Paper 2014/460

FleXOR: Flexible garbling for XOR gates that beats free-XOR

Vladimir Kolesnikov, Payman Mohassel, and Mike Rosulek


Most implementations of Yao's garbled circuit approach for 2-party secure computation use the free-XOR optimization of Kolesnikov & Schneider (ICALP 2008). We introduce an alternative technique called flexible-XOR (fleXOR) that generalizes free-XOR and offers several advantages. First, fleXOR can be instantiated under a weaker hardness assumption on the underlying cipher/hash function (related-key security only, compared to related-key and circular security required for free-XOR) while maintaining most of the performance improvements that free-XOR offers. Alternatively, even though XOR gates are not always "free" in our approach, we show that the other (non-XOR) gates can be optimized more heavily than what is possible when using free-XOR. For many circuits of cryptographic interest, this can yield a significantly (over 30%) smaller garbled circuit than any other known techniques (including free-XOR) or their combinations.

Category: Cryptographic protocols
Publication info: A major revision of an IACR publication in CRYPTO 2014
Keywords: garbled circuits
Contact author(s): rosulekm @ eecs oregonstate edu
History: 2014-06-15: received
License: Creative Commons Attribution


      author = {Vladimir Kolesnikov and Payman Mohassel and Mike Rosulek},
      title = {FleXOR: Flexible garbling for XOR gates that beats free-XOR},
      howpublished = {Cryptology ePrint Archive, Paper 2014/460},
      year = {2014},
      note = {\url{}},
      url = {}