Full Description

Garbling. The garbling algorithm $Garble (C)$ is described as follows.

Let $CircuitInputs (C)$ , $CircuitOutputs (C)$ be the set of input and output wires of $C$ , respectively. Given a non-input wire $i$ , let $(a, b) \leftarrow InputWires (C, i)$ denote the two input wires $a, b$ of $i$ associated to an $AND$ or $XOR$ gate. Let $a \leftarrow InputsWires (C, i)$ denote the input wire $a$ of $i$ associated to an $INV$ gate. The garbler maintains three sets $E$ , $D$ and $T$ . The garbler also maintains a $counter$ initiated as $0$ .
Choose a secret global 128-bit string $Δ$ uniformly, and set $LSB (Δ) = 1$ . Let $P = X \oplus Δ$ be the label of public bit $1$ , where $X$ is chosen uniformly at random. Note that $P$ will be sent to the evaluator.
For $i \in CircuitInputs (C)$ , do the following.
- Choose $128$ -bit $X_{i}^{0}$ uniformly at random, and set $X_{i}^{1} = X_{i}^{0} \oplus Δ$ .
- Let $e_{i} = X_{i}^{0}$ and insert it to $E$ .
For any non-input wire $i$ , do the following.
- If the gate associated to $i$ is a $XOR$ gate.
  - Let $(a, b) \leftarrow GateInputs (C, i)$ .
  - Compute $X_{i}^{0} = X_{a}^{0} \oplus X_{b}^{0}$ and $X_{i}^{1} = X_{i}^{0} \oplus Δ$ .
- If the gate associated to $i$ is an $INV$ gate.
  - Let $a \leftarrow GateInputs (C, i)$ ,
  - Compute $X_{i}^{0} = X_{a}^{0} \oplus P$ and $X_{i}^{1} = X_{i}^{0} \oplus Δ$ .
- If the gate associated to $i$ is an $AND$ gate.
  - let $(a, b) \leftarrow GateInputs (C, i)$ ,
  - Let $p_{a} = LSB (X_{a}^{0})$ , $p_{b} = LSB (X_{b}^{0})$ .
  - Compute the first half gate:
  - Let $T_{G} = H (counter, X_{a}^{0}) \oplus H (counter, X_{a}^{1}) \oplus (p_{b} \cdot Δ)$ .
  - Let $X_{G}^{0} = H (counter, X_{a}^{0}) \oplus (p_{a} \cdot T_{G})$ .
  - $counter = counter + 1$ .
  - Compute the second half gate:
  - Let $T_{E} = H (counter, X_{b}^{0}) \oplus H (counter, X_{b}^{1}) \oplus X_{a}^{0}$ .
  - Let $X_{E}^{0} = H (counter, X_{b}^{0}) \oplus p_{b} \cdot (T_{E} \oplus X_{a}^{0})$
  - Let $X_{i}^{0} = X_{G}^{0} \oplus X_{E}^{0}$ , $X_{i}^{1} = X_{i}^{0} \oplus Δ$ and insert the garbled gate $(T_{G}, T_{E})$ to $T$ .
  - $counter = counter + 1$ .
For $i \in CircuitOutputs (C)$ , do the following.
- Compute $d_{i} = LSB (X_{i}^{0})$ .
- Insert $d_{i}$ into $D$ .
The garbler outputs $(G, E, D)$ .

Input Encoding. Given $E = (e_{1}, \dots, e_{ℓ})$ , the garbler encodes the input $(x_{1}, \dots, x_{ℓ}) \in {0, 1}^{ℓ}$ as follows.

For all $1 \leq i \leq ℓ$ , compute $X_{i} = e_{i} \oplus x_{i} Δ$
Outputs $X = (X_{1}, \dots, X_{ℓ})$ .

Evaluating. The evaluating algorithm $Eval (C)$ is described as follows.

The evaluator takes as input the garbled circuit $T$ and the encoded inputs $X$ .
The evaluator obtains the input labels $(X_{1}, \dots, X_{ℓ})$ from $X$ and initiates $counter = 0$ .
For any non-input wire $i$ , do the following.
- If the gate associated to $i$ is a $XOR$ gate.
  - Let $(a, b) \leftarrow GateInputs (C, i)$ .
  - Compute $X_{i} = X_{a} \oplus X_{b}$ .
- If the gate associated to $i$ is an $INV$ gate.
  - Let $a \leftarrow GateInputs (C, i)$ ,
  - Compute $X_{i} = X_{a} \oplus P$ .
- If the gate associated to $i$ is an $AND$ gate.
  - Let $(a, b) \leftarrow GateInputs (C, i)$ ,
  - Let $s_{a} = LSB (X_{a})$ , $s_{b} = LSB (X_{b})$ .
  - Parse $T_{i}$ as $(T_{G}, T_{E})$ .
  - Compute $X_{G} = H (counter, X_{a}) \oplus s_{a} \cdot T_{G}$ .
  - $counter = counter + 1$ .
  - Compute $X_{E} = H (counter, X_{b}) \oplus s_{b} (T_{E} \oplus X_{a})$ .
  - Let $X_{i} = X_{G} \oplus X_{E}$ .
For $i \in CircuitOutputs (C)$ , do the following.
- Let $Y_{i} = X_{i}$ .
- Outputs $Y$ , the set of $Y_{i}$ .

Output Decoding. Given $Y$ and $D$ , the evaluator decodes the labels into outputs as follows.

For any $i$ , compute $y_{i} = d_{i} \oplus LSB (Y_{i})$ .
Outputs all $y_{i}$ .

Mina book

Full Description