Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting).

IACR Cryptol. ePrint Arch. (2019)

Abstract
We study the concrete security of high-performance implementations of half-gates garbling, which all rely on (hardware-accelerated) AES. We find that current instantiations using k-bit wire labels can be completely broken—in the sense that the circuit evaluator learns all the inputs of the circuit garbler—in time \(O(2^k/C)\), where C is the total number of (non-free) gates that are garbled, possibly across multiple independent executions. The attack can be applied to existing circuit-garbling libraries using \(k=80\) when \(C \approx 10^9\), and would require 267 machine-months and cost about $3500 to implement on the Google Cloud Platform. Since the attack can be fully parallelized, it could be carried out in about a month using \(\approx 250\) machines.
Keywords
security,half-gates,multi-instance