Rate-1 Arithmetic Garbling From

Homomorphic Secret Sharing

Pierre Meyer1 , Claudio Orlandi1 , Lawrence Roy1 , and Peter Scholl1

Aarhus University, Aarhus, Denmark
{pierre.meyer,orlandi,peter.scholl}@cs.au.dk, [email protected]

Abstract. We present a new approach to garbling arithmetic circuits using techniques from
homomorphic secret sharing, obtaining constructions with high rate that support free addition
gates. In particular, we build upon non-interactive protocols for computing distributed discrete
logarithms in groups with an easy discrete-log subgroup, further demonstrating the versatility
of tools from homomorphic secret sharing. Relying on distributed discrete log for the Damgård-
Jurik cryptosystem (Roy and Singh, Crypto ‘21 ), whose security follows from the decisional
composite residuosity assumption (DCR), we get the following main results:

– Two ciphertexts per multiplication, from IND-CPA security of Damgård-Jurik.

Assuming the Damgård-Jurik cryptosystem is semantically secure (which follows from
DCR), there is a garbling scheme for circuits with B-bounded integer arithmetic using
only two ciphertexts per multiplication. The total bit-size of the resulting garbled circuit
is:
(n + 2s× + 2D× ) · (ζ + 1) · log N
where n is the number of inputs, s× is the number of multiplications, D× is the multi-
plicative depth of the circuit, N is an RSA modulus and N ζ−1 is a rough bound on the
magnitude of wire values in the computation.
– One ciphertext per multiplication, from KDM security of Damgård-Jurik. As-
suming the Damgård-Jurik encryption scheme remains secure given encryption of the key
and its inverse, the construction achieves rate-1. The total bit-size of the resulting garbled
circuit is:
(n + s× + 1) · (ζ + 1) · log N
where the parameters are as above, except N ζ−2 is the magnitude bound.
As a side result, we show that our scheme based on IND-CPA security achieves rate 3/5 for
levelled circuits.
 Table of Contents

1 Introduction 2
1.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Our Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Technical Overview 5
2.1 Arithmetic garbled circuits through the lense of homomorphic secret sharing . . 5
2.2 Achieving rate-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Concrete instantiation using the Damgård-Jurik encryption scheme [DJ01] . . . 7
2.4 Removing the circular-security assumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3 Preliminaries 9
3.1 Arithmetic Garbled Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.1 Arithmetic circuits with bounded integer computation. . . . . . . . . . . . . . . . . 9
3.1.2 Arithmetic Garbling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Damgård-Jurik Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 IND-KDM Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.4 Distributed Discrete Logarithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4 Arithmetic Garbled Circuits 13

4.1 From KDM security of Damgård-Jurik . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2 From CPA security of Damgård-Jurik . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.2.1 Techniques to remove circular security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.2.2 Formal construction, theorem statement, and proof. . . . . . . . . . . . . . . . . . . 20
4.3 Optimised left-right wire assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.3.1 Reducing left-right assignments to vertex cover. . . . . . . . . . . . . . . . . . . . . . . 24
4.3.2 A constructive upper bound for levelled circuits. . . . . . . . . . . . . . . . . . . . . . 25

1 Introduction

Garbled circuits are a tool commonly used in protocols for secure two-party computation and
other cryptographic applications. Starting with the work of Yao [Yao82], most constructions
of garbled circuits are in the setting of Boolean circuits: they transform a description of a
circuit C : {0, 1}n → {0, 1} into a garbled circuit C, b together with some input encoding
n
information L = {Li,0 , Li,1 }i=1 . For an input x, an evaluator can use the garbled circuit
together with the subset of encoded inputs Lx := {Li,xi }i to learn C(x), but nothing else
about the circuit or the input (besides some structure of C). Yao’s construction, and most
subsequent works, incur a multiplicative overhead O(λ) in the security parameter λ, meaning
that the size of Cb is O(λ) times larger than the number of gates in the original circuit C.
To garble a function containing arithmetic operations such as integer addition and mul-
tiplication, traditionally one would have to first express these operations as Boolean circuits
and then garble the resulting circuit. Known circuits for ℓ-bit integer multiplication have size
O(ℓ log ℓ), and more commonly O(ℓ2 ), which adds a large overhead to the size of the garbled
circuit for these types of operations. This changed with the work of Applebaum, Ishai and
Kushilevitz [AIK11], who gave the first direct methods for garbling arithmetic computations.
They presented constructions in the model of arithmetic circuits for bounded integer com-
putation, where there exists a (possibly exponential) bound B ∈ N such that for any set of
admissible inputs, no wire value in the computation exceeds B in absolute value.
 Their main construction builds upon information-theoretic techniques for garbling low-
depth arithmetic circuits, and combines this with the learning with errors assumption to
support arbitrary polynomial-size circuits. They give an alternative construction (with larger
overhead) based solely on one-way functions, which combines classical Boolean garbled cir-
cuits with the Chinese remainder theorem.

Rate of Arithmetic Garbling. An important efficiency metric of a garbling scheme is the rate,
which measures its bandwidth efficiency. In the model of B-bounded integer computation,
where the bit-length of wire values is ℓ = log(2B + 1), for a circuit with n inputs and |C|
gates and garbled circuit of size size(C)
b bits, the rate is roughly captured by the quantity

(|C| + n)ℓ
rate =
size(C)
b + size(L)

We focus on measuring the rate as the circuit size tends towards infinity faster than the
number of inputs, with worst-case circuits consisting of e.g. predominantly multiplication
gates. We are also interested in the asymptotic behaviour of the rate as ℓ tends to ∞.
Using Yao’s scheme, one can build an arithmetic garbling scheme with rate O(1/(λ log ℓ))
via asymptotically efficient (yet impractical) multiplication algorithms, or O(1/(λℓ)) with
schoolbook multiplication, relying only on the existence of one-way functions. The LWE-based
construction of [AIK11] achieves constant rate for constant-degree polynomials, while for
general circuits obtains rate O(1/λLWE ), where λLWE is the underlying LWE dimension. In very
recent work, Heath [Hea24] gave the first construction of arithmetic garbling with rate O(1/λ)
that solely relies on “Minicrypt”-style assumptions, in this case a circular correlation-robust
hash. Another recent work of Li and Liu [LL24] obtains rate O(1/(λℓ0.5 )) in the random oracle
model, as well as a construction with rate O(log ℓ/(λℓ)) that supports free addition, matching
the asymptotic efficiency of a construction from [BMR16], whilst additionally supporting
improved bit decomposition gates.
The first constant-rate arithmetic garbling scheme for bounded integer computations was
constructed by Ball, Li, Lin and Liu [BLLL23], under the decisional composite residuosity
(DCR) assumption. Their construction uses the Damgård-Jurik [DJ01] extension of Paillier
encryption [Pai99] to construct a more efficient key extension gadget than the LWE-based
one of [AIK11], such that each garbled addition or multiplication gate requires only a con-
stant number of Damgård-Jurik ciphertexts. When the integer bit-length is sufficiently large,
Damgård-Jurik ciphertexts have rate 1 − ε, which leads to a constant-rate garbling scheme.

1.1 Related Work

Goldwasser et al. [GKP+ 13] constructed reusable garbled circuits based on the subexponen-
tial learning with errors assumption, which was later improved to be compact by Boneh et
al. [BGG+ 14]. Compactness means that the size of the garbled circuit only scales polynomially
with the depth of the circuit and not its size (assuming the cleartext circuit is known to the
evaluator). This leads to a garbling scheme for Boolean or arithmetic circuits with rate better
than 1. However, as observed in [BLLL23], the dependence on the circuit depth and security
parameter are both very large (n6 ) and the construction relies on heavy machinery including
fully homomorphic encryption and attributed-based encryption, using subexponentially hard
LWE.
The work of [BLLL23] additionally includes constructions of arithmetic garbling for mod-
ulo p computations, instead of bounded integers. They present constructions based on LWE
and DCR, however, both with a low rate in Õ(1/λ). Li and Liu [LL24] also presented con-
structions based on LWE and DCR, and in particular showed how to obtain free addition

3
under DCR, albeit with worse communication for multiplication gates than [BLLL23]. Both
of these works also present constructions that support bit-decomposition gadgets for mixing
Boolean and arithmetic computations in the same circuit.
Using bilinear maps, [FMS19] gave a construction of arithmetic garbling for inner products
with constant rate. Their construction can be bootstrapped to polynomial-sized circuits using
the CRT-based compiler of [AIK11], however, this results in a poor rate.
Recently, Hazay and Yang [HY24] investigated the feasibility of maliciously secure gar-
bling, building on the semi-honest construction of [BLLL23].

1.2 Our Contributions

We introduce a new approach to garbling arithmetic circuits using techniques from homo-
morphic secret sharing [BGI16, OSY21, RS21]. Unlike prior constructions [AIK11, BLLL23],
which rely on the linearly homomorphic properties of Damgård-Jurik or LWE encryption,
we additionally exploit methods for computing distributed discrete logarithms in groups with
an easy discrete-log subgroup. Through this, we depart from the approach of combining an
information-theoretic randomized encoding with a key-extension gadget [AIK11, BLLL23],
instead giving direct constructions of arithmetic garbling with high rate.
We present two main constructions with security based on the Damgård-Jurik encryption
scheme: (1) a construction with rate 1, based on the key-dependent message (KDM) security
of Damgård-Jurik, and (2) a construction with rate 1/2, based on the decisional composite
residuosity assumption (i.e. the IND-CPA security of Damgård-Jurik). The former result is
the first rate-1 construction of arithmetic garbled circuits that does not rely on heavy tools
such as attribute-based encryption. Both constructions also enjoy free addition gates.
The asymptotic efficiency of our constructions is compared with prior works in Table 1.
We also give concrete examples for ℓ ≈ log N bits, where N is the RSA modulus, The concrete
values for the rate of the [BLLL23] constructions come from [BLLL23, Table 3], which uses
an integer bound of B ≈ 4000 bits and a 4096-bit Paillier modulus N . Notice that our two
constructions achieve concrete rates of 1/4 and 1/6 using the same parameters. As ℓ grows
larger, the rate of our schemes quickly approaches 1 and 1/2, for instance when ℓ ≈ 12000
and log N ≈ 2000, we obtain respective rates 1/2 and 3/10. Meanwhile, the constructions
from [BLLL23] have rate 1/12 at best.

Construction Security Rate Free addition

[AIK11] LWE Θ(1/λLWE ) ✗
Yao+ [HVDH21] OWF Θ(1/λ log ℓ) ✗
[BMR16, LL24] RO Θ(log ℓ/λℓ) ✓
[Hea24] CCR hash Θ(1/λ) ✗
[BLLL23] DCR Θ(1/c)
✗
(e.g. ℓ ≈ log N ) 1/36
[BLLL23] strong DCR Θ(1/c)
✗
(e.g. ℓ ≈ log N ) 1/24
Section 4.1 DCR + KDM 1−ε
✓
(e.g. ℓ ≈ log N ) 1/4
Section 4.2 DCR 1/2 − ε
✓
(e.g. ℓ ≈ log N ) 1/6

Table 1: Summary of bounded integer arithmetic garbling schemes for ℓ-bit integers. N is an
RSA modulus, c > 1 is a constant, ε is a constant approaching zero as ℓ → ∞. “Strong DCR”
is a variant of DCR combined with a DDH-like assumption with small exponent

4
2 Technical Overview

Given x ∈ Z, we call “subtractive shares of x”, denoted ⟨x⟩1 and ⟨x⟩0 , values which satisfy
⟨x⟩1 − ⟨x⟩0 = x. We further use ⟨x⟩ to mean “either ⟨x⟩1 or ⟨x⟩0 , as clear from context”.
In particular, if the evaluator and the garbler hold ⟨x⟩1 and ⟨x⟩0 respectively, then having
parties compute f (⟨x⟩) means having them compute f (⟨x⟩1 ) and f (⟨x⟩0 ) respectively.

In Section 2.1, we present a simple, warm-up construction that shows how to build high-
rate arithmetic garbled circuits using efficient distributed discrete logarithm (DDLog) al-
gorithms. In Section 2.2, we describe an optimised scheme, which achieves rate-(1 − ε) if
the DDLog’s underlying encryption scheme is secure against key-dependent messages (KDM-
secure). In Section 2.3, we instantiate this optimised construction using the Damgård-Jurik
cryptosystem (and associated DDLog). In Section 2.4, we provide a rate- 1−ε
2 garbling scheme,
relying only on semantic security (and not KDM-security) of Damgård-Jurik.

2.1 Arithmetic garbled circuits through the lense of homomorphic secret

sharing

We build arithmetic garbled circuits following the definitional template introduced by Ap-
plebaum, Ishai, and Kushilevitz [AIK11]. The garbler (who knows the circuit but not its
inputs) generates a global key k and a wire-dependent key Kx for each wire x. Each wire x
is then associated with the label Lx = k · x + Kx . Note that this can also be interpreted as a
secret-sharing ⟨k ·x⟩ where ⟨k ·x⟩1 = Lx is known to the evaluator and ⟨k ·x⟩0 = Kx is known
to the garbler. We will exploit this duality to use techniques originating in the homomorphic
secret-sharing (HSS) domain to construct our garbling schemes.
Jumping ahead, the evaluator must be able to retrieve the values corresponding to the
labels of the output wires. To allow this, we let the garbler sample k as a vector whose first
coordinate is 1: it now follows that for each wire x, Lx .fst = x + Kx .fst. For each output
value z, including Kz .fst in the garbled circuit therefore allows the evaluator to retrieve z
from Lz . As it turns out, defining k like this also helps us with the gate-by-gate evaluation.
The wire-dependent key Kx is instead generated uniformly at random for each input x,
and then the garbler proceeds to define the other keys in a gate-by-gate fashion. Considering
the “HSS viewpoint”, our task can then be viewed as having garbler and evaluator non-
interactively convert subtractive shares ⟨k · x⟩ and ⟨k · y⟩ into subtractive shares ⟨k · g(x, y)⟩
for any given gate g ∈ {+, −, ×}.
If g is an addition gate with output z = x + y, the garbler can simply define their share
Kz as Kz := Kx +Ky . This allows the evaluator to compute their share Lz = Lx +Ly , which
equals k · (x + y) + (Kx + Ky ). From the HSS viewpoint, this works since ⟨x + y⟩ = ⟨x⟩ + ⟨y⟩.

If g is a multiplication gate with output z = x · y, we will exploit the following identity:

k · z = kx · y = (kx + Kx ) · (y + Ky .fst) − kx · (Ky .fst) − y · Kx − Kx · (Ky .fst)

= Lx · (Ly .fst) − kx · (Ky .fst) − y · Kx − Kx · (Ky .fst) (1)

The terms Lx ·(Ly .fst) and Kx ·(Ky .fst) can be computed locally by the evaluator and garbler
respectively, but neither can compute kx · (Ky .fst) or y · Kx . We therefore let the garbler
provide appropriate encodings of (Ky .fst) and Kx as part of the garbled circuit, so that the
evaluator can compute shares of these terms, by solving the distributed discrete logarithm
problem (DDLog).

5
Share conversion from distributed discrete logarithm. Without going into details, for
now we assume the existence of a deterministic algorithm DDLog, that both the garbler and
the evaluator can locally execute, satisfying the following property (for some appropriately
chosen encryption scheme):

Let c = Encpk (A) be an encryption of A with decryption key sk, and ⟨sk · B⟩ a sharing
(over Z) of sk · B, then DDLog(c⟨sk·B⟩ ) = ⟨sk · AB⟩ is a subtractive share (over Z) of
sk · AB.
In particular, if c is an encryption of sk−1 (with the inverse taken with respect to the
plaintext modulus) then it holds that DDLog(c⟨sk·B⟩ ) = ⟨B⟩.

(The reader already familiar with homomorphic secret sharing literature may pause here, as
it is more usual for DDLog(Encpk (A)⟨sk·B⟩ ) to be a share of AB, not sk · AB.)

Garbling a multiplication gate. We first specify how k is defined: the garbler samples
a keypair (sk, pk) associated with a DDLog-compatible encryption scheme, then sets k ←
(1, sk). To garble a multiplication gate with input wire keys Kx , Ky , the garbler computes
the following ciphertexts and adds them to the garbled circuit1 :

c ← Encpk (sk−1 ), cy ← Encpk (Ky .fst), and cx ← Encpk (Kx ) .

$ $ $

Using this, the garbler and evaluator can do the following:

1. With their shares ⟨sk · x⟩ (namely, Kx .snd and Lx .snd) and ciphertext cy encrypting
Ky .fst, run DDLog to obtain shares ⟨sk · x · Ky .fst⟩.
2. Using shares ⟨sk · x · Ky .fst⟩ and c encrypting sk−1 , run DDLog to get shares ⟨x · Ky .fst⟩.
3. Concatenate the resulting shares ⟨x · Ky .fst⟩ and ⟨sk · x · Ky .fst⟩, to get ⟨kx · Ky .fst⟩.

Similarly, they can:

4. Use their shares ⟨sk · y⟩ (namely, Ky .snd and Ly .snd) and the encryption cx of Kx , and
run DDLog to compute shares ⟨sk · y · Kx ⟩.
5. Use shares ⟨sk · y · Kx ⟩ and the encryption of sk−1 , the parties compute shares ⟨y · Kx ⟩.
If the garbler and the evaluator define Kz and Lz respectively by offsetting Kx · (Ky .fst)
and Lx · (Ly .fst) by their shares of kx · Ky .fst (step 3) and y · Kx (step 5), then, by Eq. (1),
the invariant “Lz = k · z + Kz ” is maintained.

Summarising, the garbled circuit contains one globally reusable ciphertext (c, the encryp-
tion of sk−1 ), one ciphertext cx per left input-wire to a multiplication, one ciphertext cy per
right input-wire to a multiplication, and one mask Kz .fst per output. Overall, provided the
encryption scheme has rate-1, the garbling scheme has rate close to 1/2 (provided the secret
key is small enough compared to the ring over which the circuit’s arithmetic is performed2 )
and achieves free addition.

2.2 Achieving rate-1

We now show how the above (sketch of a) construction can be adapted to achieve rate-1, while
preserving free addition. There are two key ideas. The first is an alternative identity to Eq. (1)
which breaks the asymmetry between the left and right wires of multiplication gates, which
means all ciphertexts are of the same form. The second is exploiting linear homomorphism
1
Note that the first two ciphertexts encrypt scalars, while the last encrypts a tuple.
2
We need authenticated shares of wire values (i.e. ⟨sk · w⟩) to fit in the plaintext space.

6
of the underlying encryption scheme in order to halve the number of ciphertexts: In the
previous construction, the garbled circuit includes one ciphertext for each input wire to a
multiplication gate. In the following, the garbled circuit only contains one ciphertext for each
multiplication gate (which this time depends on the output wire of the gate), as well as one
ciphertext per input wire.
In the rate-1 construction, k ← sk, Lx and Kx (for each wire x) are now scalars satisfying
k · x = Lx − Kx . We handle addition gates exactly as before. To understand how we support
multiplications, consider Eq. (2):

sk2 · z = sk · x · sk · y = (sk · x + Kx ) · (sk · y + Ky ) − sk · x · Ky − sk · y · Kx − Kx · Ky

= Lx · Ly − sk · x · Ky − sk · y · Kx − Kx · Ky (2)

Including encryptions of Kx and Ky in the garbled circuit allows the garbler and evaluator
to use DDLog to compute shares ⟨sk · x · Ky ⟩ and ⟨sk · y · Kx ⟩ since they hold shares ⟨sk · x⟩
(namely, Lx and Kx ) and ⟨sk · y⟩ (namely, Ly and Ky ). In turn, using Eq. (2), the garbler and
the evaluator can compute shares ⟨sk2 · z⟩ (recall that the garbler can compute Kx · Ky and
the evaluator can compute Lx · Ly ). Finally, including an encryption of sk−1 in the garbled
circuit allows the parties to use their shares ⟨sk2 · z⟩ and DDLog to compute shares ⟨sk · z⟩:
these shares define Kz and Lz . Furthermore, if z is an output gate, the parties can use DDLog
once more, again with the encryption of sk−1 , to compute shares ⟨z⟩; as before, if the gar-
bler publishes its share of z then the evaluator can reconstruct the value of z from the label Lz .

One question remains: how do we obtain the encryptions of Kx and Ky for each mul-
tiplication gate z = x × y, without publishing two ciphertexts per gate? By definition,
Kx+y := Kx + Ky , and therefore if the encryption scheme supports linear homomorphism,
the parties can use encryptions of Kx and Ky to generate an encryption of Kx+y . So, it is
enough for the garbler to send an encryption of Kw for each w which is either an input to the
circuit or the output of a multiplication gate: the parties can then proceed in a gate-by-gate
fashion to reconstruct all the necessary ciphertexts.

2.3 Concrete instantiation using the Damgård-Jurik encryption scheme [DJ01]

Recall that, in the Damgård-Jurik cryptosystem [DJ01], the public key is an RSA modulus
N = p · q (where p and q are large primes) while the secret key is its Euler totient sk =
(p − 1) · (q − 1). The scheme is parameterised by an integer ζ ≥ 2: the plaintext space
is Z/N ζ Z, while the ciphertext space is Z/N ζ+1 Z. The encryption scheme therefore has
rate 1/(1 + 1/ζ) . The scheme is also linearly homomorphic, and Roy and Singh [RS21]
showed there exists a DDLog algorithm satifying the requirements from Section 2.1)3 , so it
can be used to instantiate the arithmetic garbled circuit described in Section 2.2. Because
we need to fit (shares of) sk · w in the plaintext space (of size N ζ ) for each wire w (and sk =
(p − 1) · (q − 1) ≤ p · q = N ), we can set parameters so the arithmetic is performed over a ring
of size N ζ−1 . However, we cannot use this entire plaintext space, due at a failure probability
in DDLog when the underlying plaintexts are too large. This means we get a garbling scheme
for B-bounded integer computation, where B ≈ N ζ−1 /2κ and κ is a statistical correctness
parameter (ensuring correctness with probability 1 − 2−κ per gate). Overall, the garbling
scheme of Section 2.2 has rate (ζ − 1)/(ζ + 1). We can therefore achieve rate-(1 − ε) for an
arbitrarily small constant ε.
Figure 1 summarises how the garbler and the evaluator perform multiplications in the
rate-1 garbling scheme of Section 2.2 as instantiated with Damgård-Jurik (which we assume
3
That is, if c is an encryption of y under public key N , and ⟨sk · x⟩ is a share of sk · x, then DDLog(c⟨sk·x⟩ )
is a share of sk · xy.

7
to be KDM-secure) and Roy-Singh’s DDLog. For clarity, the figure shows the roles of the two
parties as symmetric, but recall that we are instantiating a garbling scheme, where the garbler
can perform all of their garbling operations first, send the garbled circuit to the evaluator,
who then evaluates the gates.

Key/Label for x Key/Label for y

Garbled Table Garbled Table
⟨sk · x⟩ × ⟨sk · y⟩

EncN (Ky ) DDLog DDLog EncN (Kx )

⟨sk · x · Ky ⟩ Equation (2) ⟨sk · y · Kx ⟩

⟨sk2 z⟩

EncN (sk−1 ) DDLog

DDLog ⟨sk · z⟩

Key/Label for z
⟨z⟩

If z is an
output

Fig. 1: Operations performed by the garbler (resp. evaluator) to convert their keys (resp. la-
bels) for wires x and y into a key (resp. label) for wires z = x · y. This requires KDM-security
of Damgård-Jurik encryption; (sk, N ) is the secret/public key pair.

2.4 Removing the circular-security assumption

The security of the scheme in Section 2.3 relies on assuming security of the underlying en-
cryption scheme against key-dependent message attacks (KDM-security). Most visibly, this
is because the garbled circuit contains an encryption of the inverse of the secret key, but
also because the evaluator receives encryptions of shares of the form Encpk (Kx = ⟨sk · x⟩0 )
as well as receiving their share Lx = ⟨sk · x⟩1 of this value. The evaluator may know x, and
x would allow computing Encpk (sk) from Encpk (Kx ) because (Lx − Kx )/x = sk and Enc is
additively homomorphic. Our scheme can be adapted to instead rely on semantic security
(provably implied by the decisional composite residuosity assumption, DCR), but at the cost
of reducing the rate to 1/2 − ε.

Removing the need for EncN (sk−1 ). Without circular security, we can no longer use an
encryption of sk−1 to convert authenticated wire shares ⟨sk·w⟩ into plain shares ⟨w⟩ (which are
required for output wires). Instead, following [RS21], we will use an alternative decryption
key for Damgård-Jurik, which allows directly obtain shares ⟨w⟩ from DDLog without an
encryption of sk−1 :
Let d ← sk · (sk−1 mod N ζ ) and c be a Damgård-Jurik encryption of y under public
key N , then DDLog(c⟨d·x⟩ ) = ⟨x · y⟩ is a share of x · y.
Next, to use this in garbling, we will use a third multiplication identity:4
z = x · y = ⟨x⟩1 · ⟨y⟩1 − x · ⟨y⟩0 − y · ⟨x⟩0 − ⟨x⟩0 · ⟨y⟩0 (3)
4
Recall, we use subtractive share notation, where ⟨x⟩ means that x = ⟨x⟩1 − ⟨x⟩0 .

8
 Assuming the parties’ shares can be derived from their key or label for x, the parties
can locally compute the respective values ⟨x⟩0 · ⟨y⟩0 and ⟨x⟩1 · ⟨y⟩1 . To obtain the missing
cross-terms, the garbler can provide EncN (⟨w⟩0 ) for each wire w (or rather, exploiting linear
homomorphism as in Section 2.2, one ciphertext for each input or output of a multiplication
gate is enough), allowing use of DDLog to obtain shares of the necessary products.
The problem, however, is that we still need to get shares of d · w for each wire w. Trying
to generate these shares in the same way as before runs again into a circularity issue, as an
identity of the form

d · z = ⟨d · x⟩1 · ⟨y⟩1 − dx · ⟨y⟩0 − y · ⟨d · x⟩0 − ⟨d · x⟩0 · ⟨y⟩0

requires the garbler to provide an encryption of ⟨d · x⟩0 . To bypass this problem, we instead
generate a sequence of keypairs, one per multiplicative level of the circuit, and exploit the
idea of key-switching.

Key-switching. Let D be the multiplicative depth of the circuit. For each i ∈ [0, D], we
have the garbler generate a keypair (Ni , ski ) (and set di accordingly). The idea behind key-
switching is to allow the parties to convert shares of di ·w into shares of di+1 ·w (and recursively
into shares of any shares of dj · w for j > i). This can simply be done by having the garbler
provide an encryption of di+1 under keypair (Ni , ski ). Then, the parties can compute shares:
⟨di ·w⟩ $
⟨di+1 · w⟩ ← DDLog(ci ), where c ← EncNi (di+1 ) .

Thanks to this trick, it is now possible to build an arithmetic garbling scheme without
resorting to KDM-style assumptions, at the price of achieving a lower rate 21 − ε. Getting to
the final construction requires taking care of more technical issues, which we explain in detail
in Section 4.2.

3 Preliminaries

3.1 Arithmetic Garbled Circuits

3.1.1 Arithmetic circuits with bounded integer computation. We use a model of
arithmetic circuits consisting of addition, subtraction and (fan-in two) multiplication gates,
all computed over Z. We work in the bounded integer computation model, where there exists
a bound B = B(λ) ∈ N that bounds the magnitude of circuit wire values. For a circuit C
with n input wires, we say that an input vector x ∈ Zn is admissible with respect to bound B
if the inputs, outputs and every intermediate wire value obtained during the evaluation of C
are in the range [−B, B].

3.1.2 Arithmetic Garbling. We define arithmetic garbled circuits, adapting the defini-
tion of [BLLL23].

Definition 1 ((B-bounded) Arithmetic Garbled Circuit). A garbling scheme for a

family of circuits classes C = {Cλ }λ∈N⋆ for B-bounded integer computation with label space
L = L(λ) is a pair of p.p.t. algorithms AGC = (AGC.Garble, AGC.Eval) with the following
syntax and properties:
– Garble(1λ , C) : On input a security parameter 1λ and a circuit C ∈ Cλ with n inputs,
Garble outputs n key pairs (k0i , k1i )i∈[n] ∈ L and a garbled circuit C.
b
b : On input n input labels (Li )i∈[n] ∈ Ln , and a garbled circuit C,
– Eval((Li )i∈[n] , C) b Eval
outputs a value y ∈ [0, B].

9
 – Correctness. A garbling scheme is correct if there exists a negligible function negl such
that for all λ ∈ N, every circuit C ∈ Cλ with n inputs, and every x1 , . . . , xn ∈ X n where
X is the set of admissible inputs of C induced by bound B, the following holds:
 $

((k0i , k1i )i∈[n] , C)
b ← Garble(1λ , C)
Pr Eval((Li )i∈[n] , C) =Z C(x1 , . . . , xn ) :
b ≤ negl(λ) .
Li ← k0i · xi + k1i
– Privacy. A garbling scheme is secure if there exist a p.p.t. simulator S such that for all
sequence of circuits {Cλ }λ∈N , where Cλ ∈ Cλ with n = n(λ) inputs, and every admissible
(with respect to B and Cλ ) sequence of inputs {(x1,λ , . . . , xn,λ )}λ∈N , the following holds:
 $

n o c  ((k0i , k1i )i∈[n] , C
bλ ) ← Garble(1λ , Cλ ) 
S(1λ , Cλ , y) : y ← Cλ (x) ≈ ((Li )i∈[n] , C
bλ ) : Li ← k0i · xi + k1i .
y ← Cλ (x)
 

To measure the efficiency of an arithmetic garbled circuit, we define its rate as follows.
Definition 2 (Rate of Arithmetic Garbled Circuit). Let C be a class of arithmetic
circuits, let AGC be an arithmetic garbling scheme for C with B-bounded computation, and
let ℓ = log(2B + 1). The rate of AGC for C is the quantity:

(|C| + n)ℓ
rate = lim inf min ,
i i
x
P
i size(k0 · xi + k1 )
C∈C size(C)
b +
where the minimum is taken over all admissible inputs to the circuit C, and the limit infimum
is taken over all circuits in C (in the sense of the limit of a net, as we require C to form a
directed set when ordered by inclusion).
We are most interested in the case where the circuit is dominated by gates.5 That is, we
will typically be interested in classes of circuits Cf that contain only circuits where n ≤ f (|C|)
for a sublinear function f . Note that the rate is a worst-case quantity that does not account
for optimizations like free addition gates.
Previously, [BLLL23] define rate to be roughly the inverse of the above quantity, meaning
that typically rate ≥ 1. Our definition is more consistent with the standard concept of the
rate of an encryption scheme, which is at most 1.
When AGC supports arbitrarily large values of ℓ, we are also interested in the asymptotic
behaviour of the rate as ℓ tends to ∞.

3.2 Damgård-Jurik Cryptosystem

The Damgård-Jurik cryptosystem [DJ01] is a generalisation of the Paillier cryptosystem
[Pai99] (which, with the notation of Fig. 2, can be seen as the special case ζ = 1).
Definition 3 (Decision Composite Residuosity Assumption (DCR), [Pai99]). Let
RSA.Gen be a polynomial-time algorithm which, on input a security parameter λ, outputs
(N, p, q) where p and q are λ-bit primes and N = pq. Let λ be a security parameter. We say
that the Decision Composite Residuosity (DCR) problem is hard relative to modulus-sampling
algorithm RSA.Gen if
( ) ( )
$ $
(N, p, q) ← RSA.Gen c (N, p, q) ← RSA.Gen
(N, x) : ≈ (N, xN mod N ) : .
x ← (Z/N 2 Z)× x ← (Z/N 2 Z)×
$ $

5
As an alternative to restricting to circuits with more gates than inputs, we could allow the garbling
scheme to use “compressed inputs”. That is, if k0i is the same for all i, and k1i is sampled randomly by
the functionality (so that it can be replaced by something pseudorandom), then don’t charge for the
size of the input wire labels. There are methods of generating the input wire labels using only sublinear
communication, such as the succinct VOLE of [ARS24]. This modified rate definition would reflect that.

10
Theorem 4 (Damgård-Jurik Cryptosystem [DJ01]). For any choice of the parameter
ζ ≥ 2, the construction of Fig. 2 is a CPA-secure linearly homomorphic encryption scheme
if and only if the DCR assumption holds.

LHE Damgård-Jurik Cryptosystem [DJ01]

Requires:
– RSA.Gen(·) is an RSA modulus generation algorithm which, on input a security pa-
$
rameter 1λ , samples (p, q) ← [2ℓ(λ)−1 , 2ℓ(λ) ] (where ℓ is some polynomial chosen ap-
propriately in order for the cryptosystem to achieve λ bits of security) then computes
N ← p · q, and outputs (N, p, q).
– ζ ≥ 2 is a constant defining the plaintext size.
– Functions exp : (Z/N ζ Z)+ → 1 + N (Z/N ζ+1 Z) and log : 1 + N (Z/N ζ+1 Z) →
(Z/N ζ Z)+ are defined by the following expressions, as in [RS21]:
ζ ζ
X (N x)k X (−N )k−1 xk
exp(x) = and log(1 + N x) =
k! k
k=0 k=1

DJ.KeyGen(1λ ): DJ.EncN,ζ (x):

$
1. Run (N, p, q) ← RSA.Gen(1λ ) 1. Sample r ← (Z/N ζ+1 Z)×
$

ζ
2. Compute φ ← (p − 1) · (q − 1) 2. Compute c ← rN · exp(x)
3. Output (N, φ) 3. Output c

DJ.EvalN,ζ (c1 , c2 , α): DJ.DecN,ζ,φ (c):

// Homomorph. eval. (x, y) 7→ α · x + y 1. Compute ψ as the multiplicative inverse
Compute and output c ← cα · c2 of φ in Z/N ζ Z
1
2. Compute and output x ← ψ · log(cφ )

Fig. 2: The Damgård-Jurik cryptosystem.

3.3 IND-KDM Security

Informally, an encryption scheme is KDM-secure if it remains secure when the plaintext

messages are a function of the secret key.

Definition 5 (Key-dependent message security [BRS03], Special Case). A public-

key encryption scheme PKE = (KeyGen, Enc, Dec), whose private-key and message spaces
are denoted K and M respectively, is secure in the presence of key-dependent messages with
respect to function class F ⊆ K → M (or simply F-KDM-secure) if for every p.p.t. algorithm
A· with oracle queries
h KDM i h KDM i
Pr AOF ,sk,0 (1λ , pk) = 1 : (sk, pk) ← KeyGen(1λ ) − Pr AOF ,sk,1 (1λ , pk) = 1 : (sk, pk) ← KeyGen(1λ ) ≤ negl(λ) ,
$ $

KDM and O KDM are defined in Fig. 3.

where oracles OF ,sk,0 F ,sk,1

11
 Experiment IND-CPA and IND-KDM Security Game
KDM (f )
OF KDM (f )
OF
,sk,0 ,sk,1
if f ∈
/ F return ⊥ if f ∈
/ F return ⊥
else else
c ← Encpk (0|f (sk)| )
$ $
c ← Encpk (f (sk))
return c return c

Fig. 3: Oracles used IND-KDM (Definition 5) security.

Note that in all generality, KDM-security requires we allow the plaintexts to be functions
of multiple secret keys (i.e. F ⊆ Kℓ → M, where ℓ is some parameter, polynomial in the
security parameter) and the encryption to be performed under any one of those keys. For
our purposes however, it suffices to consider the special case ℓ = 1. In fact, whenever we use
KDM-secure encryption in this paper, it will suffice for the encryption scheme to be secure
given encryptions of linear combinations of the key, its inverse, and all constants6 .

3.4 Distributed Discrete Logarithm

We recall in Fig. 4 the definition of distributed discrete logarithm function DDLog introduced
by Roy and Singh [RS21]. The properties of this function which we use in this paper are
stated in lemmata 6, 7, and 8. Note that these are immediate corollaries/reformulations
of [RS21, Theorem 18] and [RS21, Lemma 19]. Throughout, we use the symmetric convention
for the mod operator. Namely, “· mod B” takes values in (−B/2; B/2]. We recall in Fig. 4
the definition of distributed discrete logarithm function DDLog introduced by Roy and Singh
[RS21]. The properties of this function which we use in this paper are stated in lemmata
6, 7, and 8. Note that these are immediate corollaries/reformulations of [RS21, Theorem 18]
and [RS21, Lemma 19]. Throughout, we use the symmetric convention for the mod operator.
Namely, the function “· mod B” takes values in (−B/2; B/2].

DDLOG Damgård-Jurik Distance Function [RS21]

DDLog(N, h) :
h


Compute and output z ← log h mod N

Fig. 4: [RS21]’s distributed discrete logarithm for the Damgård-Jurik cryptosystem [DJ01].

Lemma 6. For all (N, φ) ∈ Supp(DJ.KeyGen), for all exponents ζ ≥ 1, and for all ciphertexts
c ∈ (Z/N ζ+1 Z)× and shares (over Z) ⟨xφ⟩0 , ⟨xφ⟩1 of some x ∈ Z times φ, we have

DDLog(c⟨xφ⟩1 ) − DDLog(c⟨xφ⟩0 ) ≡ DJ.DecN,ζ,φ (c) · x · φ mod N ζ .

Proof. By definition of DJ.Dec we have cφ = exp(DJ.DecN,ζ,φ (c) · φ), so

c⟨xφ⟩1
= cxφ = exp(DJ.DecN,ζ,φ (c) · x · φ).
c⟨xφ⟩0
6
Note that if F includes all constant functions from K to M, then F-KDM security implies CPA security.

12
That is, the inputs of DDLog are multiplicative shares of exp(DJ.DecN,ζ,φ (c)·x·φ). By [RS21,
Theorem 18], the outputs of DDLog are then additive secret shares of DJ.DecN,ζ,φ (c)·x·φ.

Lemma 7. Let ζ ≥ 1. For all (N, φ) ∈ Supp(DJ.KeyGen), let ν = N −ζ mod φ. For all
ciphertexts c ∈ (Z/N ζ+1 Z)× , all x ∈ Z, and all shares (⟨x⟩0 , ⟨x⟩1 ) and (⟨xν⟩0 , ⟨xν⟩1 ) of x
and xν, we have
h ζ ζ
DDLog(c⟨x⟩1 −N ·⟨xν⟩1 ) − DDLog(c⟨x⟩0 −N ·⟨xν⟩0 ) ≡ DJ.DecN,ζ,φ (c) · x mod N ζ .

Proof. Let d = (φ−1 mod N ζ )φ. We use an observation of [RS21]:

1 − N ζ ν ≡ dφ mod N ζ φ,

because they are both 1 modulo N ζ and they are both 0 modulo φ (and because N and φ
are coprime). Now, let ⟨xd⟩0 = ⟨x⟩0 − N ζ · ⟨xν⟩0 and ⟨xd⟩1 = ⟨xd⟩0 + xd. Then

⟨xd⟩1 ≡ ⟨x⟩1 − N ζ · ⟨xν⟩1 mod N ζ

and the multiplicative order of c divides N ζ φ by Euler’s theorem, so for i ∈ {0, 1}

ζ ·⟨xν⟩
DDLog(c⟨x⟩i −N i
) = DDLog(c⟨xd⟩i ).

The result then follows from Lemma 6:

DJ.DecN,ζ,φ (c) · xd · φ ≡ DJ.DecN,ζ,φ (c) · xφ−1 · φ ≡ DJ.DecN,ζ,φ (c) · x mod N ζ .

Lemma 8. For all moduli M > 1 and all modulo M shares ⟨x⟩0 , ⟨x⟩1 ∈ Z/M Z of some
x ∈ Z, we have
 
h i |x|
Pr (⟨x⟩1 + r) mod M − (⟨x⟩0 + r) mod M = x = max 1 − ζ , 0 .
$
r←Z/M Z
N

Proof. This is essentially [RS21, Lemma 19].

4 Arithmetic Garbled Circuits

4.1 From KDM security of Damgård-Jurik

We have already provided a high-level technical overview of this construction in Section 2.2,
and we therefore proceed below with the formal description of our garbling scheme (Fig. 5)
and its proof of correctness and security.
There is only one difficulty which is not addressed by the technical overview, and this is the
reason why our garbling scheme only supports bounded-integer computation, and not full-
blown modular arithmetic. By default, computing a DDLog allows the parties to generate
shares modulo some value, but these shares need to then be converted into shares over Z
before they can be used as input to another DDLog operation. If the shared value is small
enough (which we guarantee by restricting ourselves to B-bounded computation) and the
shares are (pseudo)randomised (which we guarantee by having garbler and evaluator offset
their shares of each wire value using the same PRF key), then taking these shares modulo B
yields correct shares over Z. We note that this trick was previously used in [OSY21].

13
 Arithmetic Garbling AGC from HSS (KDM-secure Damgård-Jurik variant)
Requires:
– DJ = (DJ.KeyGen, DJ.Enc, DJ.Dec) is the Damgård-Jurik cryptosystem of Fig. 2.
– DDLog is the algorithm of Fig. 4.
– (PRFN,ζ,λ )N,ζ,λ∈N3 is a family of pseudorandom functions s.t. PRFN,ζ,λ : {0, 1}λ ×
([N ζ ] × {0, 1}) → [N ζ ].
– ord is an ordering of the gates of the circuit (i.e. a bijection between the set of gates
and [1, s], where s is the number of gates).

The Garbling Scheme (gate-by-gate description): Initially, the garbler sam-

$ $
ples kPRF ← {0, 1}λ and (N, φ) ← DJ.KeyGen(1λ ), sets k ← φ, and computes
c ← DJ.EncN (φ−1 ) (inversion is performed in Z/N ζ Z); for each input wire x, the garbler
$
samples Kx ← [N ζ ], computes cx ← DJ.EncN (Kx ). The label associated with input x is
Lx ← k · x + Kx ∈ [N ζ ].

Addition/Substraction gate z = x ± y: For addition (resp. substraction) gates, at

garbling time, given key pairs (k, Kx ) and (k, Ky ) as well as corresponding ciphertexts
cx and cy , set Kz ← Kx + Ky (resp. Kz ← Kx − Ky ), compute the ciphertext cz ← cx · cy
(resp. cz ← cx /cy ) (cz will be stored in order to compute later keys and tables, but is
not included in the garbled circuit), and produce the key pair (k, Kz ). At evaluation
time, given the labels Lx and Ly , compute the label Lz ← Lx + Ly (resp. Lz ← Lx − Ly )
and the ciphertext cz ← cx · cy (resp. cz ← cx /cy ).

Multiplication gate z = x · y: At garbling time, given key pairs (k, Kx ) and (k, Ky )
as well as the corresponding ciphertexts cx and cy , compute the key pair (k, Kz ), where
Kz is computed as follows:
K
shG y Kx
z ← −DDLog(cx ) − DDLog(cy ) − Kx · Ky + PRFN,ζ,λ (kPRF , ord(z)∥0) mod N
ζ

G
Kz ← DDLog(cshz ) + PRFN,ζ,λ (kPRF , ord(z)∥1) mod N ζ
$
Then produce the ciphertext cz ← EncN (Kz ) (this ciphertext will be included in the
garbled circuit). At evaluation time, given labels Lx and Ly as well as the corresponding
ciphertexts cx and cy , compute the label Lz as follows:
L
shE y Lx
z ← Lx · Ly − DDLog(cx ) − DDLog(cy ) + PRFN,ζ,λ (kPRF , ord(z)∥0) mod N
ζ

E
Lz ← DDLog(cshz ) + PRFN,ζ,λ (kPRF , ord(z)∥1) mod N ζ

Output: For each output z, the garbler computes outG

z ← DDLog(cKz ) +
PRFN,ζ,λ (kPRF , ord(z)∥2) mod N ζ and outputs:
– The garbled circuit including: N , c, cz for each mult. z, and outG
z for each output z.
– The input encoding information: k, and Kx for each input x.
The evaluator runs outE Lz ζ
z ← DDLog(c )+PRFN,ζ,λ (kPRF , ord(z)∥3) mod N and outputs
E G
(outz − outz ) for each output z.

14
Fig. 5: Arithmetic garbled circuit with one ciphertext per multiplication (and free addition)
from KDM-security of Damgård-Jurik (gate-by-gate description).

Theorem 9 (AGC with one ciphertext per multiplication from KDM-secure

Damgård-Jurik, via DDLog). Let λ be a security parameter. Let ζ ≥ 2, assume the
KDM-security7 of the Damgård-Jurik encryption scheme with parameter ζ, and let ℓ(λ) be
the bit-length of the corresponding RSA modulus. Let ε > 0. For every B ≤ 2(ζ−2−ε)·ℓ(λ) , the
construction of Fig. 5 is an arithmetic garbling scheme for B-bounded integer computation.
Moreover, if a circuit C has n inputs, m outputs, and s× multiplication gates then its garbled
circuit has bit-size

(n + s× + 1) · (ζ + 1) · ℓ(λ) + m · ζ · ℓ(λ)
| {z } | {z }
size of a DJ decoding material
ciphertext

while each input label is 2ζ · ℓ(λ) bits.

Proof.

– Correctness. Let us show that the following invariant is maintained with all but negli-
gible probability (w.a.b.n.p.) for each wire w of the circuit: Lw = k · w + Kw . Let us show
(by a case analysis) that for each gate of the circuit, if the invariant holds for the gate’s
input wires then it holds w.a.b.n.p. for its output wires.

• If w is an input wire, then the invariant holds by definition of Lw .

• If w = x ± y, and the invariant holds for x and y, then by definition Lw def
= Lx ± Ly and
def
Kw = Kx ± Ky . Therefore Lw = (k · x + Kx ) + (k · y + Ky ) = k · (x + y) + (Kx + Ky ) =
k · w + Kw .
• If w = x · y, assume the invariant holds for x and y. By correctness of the Damgård-
Jurik cryptosystem, DJ.Dec(cx ) = Kx w.a.b.n.p. By Lemma 6, because Ly −Ky = y·φ,
L K
DDLog(cx y ) − DDLog(cx y ) = (φ · yKx ) mod N ζ w.a.b.n.p. Similarly, DDLog(cLy )−
x

DDLog(cK ζ
y ) = (φ · xKy ) mod N w.a.b.n.p. Therefore,
x

shE E ζ ζ
w − shw =Z Lx · Lw − (φ · yKx mod N ) − (φ · xKy mod N ) − Kx · Ky .

By Eq. (2) (and because Lx = φx + Kx and Ly = φy + Ky ),

shE E 2 2 ζ
w − shw ≡ φ · xy ≡ φ · w mod N . (4)

7
More precisely, the theorem assumes KDM-security with respect to the class containing the following
functions: the inverse function, all linear combinations, and all constant functions. Note that because the
Damgård-Jurik cryptosystem is linearly homomorphic, linear combination are well-defined.

15
 $
b ←
Lemma 10. Over the randomness of (k, (Kxi )i∈[n] , C) Garble(1λ , C); Lxi ←
k · xi + Kxi ,
Pr[shE G 2 ε
w − shw ̸= φ · w] ≤ 1/N + negl(λ) .

Proof of Lemma 10. Let r = PRFN,ζ,λ (kPRF , ord(z)), and obeserve that kPRF is sam-
pled uniformly and only used to generate these r values. Therefore, we can use PRF
security to replace r with a uniformly random value in Z/N ζ Z, and only add a neg-
ligible term to our bound. (The inputs are chosen before the garbled circuit is
output, so it does not matter that kPRF is given to the evaluator as part of the
garbled circuit.)
Next, we want to bound the probability of shE G 2
w − shw ̸= φ · w. Note that shw =
E
E G E G
e + r and shG = sh
sh e + r for some shares sh
e , sh
e independent of r. Recall from
w w w w w
Eq. (4), shE G 2 ζ eE
w and shw are shares of ϕ · w modulo N . It follows that so are shw and
e G . By Lemma 8,
shw

E
e + r) mod N ζ − (sh E
e + r) mod N ζ ̸= φ2 · w] ≤ |φ2 · w|
Pr [(shw w .
$
r←Z/N ζ Z
Nζ

|φ2 ·w|
By B-admissibility, |w| ≤ B, and since B ≤ N ζ−2−ε by assumption, Nζ
≤
1/N ε .

We now resume the proof. By applying Lemma 10, shE G 2

w − shw = φ · w w.a.b.n.p. By cor-
−1
rectness of the Damgård-Jurik cryptosystem, DJ.Dec(c) = φ w.a.b.n.p. and by Lemma 6
DDLog(shE G −1 ζ ζ
w ) − DDLog(shw ) ≡ φ wφ mod N ≡ w mod N . Completely analogously to
Lemma 10, it holds that Lw − Kw = φ · w w.a.b.n.p. Because there are only a polyno-
mial number of gates, and for each one the invariant holds w.a.b.n.p. if it holds for the
gate’s input wires, with all but negligible probability the invariant holds for every wire of
the circuit. In particular, for every output value z, Lz − Kz = φ · z. Because the inputs
of the circuit are B admissible, φ · z ≤ N ζ . By Lemma 6 (and by correctness of the
Damgård-Jurik cryptosystem), outE G
z − outz
– Privacy. Consider the following simulator S which, on input (1λ , Cλ , y = (y1 , . . . , ym )),
$ $
does the following: (1) sample kPRF ← {0, 1}λ and (N, φ) ← DJ.KeyGen(1λ ), (2) sam-
$ $
ple c ← DJ.EncN (0) and, for each input or multiplication z of Cλ , sample cz ←
$ ζ
DJ.EncN (0), (3) if w1 , . . . , wm are the outputs of Cλ , sample outE ζ
w ← (−N /2, ND /2]
$
then set outG E ζ
wi ← outwi − yi , (4) for each input x of Cλ , sample Lx ← [N ], (5) set
Cbλ ← (N, c, (cz )z , (outG
w )w ), and output ((Lx )x , Cλ ).
b
Let us now show, via a hybrid argument, that this simulator satisfies the privacy require-
ment of Definition 1.
1. Starting from the real-world experiment, for each output wire wi we replace outG wi
with outEwi − yi . These two hybrids are statistically indistinguishable by correctness of
the garbling scheme (established earlier in this proof).
2. We now replace ciphertexts given in the garbled circuit with encryptions of 0. This
new hybrid (which is also the ideal world) is indistinguishable from the previous by
KDM security of the Damgård-Jurik cryptosystem. In fact, the two distributions are
indistinguishable even if the inputs to the garbled circuit are made public. Indeed,
otherwise, an adversary tasked with distinguishing OF KDM and O KDM could run the
,sk,0 F ,sk,1
experiment of sampling kPRF , Lx for each input x, and proceed to compute labels in
a gate-by-gate fashion. Whenever the reduction requires a ciphertext in order to then
perform a DDLog operation, it queries the oracle:

16
 • To obtain c (which, in the real world, should be an encryption of the inverse of
the key), it queries the oracle on f : X 7→ X −1 .
• To obtain cw (which, in the real world, should be an encryption of Kw ) for some
wire x for which it already knows the label Lw , it queries the oracle on f : −w ·X +
Lw . By correctness, of the garbling scheme, Kw = −w · φ + Lw = f (φ). Note that
since we assumed the inputs to the circuit were public, the reduction can indeed
compute the value of wire w in the clear.
Observe that this experiment corresponds exactly to either the first hybrid (if the
oracle is OFKDM ) or the second one (if the oracle is O KDM ). It follows that if the
,sk,0 F ,sk,1
two hybrids were not indistinguishable, one could therefore distinguish between oracle
access to OFKDM and O KDM , which would violate KDM security.
,sk,0 F ,sk,1
– Size. The garbled circuit is comprised of (n + s× + 1) Damgård-Jurik ciphertexts (cx for
each input x, cz for each multiplication z, and c), as well as the garbler’s share of each
output (outGz for each output z).

4.2 From CPA security of Damgård-Jurik

In Section 4.2.1 we descibe (in a “overview” style, introducing one technique at a time) the
techniques which allow us to remove the need for KDM security assumptions. We refer to
Section 4.2.2 for a formal treatment, with the resulting construction described in Fig. 7.

4.2.1 Techniques to remove circular security. As discussed in Section 2.4, the main
idea behind removing the dependence on KDM-style assumptions is to use the powerful idea
of key-switching i.e., for each layer of multiplications in the circuit the garbled will generate
a different Damgård-Jurik key-pair, and only encrypt (functions of) the secret-key in layer
i + 1 under the public key of layer i.
Armed with this idea, there are still a few technical issues to address before we are ready to
provide our formal construction. Also, for the construction in this section, keys and labels
are defined in such a way as to maintain the invariant

Lw = (1, di ) · w − Kw ,

where i is the multiplicative depth of wire w.

For each addition gate z = x + y, where x, y, z are at depth i1 , i2 , j (with 0 ≤ i1 < j ≤ D − 1,

0 ≤ i2 < j ≤ D − 1), the parties (1) decompose their labels/keys for x and y as ⟨x⟩∥⟨di1 · x⟩
and ⟨y⟩∥⟨di2 · y⟩, (2) perform key-switches to generate ⟨dj · x⟩ and ⟨dj · y⟩, (3) set their
label/key for z to be (⟨x⟩ + ⟨y⟩)∥(⟨dj · x⟩ + ⟨dj · y⟩) . By linearity, these keys and labels
indeed satisfy Lz = (1, dj ) · z − Kz .

For each multiplication gate z = x · y, where x, y, z are at depth i1 , i2 , j (with 0 ≤ i1 < j ≤

D −1, 0 ≤ i2 < j ≤ D −1), we exploit the identity from Eq. (3) restated here for convenience:

z = ⟨x⟩1 · ⟨y⟩1 − x · ⟨y⟩0 − y · ⟨x⟩0 − ⟨x⟩0 · ⟨y⟩0 (5)

1. Generate ⟨z⟩. The garbler includes in the garbled circuit encryptions of its shares under the
$ $
public key of the final layer D i.e., ciphertexts cx ← EncND (⟨x⟩0 ) and cy ← EncND (⟨y⟩0 ),
and the parties (1) perform key switches to generate ⟨dD · x⟩ and ⟨dD · y⟩, (2) compute
⟨d ·x⟩ ⟨d ·y⟩
⟨x · ⟨y⟩0 ⟩ ← DDLog(cy D ) and ⟨y · ⟨x⟩0 ⟩ ← DDLog(cx D ), (3) use Eq. (5) to compute
shares of z.

17
2. Generate ⟨dj · z⟩. Assume that for i ∈ [0, D − 1], the garbler provided ciphertexts c′i ←
EncNi (d2i+1 ) (these ciphertexts are to be globally reused for every multiplication gate).
The garbler performs key-switches to convert ⟨di1 · x⟩0 to ⟨dj · x⟩0 , and then additionally
$
provides the ciphertext ctx ← EncNj (⟨dj · x⟩0 ). The parties do the following:
(a) perform key switching to compute ⟨dj−1 · x⟩, ⟨dj · x⟩, ⟨dj−1 · y⟩, and ⟨dj · y⟩;
(b) compute ⟨(dj )2 · x⟩ ← DDLog((c′j )⟨dj−1 ·x⟩ ) and ⟨(dj )2 · y⟩ ← DDLog((c′j )⟨dj−1 ·y⟩ );
(c) perform (j − i1 ) key-switches using (ci )ji=i1 to convert ⟨(dj )2 · x⟩ to ⟨dD · dj · x⟩;8
(d) perform (j − i2 ) key-switches using (ci )ji=i2 to convert ⟨(dj )2 · y⟩ to ⟨dD · dj · y⟩;
⟨d ·d x⟩ ⟨d ·y⟩
(e) compute ⟨dj x · ⟨y⟩0 ⟩ ← DDLog(cy D j ) and ⟨y · ⟨dj · x⟩0 ⟩ ← DDLog(ctx D );
(f) use the identity of Eq. (6), ⟨x⟩, ⟨y⟩, ⟨dj x · ⟨y⟩0 ⟩, and ⟨y · ⟨dj · x⟩0 ⟩ to compute ⟨dj · z⟩.

dj · z = ⟨dj · x⟩1 · ⟨y⟩1 − dj x · ⟨y⟩0 − y · ⟨dj · x⟩0 − ⟨dj · x⟩0 · ⟨y⟩0 (6)

With this approach, the garbled circuit contains two ciphertext per multiplication gate (that
is, cx and ctz for z = x · y), plus an additionnal 2D ciphertexts used to perform key switches
(that is, the encryptions of di+1 and d2i+1 under (Ni , ski ) for i ∈ [0, D − 1]).
There is a problem however with the scheme as presented. Because the di can, in all generality,
be as large as N ζ , and we need authenticated shares of the wire values to fit in the plaintext
space, it seems that we can only performe arithmetic over F2 . Fortunately, there is a simple
fix to this last problem.

Replace ⟨d · X⟩ with ⟨ν · X⟩. Roy and Singh [RS21, Section 4.3] introduced a trick in
order to bypass the above problem. If (N, sk) is a keypair for the Damgård-Jurik encryption
scheme, and we define d ← sk · (sk−1 mod N ζ ) and ν ← N −ζ mod sk, then by the Chinese
remainders theorem d ≡ 1 − N ζ ν mod sk · N ζ . Since N ζ is public, this allows parties to locally
convert ν-authenticated shares into d-authenticated ones: ⟨d · X⟩ ← 1 − N ζ · ⟨ν · X⟩. Crucially,
since ν ≤ sk ≤ N , we can encrypt ν-authenticated shares of wire values as large as N ζ−1 . In
turn the garbling scheme has rate (ζ − 1)/(2ζ + 2) (assuming that the multiplicative depth
of the circuit is significantly smaller than its size).
Concretely, key-switches are now performed as follows, given ⟨x⟩, ⟨ν · x⟩, ci def= EncNi (νi+1 ):

1. compute ⟨di · x⟩ ← ⟨x⟩ − Niζ ⟨ν · x⟩;

⟨d ·x⟩
2. compute ⟨νi+1 · x⟩ ← DDLog(ci i );
3. optionally, use ⟨x⟩ again to compute ⟨di+1 · x⟩ and continue key-switching recursively.
We summarise in Figs. 6a and 6b how garbler and evaluator now perform additions and
multiplications.

8
Note that ⟨(dj )2 · x⟩ can be seen as ⟨dj · (dj · x)⟩: the leading dj is the one being “switched out for dD ”.

18
Fig. 6: Operations performed by the garbler (resp. evaluator) to convert their keys (resp. la-
bels) for wires x (at multiplicative depth ℓx ) and y (at multiplicative depth ℓy ) into a key
(resp. label) for wire z = f (x, y) (at multiplicative depth ℓz ), where f ∈ {+, ×}. This only
relies on CPA-security of Damgård-Jurik encryption.

Key/Label for x Key/Label for y

⟨νℓx x⟩ ⟨x⟩ ⟨y⟩ ⟨νℓy y⟩

Garbled Table Garbled Table

 
EncNℓx (νℓx +1 )  EncNℓy (νℓy +1 )
(ℓz − ℓx )× (ℓz − ℓy )×
 
... + ...

 KeySwitch KeySwitch 

EncND−1 (νD ) EncNℓz −1 (νℓz )

⟨νℓz · x⟩ + ⟨νℓz · y⟩

⟨νℓz · z⟩ ⟨z⟩

Key/Label for z = x + y

(a) Addition gates.

Key/Label for x Key/Label for y

⟨νℓx x⟩ ⟨x⟩ ⟨y⟩ ⟨νℓy y⟩

Garbled Table Garbled Table

 
EncNℓx (νℓx +1 ) EncNℓy (νℓy +1 )
(D − ℓx )× (D − ℓy )×
 
... ...

 KeySwitch KeySwitch 

EncND−1 (νD ) EncND−1 (νD )

⟨dℓz −1 · x⟩ ⟨νℓz · x⟩ ⟨dD · x⟩ ⟨dD · y⟩ ⟨dℓz −1 · y⟩ ⟨νℓz · y⟩

EncND (⟨y⟩0 ) EncND (⟨x⟩0 )
EncNℓz −1 ((νℓz )2 ) DDLog DDLog DDLog DDLog EncNℓz −1 (⟨νℓz x⟩0 )

⟨(νℓz )2 · x⟩ ⟨x · ⟨y⟩0 ⟩ ⟨y · ⟨x⟩0 ⟩ ⟨y · ⟨νℓz x⟩0 ⟩


EncNℓz (νℓz +1 )
(D − ℓz )×

... Equation (7)

 KeySwitch
EncND−1 (νD )

⟨dD · νℓz x⟩

EncND (⟨y⟩0 ) DDLog

⟨νℓz x · ⟨y⟩0 ⟩

Equation (8)

⟨νℓz · z⟩ ⟨z⟩

Key/Label for z = xy

Key Identities
z = ⟨x⟩1 · ⟨y⟩1 − x · ⟨y⟩0 − y · ⟨x⟩0 − ⟨x⟩0 · ⟨y⟩0 (7)
νℓz · z = ⟨νℓz · x⟩1 · ⟨y⟩1 − νℓz x · ⟨y⟩0 − y · ⟨νℓz · x⟩0 − ⟨νℓz · x⟩0 · ⟨y⟩0 (8)
(b) Multiplication gates.
19
4.2.2 Formal construction, theorem statement, and proof.

Arithmetic Garbling AGC from HSS (CPA-secure Damgård-Jurik variant)

Requires:
– DJ = (DJ.KeyGen, DJ.Enc, DJ.Dec) is the Damgård-Jurik cryptosystem of Fig. 2.
– DDLog is the algorithm of Fig. 4.
– (PRFN,ζ,λ )N,ζ,λ∈N3 is a family of pseudorandom functions with outputs in [N ζ ].
– ord is an ordering of the gates of the circuit (i.e. a bijection between the set of gates
and [1, s], where s is the number of gates).

The Garbling Scheme (gate-by-gate description): Initially, the garbler samples

kPRF ← {0, 1}λ and (Nℓ , φℓ ) ← DJ.KeyGen(1λ ) then sets νℓ ← N −ζ mod φℓ for each
$ $

ℓ ∈ [0, D] (where D is the multiplicative depth of the circuit). For each ℓ ∈ [0, D − 1],
the garbler computes cℓ ← DJ.EncNℓ (νℓ+1 ) and c′ℓ ← DJ.EncNℓ (νℓ+1 2 ); for each in-
$
put wire x, the garbler samples Kx ← [N0s ]2 . The label associated with input x is
Lx ← (1, ν0 ) · x + Kx ∈ [N0s ]2 .

Addition gate z = x + y: Let ℓx , ℓy , ℓz ∈ [0, D] be the multiplicative depths of wires x,

y, and z respectively (and observe that ℓz = max(ℓx , ℓy )). Let w, W such that {w, W } =
{x, y}, ℓw = min(ℓx , ℓy ) and ℓW = max(ℓx , ℓy ).

Addition – Garbling

At garbling time, given ((1, νℓx ), Kx ) and ((1, νℓy ), Ky ) as well as corresponding
ciphertexts cx and cy :
1. Key switching to lift ⟨dℓw · w⟩ to ⟨dℓz · w⟩. Set ⟨w⟩0 ← Kw .fst and ⟨νdw ·
w⟩0 ← Kw .snd, then, for each ℓ ∈ [ℓw , ℓz − 1], compute ⟨νℓ+1 · w⟩0 and ⟨dℓ · w⟩0
as follows:

⟨dℓ · w⟩0 ← ⟨w⟩0 − Nℓs · ⟨νℓ · w⟩0

⟨νℓ+1 · w⟩0 ← DDLog((cℓ )⟨dℓ ·w⟩0 ) + PRFN,ζ,λ (kPRF , (ord(w), 0, ℓ, 1)) mod N ζ .

2. Homomorphically compute the ciphertext cz ← cx · cy (to be stored, but not

given out as part of the garbled table).
3. Compute Kz ← (Kw .fst + KW .fst, ⟨νℓz · w⟩0 + KW .snd) and output (νℓz , Kz ).

Addition – Evaluation
At evaluation time, given labels Lx and Ly , compute the label Lz as follows:
1. Key switching to lift ⟨dℓw ·w⟩ to ⟨dℓz ·w⟩. Set ⟨w⟩1 ← Lw .fst and ⟨νℓw ·w⟩1 ←
Lw .snd, then, for each ℓ ∈ [ℓw , ℓz −1], compute ⟨νℓ+1 ·w⟩1 and ⟨dℓ ·w⟩1 as follows:

⟨dℓ · w⟩1 ← ⟨w⟩1 − Nℓs · ⟨νℓ · w⟩1

⟨νℓ+1 · w⟩1 ← DDLog((cℓ )⟨dℓ ·w⟩1 ) + PRFN,ζ,λ (kPRF , (ord(w), 0, ℓ, 1)) mod N ζ .

2. Compute and store cz ← cx · cy .

3. Compute and output the label Lz ← (Lw .fst + LW .fst, ⟨νℓz · w⟩1 + LW .snd).

20
Multiplication gate z = x · y: Let ℓx , ℓy , ℓz ∈ [0, D] be the multiplicative depths of
wires x, y, and z respectively (and observe that ℓz = max(ℓx , ℓy ) + 1).

Multiplication – Garbling

At garbling time, given ((1, νℓx ), Kx ) and ((1, νℓy ), Ky ), as well as corresponding
ciphertexts cx and cy , compute Kz as follows:
1. For w ∈ {x, y}, set ⟨w⟩0 ← Kw .fst and ⟨νℓw · w⟩0 ← Kw .snd, then, for each
ℓ ∈ [ℓw , D − 1], compute ⟨νℓ+1 · w⟩0 and ⟨dℓ · w⟩0 as follows:

⟨dℓ · w⟩0 ← ⟨w⟩0 − Nℓs · ⟨νℓ · w⟩0

⟨νℓ+1 · w⟩0 ← DDLog((cℓ )⟨dℓ ·w⟩0 ) + PRFN,ζ,λ (kPRF , (ord(w), 1, ℓ)) mod N ζ .
$
Then, compute ctx ← DJ.EncNℓz −1 (⟨νℓz · x⟩0 ).
2. Compute ⟨z⟩0 as follows:

⟨z⟩0 ← − DDLog((cx )⟨dD ·y⟩0 ) − DDLog((cy )⟨dD ·x⟩0 ) − Kx .fst · Ky .fst

+ PRFN,ζ,λ (kPRF , (ord(w), 2)) mod N ζ .

3. Compute ⟨νℓ2z ·x⟩0 ← DDLog((c′ℓz −1 )⟨dℓz −1 ·x⟩0 )+PRFN,ζ,λ (kPRF , (ord(w), 3)) mod
N ζ then compute (⟨dℓ · νℓz · x⟩0 )D
ℓ=ℓz +1 recursively as:

⟨dℓz · νℓz · x⟩0 ←⟨νℓz · x⟩0 − Nℓs · ⟨νℓ2z · x⟩0

For ℓ ∈ [ℓz , D − 1], ⟨dℓ+1 · νℓz · x⟩0 ← ⟨νℓz · x⟩0 − Nℓs · DDLog((c′ℓ )⟨dℓ ·νℓz ·x⟩0 )
+ PRFN,ζ,λ (kPRF , (ord(w), 4, ℓ)) mod N ζ .

Compute:
⟨dD ·νℓz ·x⟩0 ⟨d ·y⟩0
⟨νℓz · z⟩0 ← − DDLog(cy ) − DDLog(ctx ℓz −1 ) − ⟨νℓz · x⟩0 · (Ky .fst)
+ PRFN,ζ,λ (kPRF , (ord(w), 5)) mod N ζ .

$
Finally, compute cz ← DJ.EncND (Kz .fst).
4. Produce key Kz ← (⟨z⟩0 , ⟨νℓz · z⟩0 ) and garbled table (cz , ctx ).

21
 Multiplication – Evaluation
At evaluation time, given labels Lx and Ly as well as corresponding ciphertexts cx ,
cy , and ctx , compute the label Lz as follows:
1. For w ∈ {x, y}, set ⟨w⟩1 ← Lw .fst and ⟨νℓw · w⟩1 ← Lw .snd, then, for each
ℓ ∈ [ℓw , D − 1], compute ⟨νℓ+1 · w⟩1 and ⟨dℓ · w⟩1 as follows:

⟨dℓ · w⟩1 ← ⟨w⟩1 − Nℓs · ⟨νℓ · w⟩1

⟨νℓ+1 · w⟩1 ← DDLog((cℓ )⟨dℓ ·w⟩1 ) + PRFN,ζ,λ (kPRF , (ord(w), 1, ℓ)) mod N ζ .

2. Compute shz as follows:

⟨z⟩1 ← Lx .fst · Ly .fst − DDLog((cx )⟨dD ·y⟩1 ) − DDLog((cy )⟨dD ·x⟩1 )

+ PRFN,ζ,λ (kPRF , (ord(w), 2, ℓ)) mod N ζ .

3. Compute ⟨νℓ2z ·x⟩1 ← DDLog((c′ℓz −1 )⟨dℓz −1 ·x⟩1 )+PRFN,ζ,λ (kPRF , (ord(w), 3)) mod
N ζ then compute (⟨dℓ · νℓz · x⟩1 )D
ℓ=ℓz +1 recursively as:

⟨dℓz · νℓz · x⟩1 ←⟨νℓz · x⟩1 − Nℓs · ⟨νℓ2z · x⟩1

For ℓ ∈ [ℓz , D − 1], ⟨dℓ+1 · νℓz · x⟩1 ← ⟨νℓz · x⟩1 − Nℓs · DDLog((c′ℓ )⟨dℓ ·νℓz ·x⟩1 )
+ PRFN,ζ,λ (kPRF , (ord(w), 4, ℓ)) mod N ζ .

Compute:
⟨dD ·νℓz ·x⟩1 ⟨dℓz−1 ·y⟩1
⟨νℓz · z⟩1 ← ⟨νℓz · x⟩1 · (Ly .fst) − DDLog(cy ) − DDLog(ctx )
ζ


+ PRFN,ζ,λ (kPRF , (ord(w), 5)) mod N .

4. Produce label Lz ← (⟨z⟩1 , ⟨νℓz · z⟩1 ).

Output: For each output value z, the garbler outputs:

– The garbled circuit, comprised of (Nℓ )ℓ∈[0,D] , (cℓ )ℓ∈[0,D] , cz for each input or multipli-
cation z, ctx for each x which is the left input of a multiplication, and outG z := Kz .fst
for each output z.
– Its state (used to compute the input labels), comprised of (Nℓ , νℓ )ℓ∈[0,D] , and Kx for
each input x.
The evaluator outputs (outE G E
z − outz ) for each output z, where outz := Lz .fst.

Fig. 7: Arithmetic garbled circuit with two ciphertexts per multiplication (and free addition)
from CPA-security of Damgård-Jurik (gate-by-gate description).

Theorem 11 (AGC with two ciphertexts per multiplication from CPA-secure

Damgård-Jurik, via DDLog). Let ε > 0. Let λ be a security parameter. Let ζ ≥ 2,
assume the CPA-security of the Damgård-Jurik encryption scheme with parameter s, and let
ℓ(λ) be the bit-length of the corresponding RSA modulus. For every B ≤ 2(ζ−1−ε)·ℓ(λ) , the
construction of Fig. 7 is an arithmetic garbling scheme for B-bounded integer computation.

22
Moreover, if a circuit C has n inputs, m outputs, s× multiplication gates, and has multiplica-
tive depth D, then its garbled circuit has bit-size

(n + 2s× + 2D) · (ζ + 1) · ℓ(λ) + m · ζ · ℓ(λ)

| {z } | {z }
size of a DJ decoding
ciphertext material

while each input label is 2ζ · ℓ(λ) bits.

Proof. The proof of Theorem 11 follows along the same lines as that of Theorem 9.
– Correctness. As in Theorem 9, it suffices to show that the following invariant is main-
tained:
If w (at multiplicative depth ℓz ) is either an input wire, or a wire whose
two inputs x and y (at multiplicative depth ℓx and ℓy respectively) satisfy
Lx = (1, νℓx ) · x + Kx and Ly = (1, νℓy ) · y + Ky , then: with all but negligi-
ble probability (w.a.b.n.p.), Lz = (1, νℓz ) · y + Kz .
We prove this by a case-by-case analysis.
• If w is an input wire, this is true by definition of Lw .
• If w = x ± y, assume the invariant holds for x and y.
Lemma 12. With all but negligible probabilty, ⟨νℓx +1 · x⟩1 − ⟨νℓx +1 · x⟩0 = νℓx +1 · x .

Proof of Lemma 12. By correctness of the Damgård-Jurik cryptosystem,

⟨d ·x⟩
DJ.DecNℓx ,ζ,φℓx (cℓ ) = νℓ+1 w.a.b.n.p. By Lemma 7, DDLog(cℓxℓx 1 ) −
⟨d ·x⟩
DDLog(cℓxℓx 0 ) = νℓx +1 · x w.a.b.n.p. Analogously to Lemma 10, which
amounts to a variant of Lemma 8 for shares which are only pseudo-random,
⟨νℓx +1 · x⟩1 − ⟨νℓx +1 · x⟩0 = νℓx +1 · x w.a.b.n.p.
We can inductively repeat the steps of the proof of Lemma 12 to show that, w.a.b.n.p.,
⟨νℓw · x⟩1 − ⟨νℓw · x⟩0 = νℓw · x and ⟨νℓw · y⟩1 − ⟨νℓw · y⟩0 = νℓw · y . Note that, since
w is a multiplication gate, one of ℓx or ℓy is equal to ℓw . It follows that Lw − Kw =
(Lx .fst − Kx .fst + Ly .fst − Ky .fst, νℓw · x + νℓw · y) = (1, νℓw ) · w .
• If w = x · y, assume the invariant holds for x and y. Analogously to Lemma 12,
⟨w⟩1 − ⟨w⟩0 = w w.a.b.n.p. Indeed, we can (1) show that DDLog((cx )⟨dD ·y⟩1 ) −
DDLog((cx )⟨dD ·y⟩0 ) ≡ y ·⟨x⟩0 mod NℓζD and DDLog((cy )⟨dD ·x⟩1 )−DDLog((cy )⟨dD ·x⟩0 ) ≡
ζ ζ
x · ⟨y⟩0 mod ND , (2) use Eq. (3) to show that ⟨w⟩1 − ⟨w⟩0 = x · y ≡ w mod ND
w.a.b.n.p., (3) apply the exact techniques of Lemma 10 to show that ⟨w⟩1 −⟨w⟩0 = w .
Analogously (and using Eq. (8)), ⟨νℓw · w⟩1 − ⟨νℓw · w⟩0 = νℓw · w w.a.b.n.p. Therefore,
Lw − Kw = (1, νℓw · w) w.a.b.n.p.
– Privacy. Consider the following simulator S which, on input (1λ , Cλ , y = (y1 , . . . , ym )),
$ $
does the following: (1) sample kPRF ← {0, 1}λ and (Nℓ , φℓ ) ← DJ.KeyGen(1λ ) for ℓ ∈ [D]
then set νℓ ← Nℓ−ζ mod φℓ for ℓ ∈ [D], (2) sample cℓ , c′ℓ ← DJ.EncNℓ (0) for ℓ ∈ [D], (3)
$

$
for each input or multiplication w of Cλ , sample cw ← DJ.EncND (0), (4) for each wire
x which is the left input of a multiplication gate w (at multiplicative depth ℓw ), sample
$ ζ ζ
ctNℓw −1 (0), (5) if w1 , . . . , wm are the outputs of Cλ , sample outE w ← (−ND /2, ND /2]
$ ζ
then set outG E
wi ← outwi − yi , (6) for each input x of Cλ , sample Lx ← [N1 ], (7) set
Cbλ ← ((Nℓ )ℓ∈[D] , (cℓ )ℓ∈[D] , (c′ )ℓ∈[D] , (cw )w , (ctw )w , (outG
w )w ), and output ((Lx )x , Cλ ).
b
ℓ
Let us show, via a hybrid argument, that this simulator satisfies the privacy requirement
of Definition 1.
1. Starting from the real-world experiment, for each output wire wi we replace outG wi
with outE wi − yi . These two hybrids are statistically indistinguishable by correctness of
the garbling scheme (established earlier in this proof).

23
 2. For ℓ = 1 to D (in this order), we can switch out all encryptions performed under key
Nℓ with encryptions of 0, by CPA security of the Damgård-Jurik cryptosystem. Once
all these ciphertexts have been switched out, the resulting hybrid coincides with the
ideal world.
– Size. The garbled circuit is comprised of (n + 2s× + 2D) Damgård-Jurik ciphertexts (cx
for each input x, cz for each multiplication z, ctx for each wire x which is the left input of
a multiplication gate, and cℓ and c′ℓ for each of the D multiplicative layers of the circuit),
as well as the garbler’s share of each output (outG z for each output z).

4.3 Optimised left-right wire assignment.

In Sections 4.1 and 4.2, we presented two arithmetic garbling scheme which we now refer to as
“the KDM scheme” and “the CPA scheme”, respectively. Recall that, for each multiplication
gate z = x · y, the garbled circuit for the KDM scheme should contain (the means to
compute) encryptions of the form EncN (⟨φ · x⟩0 ) and EncN (⟨φ · y⟩0 ), while the garbled
circuit for the CPA scheme should contain (the means to compute) encryptions of the form
EncND (⟨x⟩0 ), EncND (⟨y⟩0 ), and EncNℓz −1 (⟨νℓz · x⟩0 ).

On the face of it, the schemes should achieve rate 1/2 and 1/3 respectively. However, we
already presented the following optimisation based on linear homomorphism: if the garbled
circuit contains a ciphertext EncN (⟨φ · w⟩0 ) (for the KDM scheme) or EncND (⟨w⟩0 ) (for the
CPA scheme) for each w which is either an input or the result of a multiplication gate, then
the parties can in fact compute such ciphertexts for every single wire of the circuit—and in
particular for every input of a multiplication gate, which is what they need—(using linear
homomorphism to deal with addition gates). The garbled circuits now contain one (KDM)
or two (CPA) ciphertext per multiplication and one ciphertext per input, and the garbling
schemes therefore have rate 1 (KDM) and 1/2 (CPA).

In the CPA scheme, we only need to give out a ciphertext of the form EncNℓz −1 (⟨νℓz · x⟩0 )
for the left input wire of multiplication z. Because multiplications are commutative, we have
some degree of liberty in deciding which wires are left ones. If a value is used as the input
to many multiplication gates at the same multiplicative depth, it may be beneficial to make
this value the left input to these multiplications, in order to reuse the same ciphertext.

4.3.1 Reducing left-right assignments to vertex cover. In this section, we show how
the problem of choosing which wires should be left or right inputs to multiplication gates in
order to minimise the size of the garbled circuit can be reduced to the problem of finding
(small) vertex covers in some graphs.
Definition 13 (Depth-i multiplication graph of a circuit). Let C be a fan-in two
arithmetic circuit of multiplicative depth D. For each i ∈ [D], we define the depth-i multipli-
cation graph of C as the graph Gi = (V, Ei ) where V is the set of all inputs and computation
gates of C, and Ei is defined by: (x, y) ∈ Ei if and only if there exists a gate z at multiplicative
depth i such that z = x · y.
Lemma 14 (Left-right wire assignment based on vertex covers). Let C be a fan-in
two arithmetic circuit of multiplicative depth D. For i ∈ [D], let Gi be the depth-i multiplica-
tion graph of C, and Fi be a vertex cover of Gi .
Up to permuting the input wires of multiplication gates ( e.g. computing z = x · y as z = y · x),
we can assume that, for every i ∈ [D], all left input wires to a depth-i multiplication gate are
in Fi .

24
Proof. Let i ∈ [D], let z be a depth-i multiplication gate of C, and let x, y be the inputs to
z. By definition of Gi , (x, y) ∈ Ei . By definition of a vertex cover, at least one of (the nodes
of Gi associated with) x or y must be in Fi : we can therefore always ensure the left input
wire is in Fi .

ItPfollows from Lemma 14 and Section 4.2.2 that if we can establish a bound of the form
( D i=1 |Fi |/|C|) ≤ c for every circuit C (from a given class), then assuming the IND-CPA
security of the Damgård-Jurik encryption scheme, there is an arithmetic garbling scheme (for
that class) with rate 1/(1 + c).9

4.3.2 A constructive upper bound for levelled circuits. In this section we show that
the CPA scheme can be adapted to achieve rate 3/5 for levelled circuits10 , but at the cost
of losing free addition. While losing free addition makes the scheme concretely better only
for circuits with at least 83.3̄% of multiplication gates, this tradeoff is still interesting in a
theoretical sense because rate is defined as a worst-case quantity over all circuits (in particular
those containing only multiplication gates).

Lemma 15 (“Caro-Wei theorem”, Bounding the independence number of a graph

in terms of its degree sequence, [Car79, Wei81]). Let G = (V, E) be a simple graph.
Its independence number α(G) satisfies:
X 1
α(G) ≥ .
deg(u) + 1
u∈V

The “Caro-Wei theorem” was originally proven via a probabilistic argument, but a construc-
tive proof was later provided by Murphy [Mur91]. For completeness, we recall this construction
in Fig. 8.

Algorithm IndSet

On input a graph G = (V, E):

1. If V = ∅, return ∅.
2. Else, choose u ∈ V of minimum degree in G.
3. Output {u} ∪ IndSet(G[V ∖NG [u]]).

Fig. 8: Murphy’s [Mur91] greedy recursive algorithm to find an independent set satisfying the
Caro-Wei bound [Car79, Wei81].

Lemma 16 (Two-thirds bound for levelled circuits). Let C be an n-input, m-output,

multiplicative-depth-D levelled circuit. For i ∈ [D], let Gi be the depth-i multiplication graph
of C (Definition 13).
There exists a polynomial-time algorithmPfor finding F1 , . . . , FD such that: (1) for each i ∈
[D], Fi is a vertex cover of Gi , and (2) ( Di=1 |Fi |/|C|) ≤ 2/3 .

Proof. Define the following quantities:

9
Note that if we can provide a bound of the form ( D
P
i=1 |Fi |/s× (C)) ≤ c, where s× (C) is the number of
multiplication gates of circuit C, then the scheme has free addition.
10
A circuit is levelled if its nodes (inputs and computation gates) can be partitioned into layers such that
each edge connects nodes in adjacent layers. The difference between a levelled and a layered circuit is that,
in the latetr, any input to the circuit is allowed to be an input to gates in different layers.

25
 – For each i ∈ [D], Gi is the depth-i multiplication graph of C;
– For each i ∈ [D] and for j ∈ [0, |V |], ni,j := |{u ∈ V : degGi (u) = j}|;
– For each i ∈ [0, D], s×,i (resp. si ) is the size of (resp. the number of multiplication gates
in) the ith layer of C.
Since the number of edges in a graph is twice the sum of the degrees of its nodes,
|V |
X X
∀i ∈ [D], 2 · si ≥ 2 · s×,i = 2 · |Ei | = degGi (u) = j · ni,j . (9)
u∈V j=0

The complement of an independent set P is a vertex cover [Gal59], so, by Lemma 15, Gi admits
a vertex cover Fi of size at most |V | − u∈V deg 1(u)+1 .
Gi

|V |
X 1
 X degGi (u) X j
∀i ∈ [D], |Fi | = 1− = = ni,j · . (10)
degGi (u) + 1 degGi (u) + 1 j+1
u∈V u∈V j=0

|V |
X
∀i ∈ [D], si−1 ≥ ni,j . (11)
j=0
PD 1
By considering the linear combination “ i=1 ( 6 [Eq. (9)]+ 31 [Eq. (11)]−[Eq. (10)])” we obtain
Eq. (12):

!
D D D |V
P|  
sD 2s s0 P P 2si si−1
P j 1 j
3 + 3 + 3 − |Fi | = 6 + 3 − |Fi | ≥ 6 + 3 − j+1 · ni,j
i=1 i=1 i=1 j=0
D |V
P|  
(j−2)(j−1)
(12)
P
= 6(j+1) · ni,j
i=1 j=0
D |V
P|  
P (j−2)(j−1)
= 6(j+1) · ni,j ≥ 0 .
i=1 j=3

Because all gates in the final layer must be outputs, sD ≤ m. Because all gates
PDin the first
layer must be inputs, s0 ≤ n. Combining these facts with Eq. (12), n+m+2s
3 ≥ i=1 |Fi | .

Note that the bound of Lemma 16 P is tight in the sense there exist circuits for which any
vertex covers (Fi )i∈[D] must satisfy i = 1D |Fi | ≥ 2|C|/3 (consider for instance a circuit
such that each Gi is a union of node-disjoint triangles).

Lemma 16 yields an arithmetic garbling scheme with rate 1/(1 + 2/3) = 3/5 for levelled
circuits.

26
Acknowledgments

This research was supported by: the European Research Council (ERC) under the Eu-
ropean Union’s Horizon 2020 research and innovation programme under grant agreement
number 803096 (SPEC); the Danish Independent Research Council under Grant-IDs DFF-
3103-00077B (CryptoDigi) and DFF-0165-00107B (C3PO); and the DARPA SIEVE program
(contract HR001120C0085 “FROMAGER”). Any opinions, findings and conclusions or recom-
mendations expressed in this material are those of the author(s) and do not necessarily reflect
the views of DARPA. Distribution Statement “A” (Approved for Public Release, Distribution
Unlimited).

References
AIK11. Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. How to garble arithmetic circuits. In Rafail
Ostrovsky, editor, 52nd FOCS, pages 120–129. IEEE Computer Society Press, October 2011.
ARS24. Damiano Abram, Lawrence Roy, and Peter Scholl. Succinct homomorphic secret sharing. In Marc
Joye and Gregor Leander, editors, Advances in Cryptology – EUROCRYPT 2024, pages 301–330,
Cham, 2024. Springer Nature Switzerland.
BGG+ 14. Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Halevi, Valeria Nikolaenko, Gil Segev, Vinod
Vaikuntanathan, and Dhinakaran Vinayagamurthy. Fully key-homomorphic encryption, arithmetic
circuit ABE and compact garbled circuits. In Phong Q. Nguyen and Elisabeth Oswald, editors,
EUROCRYPT 2014, volume 8441 of LNCS, pages 533–556. Springer, Heidelberg, May 2014.
BGI16. Elette Boyle, Niv Gilboa, and Yuval Ishai. Breaking the circuit size barrier for secure computation
under DDH. In Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part I, volume
9814 of LNCS, pages 509–539. Springer, Heidelberg, August 2016.
BLLL23. Marshall Ball, Hanjun Li, Huijia Lin, and Tianren Liu. New ways to garble arithmetic circuits. In
Carmit Hazay and Martijn Stam, editors, EUROCRYPT 2023, Part II, volume 14005 of LNCS,
pages 3–34. Springer, Heidelberg, April 2023.
BMR16. Marshall Ball, Tal Malkin, and Mike Rosulek. Garbling gadgets for Boolean and arithmetic circuits.
In Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi,
editors, ACM CCS 2016, pages 565–577. ACM Press, October 2016.
BRS03. John Black, Phillip Rogaway, and Thomas Shrimpton. Encryption-scheme security in the presence
of key-dependent messages. In Kaisa Nyberg and Howard M. Heys, editors, SAC 2002, volume
2595 of LNCS, pages 62–75. Springer, Heidelberg, August 2003.
Car79. Yair Caro. New results on the independence number. Technical report, Technical Report, Tel-Aviv
University, 1979.
DJ01. Ivan Damgård and Mats Jurik. A generalisation, a simplification and some applications of Paillier’s
probabilistic public-key system. In Kwangjo Kim, editor, PKC 2001, volume 1992 of LNCS, pages
119–136. Springer, Heidelberg, February 2001.
FMS19. Nils Fleischhacker, Giulio Malavolta, and Dominique Schröder. Arithmetic garbling from bilinear
maps. In Kazue Sako, Steve Schneider, and Peter Y. A. Ryan, editors, ESORICS 2019, Part II,
volume 11736 of LNCS, pages 172–192. Springer, Heidelberg, September 2019.
Gal59. T Gallai. Clber extreme punkt und kantenmengen. Ann. Univ. Sci. Budapest, E6tv6s Sect. Math,
2, 1959.
GKP+ 13. Shafi Goldwasser, Yael Tauman Kalai, Raluca A. Popa, Vinod Vaikuntanathan, and Nickolai Zel-
dovich. Reusable garbled circuits and succinct functional encryption. In Dan Boneh, Tim Rough-
garden, and Joan Feigenbaum, editors, 45th ACM STOC, pages 555–564. ACM Press, June 2013.
Hea24. David Heath. Efficient arithmetic in garbled circuits. 2024. https://eprint.iacr.org/2024/139.
HVDH21. David Harvey and Joris Van Der Hoeven. Integer multiplication in time o(nlog\,n). Annals of
Mathematics, 193(2):563–617, 2021.
HY24. Carmit Hazay and Yibin Yang. Toward malicious constant-rate 2pc via arithmetic garbling. 2024.
https://eprint.iacr.org/2024/283.
LL24. Hanjun Li and Tianren Liu. How to garble mixed circuits that combine boolean and arithmetic
computations. 2024. https://eprint.iacr.org/2023/1584.
Mur91. Owen Murphy. Lower bounds on the stability number of graphs computed in terms of degrees.
Discrete Mathematics, 90(2):207–211, 1991.
OSY21. Claudio Orlandi, Peter Scholl, and Sophia Yakoubov. The rise of paillier: Homomorphic secret
sharing and public-key silent OT. In Anne Canteaut and François-Xavier Standaert, editors,
EUROCRYPT 2021, Part I, volume 12696 of LNCS, pages 678–708. Springer, Heidelberg, October
2021.

27
Pai99. Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Jacques
Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 223–238. Springer, Heidelberg, May
1999.
RS21. Lawrence Roy and Jaspal Singh. Large message homomorphic secret sharing from DCR and
applications. In Tal Malkin and Chris Peikert, editors, CRYPTO 2021, Part III, volume 12827 of
LNCS, pages 687–717, Virtual Event, August 2021. Springer, Heidelberg.
Wei81. Victor K Wei. A lower bound on the stability number of a simple graph, 1981.
Yao82. Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In 23rd FOCS,
pages 160–164. IEEE Computer Society Press, November 1982.

28