Point and Permute

As described in the last subsection, the evaluator has to decrypt all the four ciphertexts of all the garbled gates, and extracts the valid label. This trial decryption results in 4 decryption operations and ciphertext expansion.

The point-and-permute optimization of garbled circuit in BMR90 only needs 1 decryption and no ciphertext expansion. It works as follows.

For the two random labels of each wire, the garbler assigns uniformly random color bits to them. For example for the wire $a$ , the garbler chooses uniformly random labels $X_{a}^{0}, X_{a}^{1}$ , and then sets $LSB (X_{a}^{1}) = 1 \oplus LSB (X_{a}^{0})$ . Note that the random color bits are independent of the truth bits.
Then the garbled gate becomes the following. Suppose the relation of the labels and color bits are $(X_{a}^{0}, X_{a}^{1}) \leftrightarrow (0, 1)$ , $(X_{b}^{0}, X_{b}^{1}) \leftrightarrow (1, 0)$ , $(X_{c}^{0}, X_{c}^{1}) \leftrightarrow (0, 1)$

Color Bits $(a, b, c)$	Garbled Gate
$(0, 1, 0)$	$Enc_{X_{a}^{0}, X_{b}^{0}} (X_{c}^{0})$
$(0, 0, 0)$	$Enc_{X_{a}^{0}, X_{b}^{1}} (X_{c}^{0})$
$(1, 1, 0)$	$Enc_{X_{a}^{1}, X_{b}^{0}} (X_{c}^{0})$
$(1, 0, 1)$	$Enc_{X_{a}^{1}, X_{b}^{1}} (X_{c}^{1})$

Reorder the 4 ciphertexts canonically by the color bits of the input labels as follows.

Color Bits $(a, b, c)$	Garbled Gate
$(0, 0, 0)$	$Enc_{X_{a}^{0}, X_{b}^{1}} (X_{c}^{0})$
$(0, 1, 0)$	$Enc_{X_{a}^{0}, X_{b}^{0}} (X_{c}^{0})$
$(1, 0, 1)$	$Enc_{X_{a}^{1}, X_{b}^{1}} (X_{c}^{1})$
$(1, 1, 0)$	$Enc_{X_{a}^{1}, X_{b}^{0}} (X_{c}^{0})$

When the evaluator gets the input label, say $X_{a}^{1}, X_{b}^{1}$ , the evaluator first extracts the color bits $(LSB (X_{a}^{1}), LSB (X_{b}^{1})) = (1, 0)$ and decrypts the corresponding ciphertext (the third one in the above example) to get a output label.

Encryption Instantiation

The encryption algorithm is instantiated with hash function (modeled as random oracle) and one-time pad. The hash function could be truncated $SHA 256$ . The garbled gate is then as follows.

Color Bits $(a, b, c)$	Garbled Gate
$(0, 0, 0)$	$H (X_{a}^{0}, X_{b}^{1}) \oplus X_{c}^{0}$
$(0, 1, 0)$	$H (X_{a}^{0}, X_{b}^{0}) \oplus X_{c}^{0}$
$(1, 0, 1)$	$H (X_{a}^{1}, X_{b}^{1}) \oplus X_{c}^{1}$
$(1, 1, 0)$	$H (X_{a}^{1}, X_{b}^{0}) \oplus X_{c}^{0}$

For security and efficiency reasons, one usually uses tweakable hash functions: $H (tweak, \cdot)$ , where $tweak$ is public and unique for different groups of calls to $H$ . E.g., $tweak$ could be the gate identifier. Then the garbled gate is as follows. The optimization of tweakable hash functions is given in following subsections.

Color Bits $(a, b, c)$	Garbled Gate
$(0, 0, 0)$	$H (gid, X_{a}^{0}, X_{b}^{1}) \oplus X_{c}^{0}$
$(0, 1, 0)$	$H (gid, X_{a}^{0}, X_{b}^{0}) \oplus X_{c}^{0}$
$(1, 0, 1)$	$H (gid, X_{a}^{1}, X_{b}^{1}) \oplus X_{c}^{1}$
$(1, 1, 0)$	$H (gid, X_{a}^{1}, X_{b}^{0}) \oplus X_{c}^{0}$

Mina book

Point and Permute

Encryption Instantiation