} \right] z, \end{aligned}$$
(22)

where all of the entries are binary elements. We observe that the set of triples \((\textbf{R}_A, \textbf{R}_B, \textbf{R}_C)\) is isomorphic to a 24-dimensional subspace.

Copyright information

© 2025 International Association for Cryptologic Research

Cite this paper

Kim, T. (2025). Analysis on Sliced Garbling via Algebraic Approach. In: Chung, KM., Sasaki, Y. (eds) Advances in Cryptology – ASIACRYPT 2024. ASIACRYPT 2024. Lecture Notes in Computer Science, vol 15491. Springer, Singapore. https://doi.org/10.1007/978-981-96-0944-4_8

  • DOI: https://doi.org/10.1007/978-981-96-0944-4_8

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-96-0943-7

  • Online ISBN: 978-981-96-0944-4