Table of Contents
Fetching ...

Function Recovery Attacks in Gate-Hiding Garbled Circuits using SAT Solving

Chao Yin, Zunchen Huang, Chenglu Jin, Marten van Dijk, Fabio Massacci

TL;DR

This work analyzes gate-hiding garbled circuits in Semi-PFE and demonstrates that exposing circuit topology enables practical function-recovery of hidden gate types. It introduces topology-preserving simplifications (R-Wave, S-Class, Z-Class, ZS) and an incremental SAT-solving framework to dramatically prune the gate-type search space, enabling efficient recovery from IO observations. The authors present a baseline SAT-based decamouflaging approach and an optimized attack that separates candidate generation from discriminating-input searches, extending to scenarios with hidden inputs (Threat Model B). Empirical evaluation on ISCAS89, 2PC cryptographic circuits, and fault-tolerant sensor-fusion MPC circuits shows large speedups (up to $159$-fold) and successful recovery within a 24-hour budget, highlighting topology leakage as a practical vulnerability and motivating countermeasures such as circuit-level redundancy and gate-type simplifications.

Abstract

Semi-Private Function Evaluation enables joint computation while protecting both input data and function logic. A practical instantiation is gate-hiding garbled circuits, which conceal gate functionalities while revealing the circuit topology. Existing security definitions intentionally exclude leakage through circuit topology, leaving the concrete impact of such leakage on function privacy insufficiently understood. We analyze the empirical security of gate hiding under two adversarial models that capture realistic computational capabilities. We present a SAT-based function-recovery attack that reconstructs hidden gate operations from a circuit's public topology. To enable recovery on larger and more complex circuits, we develop an incremental SAT-solving framework combined with a set of composable, topology-preserving simplification theorems. These techniques jointly reduce the SAT instance size and progressively constrain the search space across repeated solving iterations. We evaluate our attack on ISCAS benchmarks, representative secure computation circuits, and fault-tolerant sensor fusion circuits under a fixed 24-hour recovery budget. Compared to baseline approaches, our optimized attack achieves up to a 159-fold speedup in recovery time without increasing the number of oracle queries. Our results demonstrate that topology leakage alone can enable effective function recovery in practice.

Function Recovery Attacks in Gate-Hiding Garbled Circuits using SAT Solving

TL;DR

This work analyzes gate-hiding garbled circuits in Semi-PFE and demonstrates that exposing circuit topology enables practical function-recovery of hidden gate types. It introduces topology-preserving simplifications (R-Wave, S-Class, Z-Class, ZS) and an incremental SAT-solving framework to dramatically prune the gate-type search space, enabling efficient recovery from IO observations. The authors present a baseline SAT-based decamouflaging approach and an optimized attack that separates candidate generation from discriminating-input searches, extending to scenarios with hidden inputs (Threat Model B). Empirical evaluation on ISCAS89, 2PC cryptographic circuits, and fault-tolerant sensor-fusion MPC circuits shows large speedups (up to -fold) and successful recovery within a 24-hour budget, highlighting topology leakage as a practical vulnerability and motivating countermeasures such as circuit-level redundancy and gate-type simplifications.

Abstract

Semi-Private Function Evaluation enables joint computation while protecting both input data and function logic. A practical instantiation is gate-hiding garbled circuits, which conceal gate functionalities while revealing the circuit topology. Existing security definitions intentionally exclude leakage through circuit topology, leaving the concrete impact of such leakage on function privacy insufficiently understood. We analyze the empirical security of gate hiding under two adversarial models that capture realistic computational capabilities. We present a SAT-based function-recovery attack that reconstructs hidden gate operations from a circuit's public topology. To enable recovery on larger and more complex circuits, we develop an incremental SAT-solving framework combined with a set of composable, topology-preserving simplification theorems. These techniques jointly reduce the SAT instance size and progressively constrain the search space across repeated solving iterations. We evaluate our attack on ISCAS benchmarks, representative secure computation circuits, and fault-tolerant sensor fusion circuits under a fixed 24-hour recovery budget. Compared to baseline approaches, our optimized attack achieves up to a 159-fold speedup in recovery time without increasing the number of oracle queries. Our results demonstrate that topology leakage alone can enable effective function recovery in practice.
Paper Structure (37 sections, 3 theorems, 27 equations, 7 figures, 2 tables, 4 algorithms)

This paper contains 37 sections, 3 theorems, 27 equations, 7 figures, 2 tables, 4 algorithms.

Key Result

theorem 1

Given any Boolean circuit $C = (\mathcal{N} \cup I \cup O, E, \mathcal{T})$ over the full two-input gate-type library $\mathcal{L}$, there exists a functionally equivalent circuit $C' = (\mathcal{N} \cup I \cup O, E, \mathcal{T'})$ with the same node set and edge set such that every gate $g$ outside where Here, $A$ and $B$ denote the left and right input wires of a two-input gate, respectively. A

Figures (7)

  • Figure 1: Example circuit annotated with S-Class gates ($s_0$), a Z-Class gate ($z_0$), and R-reduced gates ($R_0$). All remaining gates retain the full type library $\mathcal{L}$.
  • Figure 2: Circuit Complexity of the Evaluated Benchmarks. The top plot shows outputs and gates versus inputs; the bottom plot summarizes complexity using gate-to-output and input-to-output ratios.
  • Figure 3: Log-scale recovery runtime on representative MPC functions. Each subplot reports the recovery time as a function of input size for a fixed MPC functionality (Adder, Comparator, Hamming Distance, and SS). Results are shown under both threat models, with Model A in blue and Model B in green, and for four solver configurations: Ours+Simpl, Ours, Baseline+Simpl, and Baseline. The y-axis is plotted on a logarithmic scale.
  • Figure 4: Overall Impact of Simplifications
  • Figure 5: Impact of Baseline vs Optimized Algorithm
  • ...and 2 more figures

Theorems & Definitions (7)

  • definition 1
  • theorem 1: R topology-preserving simplification
  • definition 2: S-Class Gate
  • definition 3: Z-Class Gate
  • theorem 2
  • theorem 3: ZS topology-preserving Simplification
  • Remark 1