Paper 2024/2048

How to Compress Garbled Circuit Input Labels, Efficiently

Marian Dietz, ETH Zurich
Hanjun Li, University of Washington
Huijia Lin, University of Washington
Abstract

Garbled circuits are a foundational primitive in both theory and practice of cryptography. Given $(\hat{C}, K[x])$, where $\hat{C}$ is the garbling of a circuit C and $K[x] = \{K[i, x_i]\}$ are the input labels for an input $x$, anyone can recover $C(x)$, but nothing else about the input $x$. Most research efforts focus on minimizing the size of the garbled circuit $\hat{C}$. In contrast, the work by Applebaum, Ishai, Kushilevitz, and Waters (CRYPTO' 13) initiated the study of minimizing the cost for transferring the input labels $K[x]$. Later improved in a follow-up by Applebaum et al. (STOC' 23), the state-of-the-art techniques allow compressing the input labels to the optimal rate of $1 + o(1)$. That is, each input label can be transferred by essentially sending 1 bit. However, existing solutions are computationally expensive, requiring large numbers of public-key operations (such as RSA exponentiation). In this work, we present an efficient input label compression technique based on Ring-LWE. We achieve the same optimal rate of $1 + o(1)$, by making use of additional communication in an offline stage (before the input $x$ becomes known), a paradigm that has already been explored in prior works. A novel feature of the offline communication in our scheme is that the information sent is either reusable or compressible using a random oracle, leading to small amortized offline cost $o(|x|)$. We further demonstrate concrete efficiency through an implementation whose online latency out-performs the naive baseline (which sends all of $K[x]$ in the online phase) in a realistic network with a bandwidth of up to 45Mbps. This break-even point could be pushed even further by leveraging the large potential for parallelization of computation. Finally, we apply our techniques to construct maliciously-secure two-party computation protocols with succinct online communication: The online phase starts once the circuit C becomes known, and requires exchanging only $poly(\lambda)$ bits (independent of $|C|$). After inputs $x_A$, $x_B$ arrive, an additional $|x_A| + |x_B | + poly(\lambda)$ bits need to be sent.

Note: Dec. 24, 2024: added acknowledgements. Jan. 07, 2025: added reference to [GS18,GOS18] on pg. 3. Feb. 07, 2025: replace wrong version of abstract on website.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint.
Keywords
garbled circuitssecure computation
Contact author(s)
marian dietz @ inf ethz ch
hanjul @ cs washington edu
rachel @ cs washington edu
History
2025-02-08: last of 3 revisions
2024-12-19: received
See all versions
Short URL
https://ia.cr/2024/2048
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/2048,
      author = {Marian Dietz and Hanjun Li and Huijia Lin},
      title = {How to Compress Garbled Circuit Input Labels, Efficiently},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/2048},
      year = {2024},
      url = {https://eprint.iacr.org/2024/2048}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.