Point-and-permute

A method to reduce evaluation time for a garbled circuit. In early "textbook" constructions of garbled circuits, the sender randomly permutes the 4 ciphertexts that comprise each garbled gate, and the evaulator would have to decrypt all 4 ciphertexts (with only one ciphertext decrypting properly). This is done so that the ordering of the garbled gate does not leak the truth values of the wire labels. Using point-and-permute, the wire labels for each wire are randomly given select bits 0 and 1. Since the assignment of select bits is independent of the wire labels' association with true and false, the select bits can be safely revealed to the evaluator, typically as the least significant bit of the wire labels. Then the ciphertexts of the garbled gate can be ordered according to the select bits of the input wires. That way, the evaluator can simply use the select bits he sees as pointers to index the appropriate ciphertext rather than performing trial decryption on all 4. [TODO: acknowledge first instance of point-permute]