A Garbled Circuit is constructed by one party, the garbler, who transforms a Boolean circuit representing the desired function into an encrypted version. Each logic gate's truth table is replaced with encrypted versions of its output labels, a process known as garbling. The garbler then sends this encrypted circuit and the labels corresponding to its own private input to the second party, the evaluator. The evaluator uses a cryptographic protocol called oblivious transfer to obtain only the labels for its own private input, without the garbler learning which specific input values were selected.
LABS
Glossary
Garbled Circuits
A foundational cryptographic protocol for secure multi-party computation (MPC) that allows parties to jointly compute a function while keeping their individual inputs private.
Chainscore © 2026
definition
CRYPTOGRAPHIC PROTOCOL
What is Garbled Circuits?
Garbled Circuits (GC) is a foundational cryptographic technique that enables secure two-party computation, allowing two mutually distrustful parties to jointly compute a function on their private inputs without revealing those inputs to each other.
The evaluator then proceeds to evaluate the encrypted gate-by-gate, using the garbled truth tables and the input labels. Crucially, at each step, the evaluator can decrypt only one output label per gate, learning nothing about the underlying logic or the other possible outputs. This process continues until the final output labels are produced. The garbler then provides a mapping to translate these final labels back into the plaintext result of the computation, which is shared with both parties. The core security guarantee is that the evaluator learns nothing beyond the final output and what is inherently revealed by it.
Garbled Circuits are a cornerstone of secure multi-party computation (MPC) and are particularly efficient for functions with low circuit depth. Key optimizations like the Free XOR technique and half-gates have dramatically improved their performance, making them practical for real-world applications. Common use cases include privacy-preserving data analytics, secure auctions, genomic testing, and blockchain-based applications like private smart contracts and zk-SNARKs, where they are used within cryptographic primitives to prove correct execution without revealing underlying data.
how-it-works
CRYPTOGRAPHIC PROTOCOL
How Garbled Circuits Work
Garbled Circuits (GC) are a cryptographic technique that enables two or more parties to jointly compute a function on their private inputs without revealing those inputs to each other. It is a cornerstone of secure multi-party computation (MPC).
A Garbled Circuit is a cryptographic protocol that allows two mistrusting parties, often called Alice and Bob, to compute any function f(x, y) where x is Alice's private input and y is Bob's private input. The core innovation is that the function's logic (e.g., an AND or XOR gate) is "garbled" or encrypted by one party, allowing the other to evaluate it on encrypted inputs without learning the underlying truth table or the other party's data. This process ensures that nothing is revealed beyond the final output of the computation, fulfilling the promise of privacy-preserving computation.
The protocol operates in a series of defined steps. First, one party (the garbler) compiles the function f into a Boolean circuit. They then "garble" this circuit by encrypting the truth table of each logic gate: for every possible input wire combination, the corresponding output wire label is doubly encrypted using a symmetric cipher like AES. The garbler sends this encrypted circuit to the other party (the evaluator), along with the garbled labels corresponding to their own private input. The evaluator then obtains the labels for their own input via a 1-out-of-2 Oblivious Transfer protocol, which delivers the correct label without the garbler learning which one was chosen.
With all input labels in hand, the evaluator can now decrypt, gate-by-gate, a single entry in each garbled truth table to propagate the correct output labels through the entire circuit. This process reveals no intermediate values, only the final garbled output labels. The garbler then provides a mapping to translate these final labels back into plaintext results, which are shared with both parties. The security relies on the assumption that the encryption scheme is secure and that the evaluator cannot decrypt more than one row per garbled gate, ensuring semantic security for all non-output values.
While powerful, classical Garbled Circuits have practical limitations, including significant communication overhead for large circuits and being restricted to two-party settings. Modern optimizations like the Free XOR technique, which allows XOR gates to be processed without cryptographic cost, and half-gates for AND gates, have drastically improved performance. Furthermore, frameworks like Yao's Protocol (the two-party case) and its extensions to multi-party computation (MPC) have cemented GCs as a vital tool for building privacy-enhancing applications such as private set intersection, secure auctions, and privacy-preserving machine learning.
key-features
SECURE MULTI-PARTY COMPUTATION
Key Features of Garbled Circuits
Garbled Circuits are a cryptographic protocol enabling two parties to jointly compute a function on their private inputs without revealing those inputs to each other. This glossary breaks down its core mechanisms and properties.
01
Boolean Circuit Foundation
A Garbled Circuit is built upon a Boolean circuit representation of the function to be computed. Each logic gate (AND, OR, XOR) is individually "garbled" by the circuit generator, who creates an encrypted truth table for each gate. This ensures the evaluator can compute the output of each gate without learning the actual input bits.
02
Two-Party Oblivious Transfer
The protocol's security relies on Oblivious Transfer (OT). After garbling the circuit, the generator must send the specific encrypted input wire labels corresponding to the evaluator's private bits. OT allows the evaluator to receive these labels without the generator learning which labels (and thus which input bits) were chosen, and vice versa.
03
Input & Output Privacy
The primary security guarantee is input privacy. Neither party learns anything about the other's input beyond what is revealed by the function's output. Output privacy can also be achieved, where only one party learns the final result. The protocol reveals only the agreed-upon output of the computed function.
04
Computational Overhead
Garbled Circuits are computationally intensive, with overhead scaling with the size of the Boolean circuit. Key costs include:
- Non-interactivity: After the initial OT phase, only one message (the garbled circuit and input labels) is sent.
- Symmetric Crypto: Operations primarily use efficient symmetric-key encryption (e.g., AES).
- Circuit Size: Performance is directly tied to the number of gates in the function.
05
The Garbling Scheme
This is the core algorithm that defines how a circuit is garbled and evaluated. A secure scheme must satisfy:
- Correctness: A correct output is computed if both parties are honest.
- Privacy: The evaluator learns nothing beyond the output.
- Obliviousness: The generator learns nothing from the garbled circuit alone.
- Authenticity: The evaluator cannot forge a valid output for a different input.
06
Free XOR Optimization
A major optimization, Free XOR, allows XOR gates to be garbled and evaluated with virtually no cryptographic cost. It works by assigning wire labels such that the label for a wire carrying value 1 is the exclusive-OR (XOR) of the label for 0 and a fixed global secret (Δ). This drastically improves performance for circuits rich in XOR operations.
etymology-history
ORIGINS
Etymology and History
The development of garbled circuits is a foundational story in cryptography, bridging theoretical computer science with practical secure computation.
The concept of garbled circuits was first introduced in 1986 by computer scientists Andrew Yao in his seminal paper "How to Generate and Exchange Secrets." Yao's pioneering work established the framework for secure two-party computation (2PC), where two distrustful parties can jointly compute a function on their private inputs without revealing those inputs to each other. The term "garbled" refers to the process of encrypting and permuting the values associated with each logic gate's truth table, rendering the circuit's internal workings unintelligible to the evaluator.
For nearly two decades, garbled circuits remained a theoretical construct, considered elegant but too computationally intensive for practical use. This changed in the 2000s with significant optimizations, most notably the point-and-permute technique and free XOR gates introduced by Vladimir Kolesnikov and Thomas Schneider. These breakthroughs drastically reduced the communication and computational overhead, transforming garbled circuits from a cryptographic curiosity into a viable tool for real-world secure multi-party computation (MPC) protocols.
The historical evolution of garbled circuits is marked by a continuous trade-off between security, efficiency, and functionality. Early schemes provided security against semi-honest (passive) adversaries. Later advancements, like the cut-and-choose technique, extended security to malicious (active) adversaries who may deviate from the protocol. Today, garbled circuits are a cornerstone of modern cryptographic libraries and are actively used in privacy-preserving applications such as private set intersection, genomic analysis, and secure auctions, fulfilling the vision first articulated by Yao decades earlier.
common-applications
GARBLED CIRCUITS
Common Applications and Use Cases
Garbled Circuits enable secure multi-party computation by allowing parties to jointly compute a function on their private inputs without revealing them. This foundational cryptographic primitive powers privacy-focused applications across blockchain and beyond.
01
Private Smart Contracts
Garbled Circuits enable the execution of confidential smart contracts where contract logic is processed without exposing the underlying data. This is critical for applications like private auctions, blind voting, or sealed-bid governance, where bid amounts or votes must remain hidden until computation is complete. Protocols can use this to compute outcomes based on secret inputs from multiple participants.
02
Secure Data Analysis
Organizations can perform collaborative data analysis on sensitive datasets without sharing the raw data. For example, two hospitals could compute aggregate statistics on patient records to research a disease, or financial institutions could jointly assess risk without exposing individual client portfolios. The circuit garbles the analysis function, allowing computation on encrypted inputs.
03
Privacy-Preserving Machine Learning
Garbled Circuits facilitate private inference and secure model training. A model owner can provide a garbled version of their trained model, allowing a client to submit an encrypted data sample (e.g., a medical image) and receive a prediction (e.g., a diagnosis) without the model owner learning the input or the client learning the model's weights. This framework is key to federated learning with strong privacy guarantees.
04
Cryptographic Voting Systems
Used to build end-to-end verifiable voting systems that maintain ballot secrecy. Each voter's selection is a private input to a garbled circuit that tallies the votes. The system outputs the final election result while providing a cryptographic proof of correct tabulation, allowing any observer to verify the outcome without learning how any individual voted.
05
Secure Function Evaluation (SFE)
This is the core cryptographic problem Garbled Circuits solve: Secure Function Evaluation. Two parties, Alice and Bob, with private inputs x and y, can compute any function f(x,y) while learning only the output and nothing else about each other's input. This general framework underpins all specific applications, from private set intersection to genomic testing.
06
Limitations & Practical Considerations
While powerful, Garbled Circuits have trade-offs:
- Computational Overhead: The process of garbling, transferring, and evaluating circuits is computationally intensive.
- Function Fixed at Setup: The circuit (function) must be defined and garbled before inputs are known; it cannot be dynamically altered.
- Communication Cost: The garbled circuit itself must be sent to the evaluator, which can be large for complex functions. These factors make them more suitable for functions with lower computational complexity.
PROTOCOL ARCHITECTURE
Comparison with Other MPC Techniques
A feature and performance comparison of Garbled Circuits against other major Multi-Party Computation (MPC) paradigms.
| Feature / Metric | Garbled Circuits (GC) | Secret Sharing (e.g., SPDZ, BGW) | Homomorphic Encryption (FHE/SHE) |
|---|---|---|---|
Cryptographic Primitive | Symmetric-Key (OT) | Information-Theoretic / Arithmetic | Public-Key (Lattice-based) |
Communication Complexity | High (circuit size) | Low (constant rounds) | Very High (ciphertext size) |
Computational Overhead | Moderate | Low | Extremely High |
Native Support for Arbitrary Functions | |||
Native Support for Non-Linear Operations (e.g., comparisons) | |||
Typical Latency Profile | High setup, fast online | Consistent, round-based | Extremely high, all offline |
Primary Use Case | Secure function evaluation for small, complex circuits | High-throughput, repetitive computations | Outsourced computation on encrypted data |
Active Security (Malicious Adversaries) |
security-considerations
GARBLED CIRCUITS
Security Considerations and Limitations
While a powerful tool for privacy-preserving computation, garbled circuits have inherent constraints and security assumptions that must be understood for practical application.
01
Computational vs. Information-Theoretic Security
Garbled circuits provide computational security, relying on cryptographic assumptions like the hardness of the Decisional Diffie-Hellman (DDH) problem. This means security is guaranteed only against computationally bounded adversaries, not against an adversary with unlimited time and resources (information-theoretic security).
02
Malicious vs. Semi-Honest Adversaries
The classic Yao's protocol is secure only against semi-honest (passive) adversaries who follow the protocol but try to learn extra information. Defending against malicious (active) adversaries, who can deviate arbitrarily, requires significant overhead through cut-and-choose techniques, which can increase computation and communication costs by 40-100x.
03
Function-Dependent Preprocessing
A core limitation is that the garbled circuit must be generated for a specific function f before the inputs are known. This makes it inefficient for scenarios requiring dynamic, data-dependent control flow, as the entire circuit logic must be predefined and garbled in advance.
04
Communication and Computation Overhead
The protocol is communication-intensive. For each AND gate in the boolean circuit:
- Transfers two ciphertexts (typically 256 bits total).
- Requires symmetric encryption operations. This makes complex computations with millions of gates impractical for high-latency networks.
05
No Adaptivity or Statefulness
Garbled circuits compute a single function on a fixed input. They cannot natively support:
- Adaptive chosen inputs (reusing the circuit with new inputs requires regenerating it).
- Stateful computations across multiple rounds without complex, inefficient extensions.
06
Trusted Setup and Input Consistency
Security assumes parties provide consistent inputs to the protocol. Without additional mechanisms, a malicious party can use different inputs in different sub-protocols (input consistency attack). Ensuring input validity often requires extra zero-knowledge proofs, adding complexity.
GARBLED CIRCUITS
Technical Details Deep Dive
Garbled Circuits are a foundational cryptographic protocol for secure two-party computation, enabling private function evaluation where neither party learns the other's input. This section explores its mechanics, applications in blockchain, and key security properties.
A Garbled Circuit (GC) is a cryptographic protocol that allows two mutually distrusting parties to jointly compute a function on their private inputs without revealing those inputs to each other. It works by one party, the garbler, encrypting a Boolean circuit representing the function. The garbler creates a garbled table for each logic gate, where each possible combination of encrypted input wires maps to an encrypted output wire label. The other party, the evaluator, then uses oblivious transfer to obtain the encrypted labels corresponding to their private inputs, evaluates the garbled circuit gate-by-gate, and finally shares the result with the garbler to decode the final output.
Key Steps:
- Circuit Creation: The function (e.g.,
f(a, b) = a > b) is represented as a Boolean circuit of logic gates (AND, XOR, NOT). - Garbling: The garbler encrypts this circuit, replacing concrete 0/1 wire values with random cryptographic labels.
- Oblivious Transfer: The evaluator obtains the labels for their inputs without the garbler learning which specific values they chose.
- Evaluation: The evaluator computes the garbled circuit using the provided tables and labels.
- Decoding: The garbler helps map the final output labels back to plaintext 0 or 1.
ecosystem-usage-protocols
PRIVACY AND SCALABILITY
Ecosystem Usage: Protocols and Projects
Garbled Circuits (GC) are a foundational cryptographic primitive enabling secure multi-party computation (MPC). In blockchain, they are primarily leveraged to build privacy-preserving applications and enhance scalability for complex smart contract logic.
01
Privacy-Preserving Smart Contracts
Garbled Circuits enable private smart contracts where inputs and state remain encrypted. This allows for confidential transactions and computations, such as:
- Private voting or auctions where bids are secret.
- Dark pools for decentralized finance (DeFi) that hide order sizes.
- Selective disclosure of credentials in identity systems. Protocols like zkHawk and research into ZEXE explore this paradigm, allowing contract logic to execute without revealing sensitive data to the network.
02
Layer-2 Scaling with zkRollups
While zk-SNARKs and zk-STARKs are more common, Garbled Circuits represent an alternative cryptographic backend for zero-knowledge proofs (ZKPs). They can be used in zkRollups to generate succinct proofs of valid state transitions off-chain. Their use is an active research area for proving the execution of complex, non-arithmetic operations (like comparisons or memory accesses) more efficiently within a ZKP framework, potentially reducing prover time for certain workloads.
03
Secure Multi-Party Computation (MPC) Wallets
GCs are a core protocol for threshold signatures and MPC-based wallets. Multiple parties can collaboratively compute a signature or authorize a transaction without any single party ever reconstructing the full private key.
- Applications: Corporate treasuries, decentralized custody solutions, and cross-chain bridges.
- Key Benefit: Eliminates single points of failure compared to traditional multi-sig, as the secret is never assembled in one place.
04
Private Information Retrieval (PIR)
Garbled Circuits enable Private Information Retrieval, allowing a user to query a database (e.g., a blockchain's state or an oracle) and receive a specific piece of data without the database learning what was queried. This is critical for:
- Confidential price feeds where a DeFi protocol needs an asset price without revealing its trading strategy.
- Private data marketplaces where users can purchase specific datasets without disclosing their interests.
05
Limitations and Practical Challenges
Despite their theoretical power, Garbled Circuits face adoption hurdles:
- High Overhead: They require a communication round for each AND gate in the computed circuit, making complex computations slow.
- Circuit Complexity: Program logic must be compiled into a boolean circuit, which is non-trivial for arbitrary code.
- Preprocessing: Many efficient GC protocols require a costly, circuit-specific setup phase. This makes them less flexible than some homomorphic encryption or ZK-SNARK schemes for general-purpose blockchain computation.
GARBLED CIRCUITS
Common Misconceptions
Garbled circuits are a foundational cryptographic technique for secure multi-party computation, but their role and capabilities are often misunderstood in the context of blockchain and zero-knowledge systems.
No, garbled circuits and Zero-Knowledge Proofs (ZKPs) are distinct cryptographic primitives with different goals. Garbled circuits are a protocol for secure two-party computation (2PC), allowing two parties to jointly compute a function on their private inputs without revealing them. The output is typically revealed to one or both parties. In contrast, a Zero-Knowledge Proof allows one party (the prover) to convince another (the verifier) that a statement is true without revealing any information beyond the truth of the statement itself. While both provide privacy, ZKPs are about proving knowledge or correctness, whereas garbled circuits are about computing a shared result.
GARBLED CIRCUITS
Frequently Asked Questions (FAQ)
Garbled circuits are a foundational cryptographic technique for secure multi-party computation, enabling private computation on encrypted data. These questions address their core concepts, applications, and role in blockchain technology.
A garbled circuit is a cryptographic protocol that allows two or more parties to jointly compute a function on their private inputs without revealing those inputs to each other. It works by one party (the garbler) encrypting or "garbling" a Boolean circuit representing the function, then sending it along with encrypted input labels to the other party (the evaluator). The evaluator uses a cryptographic technique called oblivious transfer to obtain the correct labels for their own private inputs, then evaluates the garbled circuit to produce an encrypted output, which can be decrypted by the garbler. This process ensures that neither party learns anything about the other's input beyond what the output reveals.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall