AuthOr: Lower Cost Authenticity-Oriented Garbling for Arbitrary Boolean Circuits

Osman Biçer, Ali Ajorian

TL;DR

AuthOr tackles the cost of authenticity-oriented garbling for arbitrary Boolean circuits by combining information-theoretic garbling with enhanced half-gates in a two-phase forward-backward framework. The scheme exploits FreeXOR compatibility and strategically assigns gates to forward HG/FreeXOR or backward ITAND/ITXOR garbling, achieving significant reductions in garbled-circuit size while preserving verification and security guarantees under CCR. Theoretical results show authenticity and verifiability hold, built on the security of prior HG and IT garblings, and practical experiments demonstrate substantial GC-size savings (up to around 98% in some circuits) with competitive computation costs. Overall, AuthOr delivers a bandwidth-efficient authenticity-oriented garbling approach with strong practical potential for verifiable outsourced computation and ZKP integrations. The work also provides a detailed implementation and empirical evaluation across circuit families, highlighting the dependence of gains on circuit structure and gate connectivity.

Abstract

Authenticity-oriented (previously named "privacy-free") garbling schemes of Frederiksen et al. Eurocrypt '15 are designed to satisfy only the authenticity criterion of Bellare et al. ACM CCS '12, and to be more efficient compared to full-fledged garbling schemes. In this work, we improve the state-of-the-art authenticity-oriented version of half gates (HG) garbling of Zahur et al. Crypto '15 by allowing it to be bandwidth-free if any of the input wires of an AND gate is freely settable by the garbler. Our full solution AuthOr then successfully combines the ideas from information-theoretical garbling of Kondi and Patra Crypto '17 and the HG garbling-based scheme that we obtained. AuthOr has a lower communication cost (i.e. garbled circuit or GC size) than HG garbling without any further security assumption. Theoretically, AuthOr's GC size reduction over HG garbling lies in the range between 0 and 100%, and the exact improvement depends on the circuit structure. We have implemented our scheme and conducted tests on various circuits that were constructed by independent researchers. Our experimental results show that in practice, the GC size gain may be up to roughly 98%.

Paper Structure

This paper contains 19 sections, 9 theorems, 5 equations, 5 figures, 13 tables.

Key Result

theorem 1

Once a wire that is input to a gate $i$ is labeled as $\mathsf{TypeS}$ by the $\mathsf{Gb}$ algorithm, then during the forward phase, its label may be changed into $\mathsf{TypeF}$ only when a gate $j\leq i$ is being garbled.

Figures (5)

  • Figure 1: The impact of using $\mathsf{HG0}$, $\mathsf{HG1}$ and $\mathsf{ITAND}$ on the garbled circuit. The circuits are in topological order, left to right.
  • Figure 2: Example formations of $\mathsf{TypeF}$ wires and $\mathsf{TypeB}$ wires upon $\mathsf{Ga}$ executions on example $f_1$, $f_2$, and $f_3$ (left to right in topological order).
  • Figure 3: An example circuit with size $g$ obtained by repeating $\mathsf{A}$-boxes $g/6$ times. $\mathsf{A}$-box construction is also shown. Circuits are left to right in topological order.
  • Figure 4: The effect of using HGx gates for garbling a generic circuit and their impact on the size of the encoded text.
  • Figure 5: Example formations of $\mathsf{TypeF}$ wires and $\mathsf{TypeB}$ wires upon $\mathsf{Ga}$ executions on example $f_1$, $f_2$, and $f_3$ (left to right in topological order).

Theorems & Definitions (23)

  • definition 1: Correctness
  • definition 2: Authenticity
  • definition 3: Verifiability
  • theorem 1
  • proof
  • theorem 2
  • theorem 3
  • proof
  • lemma 1
  • proof
  • ...and 13 more