## FleXOR: Flexible garbling for XOR gates that beats free-XOR

Vladimir Kolesnikov, Payman Mohassel, Mike Rosulek
CRYPTO 2014

When garbling a circuit, suppose an XOR gate has input wire labels $(A, A\oplus \Delta_A)$ and $(B, B\oplus \Delta_B)$ and we would like the output wire to have labels $(C, C\oplus \Delta_C)$ for some value $C$. The case of $\Delta_A = \Delta_B = \Delta_C$ corresponds to free XOR, since we can simply set $C = A \oplus B$.

Flexible XOR (fleXOR) is an approach for garbling XOR gates that works with any $\Delta_A, \Delta_B, \Delta_C$ values (these $\Delta$ values are called offsets). Roughly speaking, the garbler chooses random labels $A', B'$ and includes the following ciphertexts:

1. encryption of $A'$ under $A$
2. encryption of $A' \oplus \Delta_C$ under $A \oplus \Delta_A$
3. encryption of $B'$ under $B$
4. encryption of $B' \oplus \Delta_C$ under $B \oplus \Delta_B$

Hence, the evaluator can open up exactly one of ciphertexts 1/2, and one of ciphertexts 3/4. This effectively translates $(A, A\oplus \Delta_A)$ labels to $(A', A'\oplus \Delta_C)$, and translates $(B, B\oplus \Delta_B)$ labels to $(B', B'\oplus \Delta_C)$. Since the "translated" labels have the same desired offset $\Delta_C$, we can now do the free-XOR trick of setting $C = A' \oplus B'$.

Using garbled row-reduction, ciphertexts 1 & 3 can be removed (by choosing $A'$ and $B'$ implicitly and pseudorandomly). Further, if $\Delta_A = \Delta_C$ then ciphertext 2 is not needed; if $\Delta_B = \Delta_C$, then ciphertext 4 is not needed. Overall, the fleXOR method results in a garbled gate consisting of $|\{\Delta_A, \Delta_B, \Delta_C\}| - 1$ ciphertexts.
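The gate described above, garbled and evaluated end to end, as an added Python example (not code from the paper or its authors). It assumes truncated SHA-256 as a stand-in for the encryption, uses the low bit of each label as a select bit so the evaluator knows whether the implicit (row-reduced) or the transmitted ciphertext applies, and, when $\Delta_A = \Delta_B$, XORs the inputs first and translates once, which is how this example reaches the count $|\{\Delta_A, \Delta_B, \Delta_C\}| - 1$ in that case.

```python
import hashlib
import secrets

K = 16  # label length in bytes (constructed parameter)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(label, tweak):
    # Truncated SHA-256 stands in for the gate's encryption (assumption of this example).
    return hashlib.sha256(tweak + label).digest()[:K]

def rand_offset():
    # Force the low bit to 1 so a wire's two labels carry different select bits.
    d = bytearray(secrets.token_bytes(K))
    d[-1] |= 1
    return bytes(d)

def translate(X, d_in, d_out, tweak):
    """Garbler: map labels (X, X^d_in) to (X', X'^d_out); returns (X', ciphertexts)."""
    if d_in == d_out:
        return X, []                      # offsets agree: nothing to send
    lo, hi = (X, xor(X, d_in)) if X[-1] & 1 == 0 else (xor(X, d_in), X)
    lo_new = H(lo, tweak)                 # row reduction: implicit, no ciphertext
    hi_new = xor(lo_new, d_out)
    ct = xor(H(hi, tweak), hi_new)        # the one ciphertext that is sent
    return (lo_new if X == lo else hi_new), [ct]

def open_label(Y, cts, tweak):
    """Evaluator: translate the single label Y it holds for this wire."""
    if not cts:
        return Y
    h = H(Y, tweak)
    return h if Y[-1] & 1 == 0 else xor(h, cts[0])

def garble_xor(A, dA, B, dB, dC):
    """Return (C, gate): C is the output label paired with A xor B, offset dC."""
    if dA == dB:                          # free-XOR first, then translate once
        C, cts = translate(xor(A, B), dA, dC, b"ab")
        return C, {"merged": True, "a": cts, "b": []}
    A2, cta = translate(A, dA, dC, b"a")
    B2, ctb = translate(B, dB, dC, b"b")
    return xor(A2, B2), {"merged": False, "a": cta, "b": ctb}

def eval_xor(Ya, Yb, gate):
    if gate["merged"]:
        return open_label(xor(Ya, Yb), gate["a"], b"ab")
    return xor(open_label(Ya, gate["a"], b"a"), open_label(Yb, gate["b"], b"b"))
```

A full garbling scheme would also bind a unique gate identifier into the hash tweak; the fixed per-wire tweaks here keep the single-gate example short.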

By choosing $\Delta$ offsets for each wire in different ways, different properties can be achieved:

• By setting $\Delta$ to be the same for all wires, the construction collapses to standard Free-XOR.
• It is possible to set the $\Delta$ values to avoid the circularity problem of Free-XOR, pointed out by CKKZ12. With appropriate choice of offsets, fleXOR can be instantiated under a weaker (related-key, non-circular) hardness assumption.
• Free-XOR is compatible with 4-to-3 garbled row-reduction applied to non-XOR gates, but it is incompatible with the 4-to-2 variant described in PSSW09. Hence, with free-XOR the XOR gates cost nothing (in terms of garbled circuit size) while the AND gates cost 3 ciphertexts. With appropriate choice of offsets, fleXOR is compatible with 4-to-2 row reduction of its non-XOR gates. Hence, XOR gates cost 0, 1, or 2 ciphertexts, and non-XOR gates cost 2. For many circuits, this can lead to smaller overall size of garbled circuits than previous methods.