Inferensys

Glossary

Garbled Circuits

A cryptographic protocol that enables two-party secure computation by encrypting a boolean circuit gate-by-gate, allowing evaluation without revealing the inputs.
Data scientist reviewing AI evaluation metrics on dashboard, comparison charts visible, casual WeWork analytics setup.
CRYPTOGRAPHIC PROTOCOL

What is Garbled Circuits?

A foundational protocol for secure two-party computation that enables joint function evaluation while keeping each party's input private.

A garbled circuit is a cryptographic protocol that enables two-party secure computation by encrypting a Boolean circuit gate-by-gate, allowing evaluation without revealing the inputs. One party, the garbler, constructs an encrypted version of the circuit and their input, while the evaluator computes the output using oblivious transfer to learn only their designated output.

The protocol represents each wire in the circuit with two random cryptographic labels corresponding to logical 0 and 1. The garbler encrypts the truth table of each gate so the evaluator can decrypt exactly one output label per gate without learning the underlying plaintext values, ensuring input privacy throughout the computation.

CRYPTOGRAPHIC PRIMITIVES

Key Features of Garbled Circuits

Garbled circuits provide a foundational protocol for secure two-party computation, enabling mutually distrustful parties to jointly evaluate a function over their private inputs without revealing those inputs to each other. The following cards break down the core mechanisms and properties that define this technology.

01

Gate-by-Gate Encryption

The fundamental mechanism of a garbled circuit involves treating a boolean function as a logical circuit and encrypting it gate by gate. The garbler assigns two random cryptographic labels to each wire in the circuit, representing the values 0 and 1. For each logic gate, the garbler encrypts the output label using the corresponding input labels as keys. The evaluator can only decrypt the single output label that corresponds to their specific inputs, learning nothing about the alternative path.

02

Oblivious Transfer (OT) Integration

To initiate the protocol without revealing the evaluator's private input, garbled circuits rely on Oblivious Transfer (OT). The evaluator needs the wire labels corresponding to their input bits, but cannot ask the garbler directly without exposing those bits. OT allows the evaluator to select and receive the correct labels for their input from the garbler, while the garbler remains oblivious to which labels were chosen. This ensures the evaluator's input privacy from the very first step.

03

One-Time Use & Non-Reusability

A standard garbled circuit is inherently single-use. The cryptographic keys (wire labels) are generated for a specific execution. If the same garbled circuit were evaluated twice with different inputs, the evaluator could use the labels learned from the first execution to decrypt additional gates in the second, violating the garbler's input privacy. This property necessitates generating a fresh circuit for every computation, which is a primary driver of the protocol's computational overhead.

04

Constant-Round Communication Complexity

A significant advantage of the garbled circuit protocol is its constant number of communication rounds. The interaction between the garbler and evaluator is minimal: the garbler sends the garbled circuit and their input labels, the evaluator performs the OT for their input labels, and finally, the evaluator computes the result. This fixed, low-latency interaction pattern is independent of the circuit's depth, making it highly suitable for high-latency networks where minimizing back-and-forth is critical.

05

Point-and-Permute Optimization

A critical optimization to reduce evaluation cost is the point-and-permute technique. Without it, the evaluator would need to attempt decrypting a gate's ciphertext with multiple key combinations to find the correct one. Point-and-permute appends a random 'pointer' bit to each wire label. The garbler orders the gate's ciphertexts based on these pointer bits, allowing the evaluator to immediately identify which single ciphertext to decrypt using the pointer bits of the input labels they hold, reducing evaluation to one decryption per gate.

06

Security Against Semi-Honest Adversaries

The classic Yao's garbled circuit protocol is proven secure in the semi-honest (or honest-but-curious) security model. This assumes both parties follow the protocol exactly but may try to learn additional information from the messages they receive. It guarantees that the evaluator learns only the final output and their own input, while the garbler learns nothing about the evaluator's input. Extensions using cut-and-choose techniques or zero-knowledge proofs are required to achieve security against malicious adversaries who may deviate from the protocol.

CRYPTOGRAPHIC PROTOCOL COMPARISON

Garbled Circuits vs. Other Secure Computation Techniques

A technical comparison of garbled circuits against homomorphic encryption, secret sharing-based SMPC, and differential privacy across key operational dimensions for privacy-preserving computation.

FeatureGarbled CircuitsFully Homomorphic EncryptionSecret Sharing SMPCDifferential Privacy

Computational Model

Boolean circuit evaluation

Arithmetic circuits on ciphertext

Arithmetic/Boolean circuit sharing

Statistical noise injection

Number of Parties

2 (extendable to N)

1 (computation on encrypted data)

3+ (honest majority typical)

1 (data curator)

Communication Complexity

High (O(n) circuit size)

Low (no interaction during compute)

Very High (O(n) per multiplication)

None (statistical mechanism)

Computation Overhead

Moderate (symmetric key ops)

Extremely High (lattice operations)

Moderate (linear ops fast)

Negligible

Output Accuracy

Exact

Exact

Exact

Approximate (ε, δ bounded)

Resistant to Quantum Attacks

Round Complexity

Constant (1-2 rounds)

1 round (non-interactive)

Linear in circuit depth

Not applicable

Primary Use Case

Private set intersection, auctions

Cloud computation on encrypted data

Statistical analysis, voting

Public dataset release, analytics

GARBLED CIRCUITS EXPLAINED

Frequently Asked Questions

Clear, technically precise answers to the most common questions about Yao's Garbled Circuits protocol, its role in secure two-party computation, and its implementation in modern privacy-preserving systems.

A Garbled Circuit is a cryptographic protocol that enables two mutually distrustful parties to jointly evaluate a function over their private inputs without revealing those inputs to each other. The protocol works by having one party, the Garbler, encrypt a Boolean circuit representation of the function gate-by-gate. For each gate, the Garbler generates a garbled truth table by encrypting the possible output wire labels using the corresponding input wire labels as keys. The second party, the Evaluator, receives the garbled circuit and the wire labels corresponding to its own input via Oblivious Transfer (OT). The Evaluator then evaluates the circuit gate-by-gate, decrypting exactly one row per gate to obtain the output wire label, without learning any intermediate values or the Garbler's input. The final output labels are mapped back to plaintext bits using a decoding table. This construction guarantees semantic security for both parties' inputs, assuming the underlying symmetric encryption scheme is secure and the OT protocol is oblivious.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.