 And privacy-free garbling schemes essentially aim to achieve only authenticity with increased efficiency. And they do this by sacrificing privacy. Applications of privacy-free garbling include zero knowledge, attribute-based key exchange, and anonymous credentials, among others. And our main result in this work is an information-celerated privacy-free garbling scheme for formulas. Some interesting properties of our construction looking ahead. It leaks both keys on some wires, some intermediate wires in the circuit, and this has no effect on the security of the construction. And there are no cryptographic assumptions with information-celerated, and it produces no psychotechs either. And interestingly, it's linear in the linear garbling model of Zahor and others from the Eurocrypt 15 work, and it overcomes a lower bound that they proved in the privacy-free setting. And our construction composes to garble formulas, and the intuition is that even though we leak some keys on intermediate wires, a key can be leaked on a wire, only if a gate occurring after it topologically has already been evaluated. And by definition, the output gate is last topologically. And unlike information-celerated constructions in the general setting that achieve privacy, our construction doesn't have a key size that's dependent on the depth of the circuit. And also, we score adaptive security in the language of Bellari and others for free as we don't produce any psychotechs. The construction produces no psychotechs. And we introduce efficient threshold gate garbling in the privacy-free setting. There's some background. A garbling scheme consists of a tuple of algorithms. Garble and code evaluate and decode. The garble algorithm takes the circuit description and the security parameter and outputs a garbled circuit encoding information and decoding information. The encoding information is combined with the clear input to give a garbled input, which can then be evaluated on a garbled circuit to produce a garbled output. The garbled output is then decoded to a clear output, and a natural correctness requirement is that the clear output obtained at the end of this procedure is the same as what we would have gotten if we had evaluated in the clear. So privacy informally captures that the information available to an evaluator leaks nothing about the input that was used to generate it. So this is formalized by requiring the existence of a simulator that produces the same values at the garbled circuit, encoded input, and decoding information without access to the actual clear input. So it's computationally indistinguishable from honestly generated values. Authenticity captures the unfoldability of garbled outputs. That is, if we're taking a look at the garbled scheme of flowchart again, if we replace the evaluation box with an adversary who outputs some white tilde, an authentic garbled scheme ensures that any output of an adversary in this case is always the output of honest evaluation and an adversary can't output a rather forged an output that's also valid and also not the output of honest evaluation. So privacy-free garbling. Friedrichs and others ask if we can gain efficiency by sacrificing privacy so that a garbled scheme can achieve authenticity more efficiently. And they find that we can up to 50% better in concrete costs. And the state-of-the-art that's the construction by Zaho and others requires only one ciphertext per AND gate and is optimal in the linear garbling model for privacy-free. And also the current state-of-the-art for general purpose garbling, that's half gates, is built on top of a privacy-free garbling scheme. So that's additional motivation to study the privacy-free setting. So our approach. This is the view of an evaluator and a constructor and a general gate garbling gadget. So the notation is as follows. A gate has two incoming wires, left and right, and an output wire. The left wire has keys L0, L1 corresponding to semantic values 0 and 1. The right incoming wire has R0, R1 corresponding to 0 and 1. And the gate itself has output keys K0, K1. And there are four ciphertexts, each of which use a unique combination of input keys to encrypt the output. The evaluator's view during evaluation is essentially one key on each of the input wires, and this allows them to decrypt any one of the ciphertexts that contains the correct output key. So taking a closer look at the evaluator's view, the general intuition or rather the intuition in the general setting is that all the information available to an evaluator, that is one key each on the left and right wire, should be sufficient to compute only the correct output key and nothing else. So this also implicitly captures that the semantics of the keys that the evaluator has are preserved, I mean are kept private. In the privacy-free setting, we can specify that the nothing else is specifically nothing else useful in forging the opposite key. We aren't concerned about protecting the semantics of the keys that the evaluator has. In fact, we use this to our advantage. So this, in a nutshell, is a core construction for gobbling an AND gate in the privacy-free setting. So all the zero keys are the same. That is... L0, R0, and K0 are essentially the same value, and we maintain that K1 is an additive secret sharing. I mean, it's additively secret shared to produce the input one keys, L1 and R1. So evaluation is quite straightforward. As an evaluator who has a zero key can directly copy that and set it as his output key. And an evaluator who has only one key exhausts them in order to get the output key. So an interesting thing to... an interesting aspect of this construction is consider the case where an evaluator has keys, let's say... L0 and R1. Since L0 is the same as R0 is the same as K0, he now has both keys on the right wire as L0 is the same as R0. So this could pose a problem in the general setting where he has two keys on the right wire and one key on the left wire. So multiple evaluations in the general setting are the problem as they could possibly leak the semantics of the keys that the evaluator has. But in the privacy-free setting, it doesn't matter, because, like I said, semantics are not... semantics of the keys are not something that we're concerned with protecting. So can we make multiple evaluations redundant? What do I mean by this? If we consider an AND gate, if one of the inputs is zero, it doesn't matter what the other input is as the output is always going to be zero. So specifically, if the evaluator has the left zero key, that's L0, whatever value he has on the other wire doesn't matter. As evaluating L0 with R0 is the same as evaluating L0 with R1. And this provides the output key K0. So the takeaway is that if the evaluator has L0, then we can leak both R0 as well as R1. And equivalently, we can leak L0 and L1 when the evaluator has R0. And the security analysis shows that this property is taken advantage of by our scheme. So if an evaluator is given L0, by definition, he's missing L1. So despite the fact that he's able to derive both right keys, K1, which is the opposite output key, stays perfectly hidden. Equivalently, if he's given R0, it doesn't matter what he has on the left wire. Even if he has both left keys, he's missing R1 and K1 is perfectly hidden. And if he has both L1 as well as R1, he's missing both L0 and R0, so K0 is perfectly hidden. So composition is an issue because we leak keys on certain input wires. So it's something we have to consider carefully. So first of all, XOR is the same as free XOR, very similar to free XOR. So one of the effects of leaking the input keys is that we can't reuse the wire keys across different gates. So what this means is that multi-fan out gates are a problem for our construction. So however, we can prove that this construction composes to garble formulas directly, that is circuits where all gates are a fan out one. This is because intuitively, the keys only leak towards the input wires. The keys don't leak towards the outputs. So only if you've evaluated a gate already, can you derive keys on wires before it. So let's take a look at threshold gates, which are another class of gates that we consider. A threshold gate essentially has N inputs and threshold T. The threshold gate outputs one if more than T of the inputs are one and outputs zero otherwise. It's generally interesting to consider to garble natively as DC0 is in a separate complexity class. But why is it interesting in the privacy-free setting? As they allow us to express some statements more naturally in some of their applications. So in zero knowledge, for instance, this means that we can prove statements of the form, I have witnesses for at least T out of these N statements without revealing exactly which statements or even how many statements. And in the case of attribute-based key exchange, we can implement policies of the form user at abuse must satisfy at least T out of these N policies more naturally without revealing exactly which or how many policies. So they were first considered to be garbled natively by Ball and others in the CCS16 work. So let's take a look at the construction, the intuition. So the terminology is as follows. If there are N input wires, the fourth wire has keys K0, K1 corresponding to semantic 0 and 1 on it and the output keys are K0, K1, right? So it's quite simple, really. The one key with K1 is T out of N shared in order to produce the input one keys. So the Ki ones comprise a T out of N sharing of K1. And we also require that the zero key not be accessible unless the evaluator is under the threshold of the ones that he requires. So the Ki zeros comprise an N minus T plus 1 out of N sharing of K0. Now, why do we do this? Let's consider a concrete example where we have N inputs and the threshold is 3, sorry, 9 inputs in the threshold is 3. So the Ki ones comprise a 3 out of 9 sharing of K1 and the Ki zeros comprise a 5 out of 9 sharing of K0. So for argument sake, consider the case where an evaluator has four or more Ki ones, right? So this enables him to reconstruct K1 quite easily, but this also directly implies that he has five or fewer shares of K0 and as K0 is 5 out of 9 shared, this means that it's completely inaccessible to the evaluator and this captures authenticity. Equivalently, if he has six or more shares of K0, that means that he has three or fewer shares of K1, which then does K1 completely inaccessible when he is able to reconstruct K0. So the properties of this construction are somewhat similar to the AND gate garbling that I described earlier. That is, you can clearly see that both keys on many wires are leaked after evaluation as once you reconstructed the curve, you essentially have all the keys for the correct input. And this construction produces no ciphertext either and is information theoretic and achieves adaptive security for this reason. Also, we can show that this composes the garbled threshold gates that are embedded in formulas. And this can be embedded in circuits, assuming very minimal symmetric key assumptions and choosing curves for the Chamee sharing that's required pseudo-randomly kind of enables a garbled row reduction that lets us garble threshold gates that are embedded in Boolean circuits with only n plus 1 ciphertext. Here's some gluing remarks. Generally, what do we do here? We have a better understanding of privacy-free garbling now with our AND and threshold gate garbling schemes. And also the fact that our garbling scheme uses only linear operations information theoretic and doesn't have a blow-up in key size. And despite this, it fits quite well at the model of Zaho and others and still overcomes their once-ciphertext lower bound for the privacy-free setting. We discussed this in more detail in the paper. We now have efficient privacy-free threshold gate garbling for threshold gates in Boolean circuits. And we have more extensions of the scheme and a more detailed discussion on the lower bound in our paper, which I encourage you to read. Some open problems that directly follow from this work can be built on the privacy-free construction for implode garbling in other settings. So, for instance, privacy-free garbling for circuits somehow inspired by the scheme or perhaps implode garbling for formulas in the private setting. And based on how we got around the bound in the privacy-free setting, any lessons to challenge the lower bound for the general setting for garbling schemes. It would be interesting to see if you could derive from this work. And that's it for the talk. Thank you.