Cryptology ePrint Archive: Report 2016/685

Overlaying Circuit Clauses for Secure Computation

W. Sean Kennedy and Vladimir Kolesnikov and Gordon Wilfong

Abstract: Given a set S = {C_1,...,C_k } of Boolean circuits, we show how to construct a universal for S circuit C_0, which is much smaller than Valiantís universal circuit or a circuit incorporating all C_1,...,C_k. Namely, given C_1,...,C_k and viewing them as directed acyclic graphs (DAGs) D_1,...,D_k, we embed them in a new graph D_0. The embedding is such that a GC garbling of any of C_1,...,C_k could be implemented by a corresponding garbling of a circuit corresponding to D_0.

We show how to improve Garbled Circuit (GC) and GMW-based secure function evaluation (SFE) of circuits with if/switch clauses using such S-universal circuit.

The most interesting case here is the application to the GMW approach. We provide a novel observation that in GMW the cost of processing a gate is almost the same for 5 (or more) Boolean inputs, as it is for the usual case of 2 Boolean inputs. While we expect this observation to greatly improve general GMW-based computation, in our context this means that GMW gates can be programmed almost for free, based on the secret-shared programming of the clause.

Our approach naturally and cheaply supports nested clauses. Our algorithm is a heuristic; we show that solving the circuit embedding problem is NP-hard. Our algorithms are in the semi-honest model and are compatible with Free-XOR.

We report on experimental evaluations and discuss achieved performance in detail. For 32 diverse circuits in our experiment, our construction results 6.1x smaller circuit than prior techniques.

Category / Keywords: set-universal circuit, secure computation, garbled circuit, GMW

Date: received 7 Jul 2016, last revised 20 Oct 2016

Contact author: kolesnikov at research bell-labs com

Available format(s): PDF | BibTeX Citation

Note: slightly changed flow for clarity

Version: 20161020:131812 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]