 these garbled gates, okay? So at the moment, I showed you a construction where the garbled gates cost four ciphertext. And if you recall, we chose all the wire labels randomly, but what if I chose the output wire label C0 in this case to be the value that when encrypted under A0, B0 gives the all zeros ciphertext. So by choosing C0 in that way, it ensures that the first ciphertext and this picture is always all zeros all the time. That means I don't really have to send it, right? It can just be understood to be the all zeros ciphertext by the receiver. So I really only have to send three ciphertext. There's another advanced technique that's due to Pinkus at all that further reduces the size of these garbled gates from four to two. I won't tell you how to do it, but for the purposes of the talk, we'll need to know that such a thing exists. So that's one way to reduce the size of a garbled circuit. Another one that I want to talk about is free XOR. So to understand free XOR, let me introduce an additional quantity called, that'll call the offset of a wire. So the XOR of the two wire labels on a wire is the offset and it'll be convenient for us to just give that a special name like Delta. So here are three wires. They have three different offsets, but the idea of free XOR is to arrange things so that every wire in the circuit has the same secret offset that I'll call Delta. And you'll notice that if you take any combination of input wires and XOR them together, there's only two possible things that you get out that I've drawn in the picture here and their logic corresponds to the logic of an XOR gate. So really I don't have to send any ciphertext at all. You evaluate this garbled gate just by XORing the input wire labels. So this is great, XOR gates are free, and, but I still have to garble the other non-XOR gates. Okay, so that's another way to reduce the size of a garbled circuit. And so free XOR is great and it's kind of the, has been the king of garbled circuits for a while, but I'll just wanna point out a couple small limitations. The first is kind of a theoretical concern that namely free XOR requires some sort of strong hardness assumption on the encryption function that you use to generate the garbled gates. I'll come back to that in a second. There is a construction by Applebaum that avoids this, but it somehow, it changes the rules a bit for one thing and it uses kind of a randomized encoding. And it also, its concrete parameters aren't really competitive with block cipher or key derivation function-based garbled circuits. And the other limitation of free XOR is that it's incompatible with this row reduction technique that reduces garbled gates from four to two cipher texts. So if you use free XOR, your XOR gates are free, you can get the other gates to cost three cipher texts but you can't get the other gates to cost two cipher texts and I'll get into more detail about why that is, but it's a limitation of the free XOR technique. So the question that motivates our work is whether we can get the benefits of free XOR as much as possible without these two limitations that I mentioned and I won't leave you in suspense. The answer is yes, we can do this and so for the rest of the talk, I'd like to explain why that is and how we go about doing that. So in this work, we present a new way to garbled XOR gates that I'll call flexible XOR or flexor for short. So it's a way to generate a garbled circuit, a new way to deal with XOR gates in a garbled circuit and so I've drawn an XOR gate here and there are three wires touching it and they have different offsets. You know, if they all had the same offset, I would probably just use the free XOR approach and I'd be happy but this is a new way to deal with what happens when there are different offsets on the different wires. So in my head, I think, well, let me just come up with some, these two input wires don't have good offsets for me, I want them to have offset delta C. Why don't I just imagine a new set of wire labels, I'll just pull them out of the air and these wire labels have the correct offset and so I want the output be offset delta C, I'll just imagine two new pairs of wire labels that have output offset delta C and if I can somehow translate from the old wire labels to these new wire labels, then using the new wire labels I could just use the free XOR trick with no further cryptography. So the question is, how can I get from these old wire labels to these new wire labels and the way to do that is, why don't I just encrypt the old false, encrypt the new false label using the old false labels as a key, encrypt the new true label under the old true label and I'll do that for both of these wires. So I claim that these ciphertexts that I've shown here allow you to go from the old wire labels to the new wire labels on which you'll just do the free XOR trick, right? So if you know exactly one of the input wire labels, you'll be able to open exactly one of the ciphertext and get exactly one of the new labels and then you'll be all set to do the free XOR trick, okay? So this is great and hopefully you're convinced that it works but maybe this is nothing to be very proud about because I've shown you how to garble an XOR gate using four ciphertexts, which is not very good at all but fortunately we can reduce the size of these ciphertext by using this row reduction trick, right? So instead of, in this picture, I'm choosing A star and B star randomly, I don't have to do that, why don't I choose A star and B star to be the values that cause those first ciphertext in each pair to be all zeros, right? I can do that and now I'm only giving you two ciphertexts to garble this XOR gate, okay? That's a little bit better and I'll make one further observation that if this first input wire already had the offset that I needed for the output wire, I don't have to do anything at all, right? The purpose of these two ciphertexts was to translate from one offset to another but if it's already the right offset to begin with, I don't have to give you any ciphertext and same for the bottom wire, right? If all three of the original offsets are the same, I don't have to give you any ciphertext at all and the construction collapses to free XOR in that case. So overall, our flexor construction is a way to garble XOR gates and the size of the garbled gate is zero, one or two ciphertext and that size depends on how many of these different offsets match up, right? So if I could get a lot of offsets to be the same, then I get to include fewer ciphertexts in the final garbled circuit, okay? So you might be wondering at this point where did these offsets come from? They're kind of mysterious. So I wanna talk about that for a second. So let me define a wire ordering as just a way to assign offsets to different wires in the circuit. So I might say that these wires get some offset delta one and these wires get an offset delta two and so on. And if I choose these offsets in different ways, I'll get a garbled circuit of different sizes because that's the way this flexor scheme works. And so we kind of have an optimization problem. We wanna assign offsets to each wire in such a way that it kind of minimizes the total size of the garbled circuit. One way to choose offsets is to just put every wire, say every wire has the same offset and then our construction becomes free XOR. That's one way to do it, but I also want to avoid some of the limitations of free XOR, the two limitations that I mentioned earlier. And I claim that there is a property of these wire orderings such that if you use a wire ordering with that property, you avoid limitation number one and there's another property of wire orderings and if you use our construction with the wire ordering of that property, you avoid limitation number two. And so we end up getting kind of an interesting combinatorial optimization problem. So we wanna find the assignment of offsets to wires in a circuit subject to these combinatorial constraints, which I'll describe that minimizes the total cost of the garbled circuit in the end, okay? So I'm gonna tackle these two points one at a time here. So the first limitation of free XOR is that it requires some kind of circularity assumption on the encryption scheme. So why is that? So recall in free XOR, the XOR gates are free, but an AND gate is not free. You have to generate some ciphertext. So here's a garbled AND gate and I'm in the free XOR context because it's the same delta everywhere. So that's the free XOR setting. And look what we did here. Delta is a secret and I'm using it as a kind of in the key context and kind of in a plain text context. That's a key cycle. So a normal encryption scheme isn't quite secure. Under this usage, you need an assumption of some a circular security assumption, okay? So we wanna avoid that by choosing offsets on the wires in a special way. And how do you avoid a key cycle? Well, we're gonna impose a numbering on all the offsets. I'm gonna make sure that whenever I generate a ciphertext, the index of the key is smaller than the index of the plain text that it's encrypting. I could do that just by having this monotonicity property of the circuit, right? The index of these offsets always increases as I go from inputs to outputs. That means I'm always generating ciphertext that we're kind of obeying a total order. There's never gonna be a cycle. And I'll just point out that for an AND gate, I always encrypt the output wire under the input wire. But for an XOR gate, I don't always generate ciphertext. Like if the input wire label, if the input offset equals the output offset, I don't include a ciphertext in that case. So that's why I have a strict inequality in the first case and a non-strict inequality in the second case, okay? But hopefully it's clear that if the wire ordering satisfies this property, I never generate any sort of key cycles. The keys obey a nice linear order. I can have the proof go through with a standard weaker assumption. So that's what we prove in the paper. So instantiate our flexor construction and garble a circuit. If you're using a monotone wire ordering, you don't need the circularity assumption. You need a weaker related key assumption that turns out to be kind of the same assumption that you use for OT extension. So if you're interested in practical NPC, you're already okay with that assumption. Otherwise you're taking way too long to do lots of OTs. So there are many different wire orderings that satisfy this monotonicity property. We show that it's NP hard to find the optimal one, the one that completely minimizes the size of the garbled circuit. But we have a heuristic that's very simple. It seems to do okay. So let's see exactly how well it does. So as I said, our metric in this talk is the total size of the garbled circuit and I'm measuring it here in ciphertext per gate. So in the classical scheme, you can do every gate using two ciphertexts. In the free XOR scheme, XOR gates are zero. Non-XOR gates are three. So for different circuits, you get different numbers. And our flexor instantiated with a monotone ordering that we can find through a heuristic gives this performance. It's a little bit worse than free XOR. So, but it's kind of comparable, I would say. And I think this is an interesting theoretical question. Like what is the cost of the circularity assumption in this domain? That's kind of an interesting question, but maybe you don't care about hardness assumptions. You just want fast as possible NPC. If you're willing to pay, you know, random oracle model is fine. You just want a small garbled circuit as possible. Then you're really gonna love the next part of the talk, where I talk about, we're gonna revisit this idea of row reduction, okay? So I mentioned that free XOR is incompatible with this really aggressive four to two row reduction that reduces the size of the garbled gates to two ciphertexts. So why is that? And if you remember, the way we got from four to three is by instead of choosing a wire label uniformly at random, we chose it as a fixed function of the input wire labels. We had no control over what this wire label should be. It was totally determined by the input wire labels. And I won't describe what the four to two row reduction is, but the way that it works is by setting both of the output wire labels implicitly as a function of the input wire labels. So when you use this four to two row reduction, you have no control over the output wire labels. That means you have no control over the offset. And that sort of makes it hard to work with free XOR because free XOR says every wire has to have this fixed offset that's not gonna happen here. Okay, but flexor has no such limitation about the offsets. Different wires can have different offsets and we're happy. So imagine you had a wire ordering where you look at all of the AND gates in the circuit and look at all of their output wires and none of them shared the same offset. So that means when I go to garble this first AND gate, I'll use two ciphertext and I'll have no control over the offset. But that's fine. That's the first time I ever used Delta I. And so that'll kind of implicitly set Delta I. It'll set it outside of my control. And that's fine because next time I get to another AND gate and I go to garble it, I'll never be asked to have it match the offset of Delta I. It'll always be a fresh offset that I've never seen before. All right, so that's kind of the idea. All the AND gates outputs have to have different offsets. And there's some fine print that if you're really curious, I encourage you to look at the paper for it. But this is the main idea, is just to ensure that AND gates have distinct offsets. And so we show that if you use a wire ordering of this kind and you garble the circuit with flexor, you can garble AND gates with two ciphertexts and then of course you can garble XOR gates with zero, one or two, right? So that's kind of nice. We don't exactly have a proof of NP completeness or NP hardness. We assume that it's NP hard, but we just don't happen to have a proof in the paper. We have a heuristic that seems to do well. And so I have another slide showing how well it does. So this is the current state of the art in the talk. And now what happens, now that we're able to reduce the size of AND gates as well, we can actually do better than free XOR, which is something that was very surprising to me when I started this project. I didn't think it was possible to have smaller garbled circuits than the top two rows here. But in fact, we can have smaller garbled circuits than free XOR. And I'm almost out of time, but I just want to say a couple of things. First is that these bottom two rows just reflect the heuristics that we were able to find. We don't claim that these are as low as flexor can go. You might be able to find better wire orderings that will decrease the size of the garbled circuits further. And the other thing is I just want to remind you that if you were to implement flexor, which is on our list of things to do, that it collapses to free XOR in a very natural way. So it's not like you have to choose between row two and row four, right? It looks like sometimes free XOR is better, sometimes flexor is better. You're torn about which one you implement in your protocol. Well, if you implement flexor, there's going to be a trivial way to have it give you the minimum of rows two and row four. So it's not like you really have to choose. It kind of subsumes free XOR. So that's all I have to say. I'll just summarize our work. So I described a new way to garble XOR gates that results in a cost of zero one or two ciphertext per gate. And there's a way to instantiate our scheme that avoids this troublesome harness assumption of free XOR. And there's another way to instantiate our scheme that often gives smaller garbled circuits than free XOR. So with that, I'll conclude my talk and thanks for your attention.