## On the Security of the "Free-XOR" Technique

Seung Geol Choi, Jonathan Katz, Ranjit Kumaresan, Hong-Sheng Zhou
TCC 2012 [pdf] [bibtex]

This paper shows that a natural variant of correlation-robustness (IKNP03) does not suffice to prove the security of the free-XOR technique KS08.

With free-XOR, a garbled gate is constructed using ciphertexts of the form ⚠️{$H(A\|B\|T) \oplus C$}, where ⚠️{$A,B$} are incoming wire labels and ⚠️{$C$} is an outgoing wire label. When using free-XOR, wire labels on each wire are correlated via a secret and global offset ⚠️{$\Delta$}. Hence we encounter situations where ciphertexts take the form ⚠️{$H(A \oplus \Delta\|B \oplus \Delta\|T) \oplus C \oplus \Delta$}, where ⚠️{$A,B,C,T$} are all known and ⚠️{$\Delta$} is secret. The appearance of ⚠️{$\Delta$} both inside and outside of the call to ⚠️{$H$} require a stronger property of ⚠️{$H$} than simple correlation robustness. Indeed, a black-box separation between free-XOR security and correlation robustness is shown.

The authors propose a slightly stronger notion called circular 2-correlation robustness. A function ⚠️{$H$} satisfies this security definition if, for random choice of ⚠️{$\Delta$}, it is infeasible to distinguish the following oracle from a random function:

⚠️{$\mathcal{O}_\Delta(A,B,T,b_1,b_2,b_3) = H(A \oplus b_1 \Delta \| B \oplus b_2 \Delta \| T) \oplus b_3 \Delta$}

The authors prove that the free-XOR garbling scheme of KS08 is secure when instantiated using a circular 2-correlation robust function.