## CryptoDB

### Paper: $\mathsf {Free\ }{} \mathtt{IF}$ : How to Omit Inactive Branches and Implement $\mathcal {S}$ -Universal Garbled Circuit (Almost) for Free

Authors: Vladimir Kolesnikov DOI: 10.1007/978-3-030-03332-3_2 Search ePrint Search Google Slides ASIACRYPT 2018 Two-party Secure Function Evaluation (SFE) allows two parties to evaluate a function known to both parties on their private inputs. In some settings, the input of one of the parties is the definition of the computed function, and requires protection as well. The standard solution for SFE of private functions (PF-SFE) is to rely on Universal Circuits (UC), which can be programmed to implement any circuit of size $s$ . Recent UC optimizations report the cost of UC for $s$ -gate Boolean circuits is $\approx 5 s \log s$ .Instead, we consider garbling that allows evaluating one of a given set $\mathcal {S}$ of circuits. We show how to evaluate one of the circuits in $\mathcal {S}$ at the communication cost comparable to that of evaluating the largest circuit in $\mathcal {S}$ . In other words, we show how to omit generating and sending inactive GC branches. Our main insight is that a garbled circuit is just a collection of garbled tables, and as such can be reused to emulate the throw-away computation of an inactive execution branch without revealing to the Evaluator whether it evaluates active or inactive branch.This cannot be proven within the standard BHR garbled circuits framework because the function description is inseparable from the garbling by definition. We carefully extend BHR in a general way, introducing topology-decoupling circuit garbling. We preserve all existing constructions and proofs of the BHR framework, while allowing this and other future constructions which may treat garbled tables separately from function description.Our construction is presented in the semi-honest model.
##### BibTeX
@inproceedings{asiacrypt-2018-29183,
title={
$\mathsf {Free\ }{} \mathtt{IF}$
: How to Omit Inactive Branches and Implement
$\mathcal {S}$