What Are Garbled Circuits And Why Are They Important?

COTI
9 min readSep 16, 2024

--

Garbled circuits offer a lightweight, secure, and fast means of carrying out confidential transactions of all kinds over a public blockchain — a prerequisite for large-scale business adoption of crypto technologies.

Privacy has always been important in the crypto world. Bitcoin arose from the cypherpunk movement, and its earliest advocates were libertarians who were concerned about the threat of financial and online surveillance.

However, in the fast-moving field of Web3, privacy solutions haven’t always kept pace with the wider advance of blockchain technology. The transparency of public blockchains has made it challenging to maintain robust privacy for anything but the simplest of token transfers. With the rise of decentralized finance (DeFi) and broader Web3 applications, a more comprehensive approach is needed that protects all kinds of transactions from the attention of malicious parties.

Today’s blockchain platforms are plagued with a series of problems that arise as an unintended consequence of their transparency, including MEV and spear-phishing. It’s vital that changes if blockchain is to fulfill its potential and become the infrastructure for tomorrow’s financial and online services.

The implementation of garbled circuits (GC) pioneered by Dr. Avishay Yanai and Dr. Meital Levy and the team at Soda Labs, in partnership with COTI, offer a powerful means of encrypting on-chain operations, ensuring they are concealed from unwanted onlookers while remaining fully auditable to approved parties. The speed and efficiency of GC over other privacy solutions makes large-scale decentralized confidential computing (DeCC) a reality for the first time, and opens the door to meaningful business adoption of blockchain technology.

Why Is Privacy Important?

Transparency is a core feature of public blockchains, and part of crypto’s unique value proposition. The transparency of the blockchain means that transactions can be monitored and audited by anyone, in real-time, providing a high degree of trust in comparison to opaque Web2 systems. For example, anyone can view the Bitcoin blockchain to check the number of bitcoins in existence.

However, this transparency comes with serious drawbacks. By default, transactions can be seen by everyone. In the DeFi space as it currently exists, this leads to a number of abuses. Because transactions are visible in the mempool (a temporary holding area where new transactions wait to be confirmed), other users can see them and potentially profit from them by ensuring their own transactions are executed first. Large trades may be front-run, or auctions exploited. This problem is known as maximal extractable value (MEV), and costs Ethereum users alone billions of dollars every year.

The blockchain’s transparency also means users can often be identified. This leads to spear-phishing attempts — targeted attacks on businesses and individuals — and even physical threats.

For business applications, confidentiality isn’t just desirable: it is a legal obligation. Data protection laws like GDPR require that organizations protect their users’ personal information. Even aside from this, it is unacceptable that financial and personal information could be publicly available. Not only does this raise the risk of fraud and theft, but it would put businesses at a competitive disadvantage if other organizations could see who they were transacting with.

Confidentiality is therefore a non-negotiable requirement for businesses. However, the combination of private transactions on a public blockchain offers many benefits.

From Privacy Coins To Confidential Computing

Many of Bitcoin’s earliest users were attracted by its perceived anonymity. In practice, the transparency of the blockchain means that it’s often possible to deduce information about the parties to a transaction. A number of privacy-centric coins arose to fill this niche.

The launch of Ethereum and other smart contract platforms introduced the idea of decentralized applications and the new realm of decentralized finance (DeFi). Now, it wasn’t just simple coin transfers that needed to be shielded from outside attention, but complex transactions of all kinds.

Ethereum mainnet, as well as other smart contract platforms and L2 solutions, are fully transparent and therefore vulnerable to MEV attacks and other exploits. Business adoption of crypto technologies is hamstrung by the lack of a confidential blockchain solution. For practical and regulatory reasons, this issue must be solved to unlock blockchain’s full potential. This is the purpose of the new field of Decentralized Confidential Computing (DeCC).

DeCC: The Story So Far

Several different technical approaches have been used to develop DeCC platforms, including:

  • Fully Homomorphic Encryption (FHE): is an instance of an asymmetric-key encryption scheme that produces a ciphertexts in a particular form that preserves their structure even after computation. The ciphertexts can only be viewed by approved users who hold the decryption keys.
  • Trusted Execution Environments (TEEs): a secure area within a hardware device, which is used to execute sensitive operations. This aims to ensure that private data and smart contracts are never exposed to external threats.
  • Zero-Knowledge (ZK) proofs: cryptographic protocols that allow a party to prove the validity of a statement to another party without revealing any underlying information, enhancing the privacy and security of transactions.

Each of these approaches has advantages and disadvantages. FHE, for example, is a flexible and powerful technology that ensures sensitive data remains encrypted, even when operations are being carried out on it. Unfortunately, though, while any solution that entails processing of encrypted data has significant overheads, FHE entails particularly large computational costs and storage requirements, throttling the capacity of on-chain FHE solutions. A recent technical overview estimated that “running FHE on CPU is at least a million times slower than the corresponding unencrypted program”. One solution to this is to employ hardware acceleration (effectively ASIC mining for FHE), but this simply pushes the computational costs one step further out, rather than eliminating them altogether.

The chief issue with TEEs is in the name: users have to trust that these secure enclaves within the chips really are isolated from the outside world. However, there are multiple potential single points of failure along the whole supply chain for the hardware and software for TEEs, and new exploits could be catastrophic for applications that use them. Unfortunately, history shows that TEEs have not always proven as secure as the manufacturers claimed.

ZK proofs are becoming more widely used in the blockchain world, including in several Ethereum scaling solutions. However, they are not suited for applications which involve processing data from several parties. Additionally, they are complicated to work with, and can be computationally expensive (though not to the same degree as FHE systems).

Garbled Circuits: A New Approach To Privacy

While all of these technologies have been implemented by different projects, there are other solutions that offer benefits over existing confidential computing platforms. Garbling-based protocols provide one of the most promising approaches to DeCC. These were first articulated in the 1980s, but recent advances mean it is now viable to implement them on the blockchain, opening up a new arena for confidential transactions.

Garbled Circuits (GC) are the main objects used in garbling-based protocols. In brief, GC are designed for secure multi-party computation (MPC): a means of enabling multiple parties to jointly compute a function using their inputs, while keeping those inputs private from each other at every stage of the operation.

The classic example of garbled circuits is the Millionaire’s Problem, first articulated by Andrew Yao in 1982. In this problem, two people want to determine who is wealthier, but without either of them actually giving away how much money they have. Yao later developed the concept of garbled circuits to solve this problem, and his research laid the foundations for further developments in MPC.

How Do Garbled Circuits Work?

In a blog post four years ago, Ethereum co-founder Vitalik Buterin gave a technical overview of how garbled circuits work. In simplified terms:

  • Any mathematical function (with a few caveats) can be represented as a series of logic gates — AND, OR, NOT, XOR, etc
  • This function or logic “circuit” is encrypted, or “garbled”, so that the different steps that take place inside it cannot be understood from the outside
  • Each gate now takes one or more encrypted inputs, and gives an encrypted output
  • One or more users provide initial encrypted inputs
  • The circuit is executed, with each gate giving an encrypted output that forms one of the encrypted inputs to subsequent gates, until the process reaches the end
  • The circuit gives a final encrypted output — a solution to the function — which can only be decrypted by parties who have the appropriate key
  • Because the initial inputs, the final output, and every stage in between are encrypted, no information is leaked to the outside world at any point in the circuit’s execution

Let’s take a very simple real-world example that provides an analogy for how a garbled circuit works.

  • Alice and Bob want to know which of them is older, but neither want to reveal their age.
  • In secret, they each take a number of identical marbles, matching their age, and place them in a bag.
  • Next, they each put their bag of marbles on either side of a set of old-fashioned kitchen scales.
  • If Alice’s side is heavier, she is older. If Bob’s side is heavier, he is older. If the scales balance, they are the same age.
  • Alice and Bob have determined who is older, without revealing to the other how old they actually are.

In this example, the marbles (inputs) are placed in a bag (“encrypted” or “garbled”) to hide them from the other participant and from outside observers. The circuit (scales) is capable of operating with these garbled inputs, and provides a single output (one or other side is heavier).

Of course, on the blockchain, the inputs and the function computed by garbled circuits can be much more complex — making them suitable for a wide range of decentralized applications.

What Garbled Circuits Bring To The Table

Compared to other approaches to confidential blockchain solutions, garbled circuits have a number of advantages:

  • Lightweight. GC are computationally inexpensive, meaning they can be executed by any computer and do not require specialist hardware.
  • Speed. They are also extremely fast, especially compared to other solutions such as FHE — avoiding any unnecessary delays to transaction confirmations.
  • Secure. All sensitive information remains encrypted at every stage of the process, offering robust privacy from start to finish.
  • Flexibility. GC can be used to jointly compute functions with inputs from several participants.
  • EVM-compatible. COTI’s implementation of GC allows developers to port their smart contracts from Ethereum to COTI without modification, and add privacy features to their contracts with minimal effort.
  • On-chain. Their lightweight nature means garbled circuits can be executed on-chain, so no trust in third parties is required and nothing is left to chance.

Use Cases For GC

All of this means that garbled circuits are ideal for applications where confidentiality, speed, and efficiency are a priority. Just some of the use cases include:

  • DeFi, such as decentralized exchanges that are resistant to front-running.
  • Confidential token transfers. An observer could tell that a given address had interacted with a token contract, but could not tell how many tokens had been moved, to which address they had been sent, or potentially even which token was involved.
  • Decentralized stablecoins that can be minted without revealing the identity of the issuer, and where liquidation of collateral is not susceptible to MEV attacks.
  • Real-world assets (RWA) that preserve the privacy of owners and issuers, maintaining compliance in this key bridge between the TradFi and DeFi economies.
  • On-chain AI and machine-learning applications.

Why Do We Need Garbled Circuits?

Garbled circuits offer an effective solution to the shortcomings of existing Decentralized Confidential Computing platforms. No other technology is yet ready for the demands of large-scale DeCC.

COTI’s on-chain implementation of garbled circuits is dramatically more efficient than other DeCC solutions. Garbled circuits offer computation speeds that are over 1,000 times faster than FHE, with just 0.4% of the on-chain storage requirements. Latency — the time it takes for transactions to be communicated to the network — can be more than 100 times faster than for comparable approaches. No trusted hardware is required, either for secure processing (TEEs) or speeding up complex operations (hardware acceleration for FHE), though if desired it can be added as an extra layer of security. Additionally, GC are ideally suited to computation on shared state, giving them a critical advantage over ZK systems.

By protecting users from the unwanted implications of blockchain transparency while retaining the benefits of decentralized platforms, effective DeCC prepares the crypto sector for wider business adoption — potentially opening the door to trillions of dollars of new capital.

To find out more about garbled circuits you can discuss the latest developments in our dedicated gcEVM Vanguards Telegram group.

by guest writer, Guy B.

For all of our updates and to join the conversation, be sure to check out our channels:

Website: https://coti.io/

X: https://twitter.com/COTInetwork

YouTube: https://www.youtube.com/channel/UCl-2YzhaPnouvBtotKuM4DA

Telegram: https://t.me/COTInetwork

Discord: https://discord.gg/9tq6CP6XrT

GitHub: https://github.com/coti-io

--

--

COTI
COTI

Written by COTI

COTI is the fastest and lightest confidentiality layer in Web3

No responses yet