Reuse It Or Lose It: More Efficient Secure Computation Through Reuse of Encrypted Values

Two-party secure function evaluation (SFE) has become significantly more feasible, even on resource-constrained devices, because of advances in server-aided computation systems. However, there are still bottlenecks, particularly in the input validation stage of a computation. Moreover, SFE research has not yet devoted sufficient attention to the important problem of retaining state after a computation has been performed so that expensive processing does not have to be repeated if a similar computation is done again. This paper presents PartialGC, an SFE system that allows the reuse of encrypted values generated during a garbled-circuit computation. We show that using PartialGC can reduce computation time by as much as 96% and bandwidth by as much as 98% in comparison with previous outsourcing schemes for secure computation. We demonstrate the feasibility of our approach with two sets of experiments, one in which the garbled circuit is evaluated on a mobile device and one in which it is evaluated on a server. We also use PartialGC to build a privacy-preserving “friend finder” application for Android. The reuse of previous inputs to allow stateful evaluation represents a new way of looking at SFE and further reduces computational barriers.

💡 Research Summary

The paper introduces PartialGC, a practical system that enables the reuse of encrypted wire values generated during garbled‑circuit based two‑party secure function evaluation (2‑P‑SFE). Traditional outsourced SFE schemes, such as the CMTB protocol, require a full recomputation and fresh input validation for every execution, which becomes a severe bottleneck on resource‑constrained devices like smartphones. Moreover, existing garbled‑circuit frameworks lack any notion of state: intermediate results cannot be saved and later used as inputs for subsequent computations.

PartialGC solves both problems by allowing the evaluator (or a cloud service acting on its behalf) to store the encrypted output labels (partial outputs) after a computation and to feed them back as encrypted inputs (partial inputs) for a new garbled circuit. The key technical contribution is the construction of “partial input gates.” For each wire, the generator creates a mapping Δ = w_{t‑1} ⊕ w_t, where w_{t‑1} is the saved label from the previous run and w_t is the label required in the new circuit. The evaluator, possessing w_{t‑1}, obtains Δ from the generator and computes w_t = w_{t‑1} ⊕ Δ, thus obtaining a valid input label without learning any underlying plaintext.

To protect against malicious behavior, PartialGC incorporates a verifiable mapping mechanism. The generator commits to the Δ values before the cut‑and‑choose selection of evaluation and check circuits, and the evaluator runs dedicated check sub‑circuits that confirm the correctness of each Δ. This prevents selective‑failure attacks and ensures that a malicious generator cannot trick the evaluator into accepting malformed inputs. The protocol assumes a standard non‑collusion model: the cloud may be malicious but does not collude with either the generator or the evaluator, and at most one of the three parties can be malicious.

PartialGC builds on the CMTB protocol, adding the sS13 improved input‑validation technique to reduce the number of oblivious transfers and hash checks required during the input‑consistency phase. By moving the storage of intermediate values to the cloud, multiple distinct evaluator devices (e.g., different smartphones) can participate in a long‑running computation without each having to retain the state locally.

The authors implemented a prototype consisting of an Android client, a cloud server, and a generator component. Experiments were conducted in two settings: (1) a mobile scenario where the garbled circuit is evaluated on an Android phone with the cloud handling most of the heavy lifting, and (2) a server‑side scenario where both parties are powerful machines. Results show up to a 96 % reduction in total execution time and up to a 98 % reduction in bandwidth compared with the baseline CMTB approach. The performance gains are primarily due to eliminating repeated input validation and avoiding the transmission of large one‑time pads for each new execution.

To demonstrate real‑world applicability, the authors built a privacy‑preserving “friend finder” application. Users periodically upload encrypted location updates; the cloud stores the encrypted intermediate values, and each new proximity check reuses these values as inputs to a fresh garbled circuit that determines whether two users are in the same map cell, all without revealing raw locations to any party.

In summary, PartialGC is the first practical protocol that enables interactive I/O and stateful computation in the middle of a cut‑and‑choose garbled‑circuit protocol. It dramatically reduces the computational and communication overhead of outsourced SFE, opening the door for privacy‑preserving applications on mobile and IoT devices. Future work includes extending the approach to multi‑party settings, fully malicious security without the non‑collusion assumption, and integrating with ORAM or other secure storage primitives for large‑scale data processing.