$$\textsf {LogStack}$$: Stacked Garbling with $$O(b \log b)$$ Computation

Abstract

Secure two party computation (2PC) of arbitrary programs can be efficiently achieved using garbled circuits (GC). Until recently, it was widely believed that a GC proportional to the entire program, including parts of the program that are entirely discarded due to conditional branching, must be transmitted over a network. Recent work shows that this belief is false, and that communication proportional only to the longest program execution path suffices (Heath and Kolesnikov, CRYPTO 20, [HK20a]). Although this recent work reduces needed communication, it increases computation. For a conditional with b branches, the players use \(O(b^2)\) computation (traditional GC uses only O(b)).Our scheme \(\textsf {LogStack}\) reduces stacked garbling computation from \(O(b^2)\) to \(O(b \log b)\) with no increase in communication over [HK20a]. The cause of [HK20a]’s increased computation is the oblivious collection of garbage labels that emerge during the evaluation of inactive branches. Garbage is collected by a multiplexer that is costly to generate. At a high level, we redesign stacking and garbage collection to avoid quadratic scaling.Our construction is also more space efficient: [HK20a] algorithms require O(b) space, while ours use only \(O(\log b)\) space. This space efficiency allows even modest setups to handle large numbers of branches.[HK20a] assumes a random oracle (RO). We track the source of this need, formalize a simple and natural added assumption on the base garbling scheme, and remove reliance on RO: \(\textsf {LogStack}\) is secure in the standard model. Nevertheless, \(\textsf {LogStack}\) can be instantiated with typical GC tricks based on non-standard assumptions, such as free XOR and half-gates, and hence can be implemented with high efficiency.We implemented \(\textsf {LogStack}\) (in the RO model, based on half-gates garbling) and report performance. In terms of wall-clock time and for fewer than 16 branches, our performance is comparable to [HK20a]’s; for larger branching factors, our approach clearly outperforms [HK20a]. For example, given 1024 branches, our approach is \(31{\times }\) faster.Keywords2PCGarbled circuitsConditional branchingStacked garbling