# BMR

Created by Beaver, Micali, and Rogaway in 1990, the BMR protocol is an multi-party computation (MPC) for boolean circuits for greater than 2 parties. It extends upon the core concept of Yao’s Garbled Circuits with its garbled tables and also carries a constant communication cost similar to Yao’s. Note that explanations online on the specifics of the protocol vary due to the more conceptual nature of the [original paper](https://www.cs.ucdavis.edu/~rogaway/papers/bmr90), so we will focus mostly on the explanation outlined [here](https://securecomputation.org/docs/ch3-fundamentalprotocols.pdf). It is heavily recommended you read [Yao's Garbled Circuits ](https://fractalyze.gitbook.io/intro/~/revisions/GBuVDfZJZBNDtoleSgnx/mpc/yaos-garbled-circuits)as a prerequisite.

## Definitions

Let’s start with the basics: the definitions. 

### A wire sublabel for a given value, gate, and party:

$$
w^{b}*{i,j} = \left( k^{b}*{i,j}, p^{b}*{i,j} \right) \in*{\mathbb{R}} {0,1}^{\kappa+1}
$$

$$w$$ = the wire\
$$b$$ = the true value of the wire (0 or 1)\
$$i$$ = the unique wire ID\
$$j$$ = the unique party ID\
$$k$$ = the key to a given value of the wire (length $$\kappa$$)\
$$p$$ = the pointer bit of the given value of the wire (length 1)

Thus, the wire sublabel for a gate by a given party is a set of $$\kappa + 1$$ random bits, $$\kappa$$ of which are the key bits corresponding to a value and 1 of which is the pointer bit used later for shuffling the encrypted tables. Additionally note that the final wire label $$w\_i^b = w\_{i,1}^b || w\_{i,2}^b || \cdots || w\_{i,n-1}^b || w\_{i,n}^b$$, where 1 to $$n$$ denote the parties.

#### More on Pointer Bits

Let’s expand some more on pointer bits. Each party holds a pointer bit share for a wire’s input value. Additionally, all parties’ pointer bit shares are XOR-ed together should create the final desired pointer bit for that wire input value. AKA $$p\_a^0 = p\_{a,1}^0 \oplus p\_{a,2}^0 \oplus p\_{a,3}^0 \oplus \dots \oplus p\_{a,n}^0$$ where $$p\_a^0$$  is the pointer bit for input value 0 on wire $$a$$ and 1 to $$n$$ are the parties. Subsequently, the pointer bit for the opposite input value should be the opposite bit (AKA $$p\_a^1 = 1- p\_a^0$$ or $$p\_a^1 \oplus p\_a^0 = 1$$)

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeTAKg-kfXlLSBS3suAd005dIvxYTCIV_wOaLx-KxJW1RiwU5L4QJAfgPveVC0HKIN-c6XnxsFBQAahAd0L2g-Yh3F00prL08AVnr7V3BqOmdrVO_gwxK4ZtRCgWzJDRIemIAii4OwXhz_3cpXCqKw?key=-khGs0T8zP29k5iyMMtkN113" alt=""><figcaption><p>The pointer bits for a given gate with 3 wires a, b, and c</p></figcaption></figure>

### Each party’s underlying-MPC input per wire $$w$$:

$$
I\_{i,j} = \left( F(i, w\_{i,j}^{0}), F(i, w\_{i,j}^{1}), p\_{i,j}^{0}, f\_{i,j} \right)
$$

$$I$$ = the gate input\
$$F$$ = A pseudo-random function (PRF) defined as the following:

$$
F : id, {0,1}^{\kappa+1} \mapsto {0,1}^{n \cdot (\kappa+1)}
$$

$$f$$ = the flip bit

For each gate, the input for each party will be the two PRFs of the gate index with the sublabels corresponding to input of 0 or 1, the pointer bit of the true input value, and the flip bit (more on this later).

### Naively encrypted row of table:

$$
e\_{v\_a, v\_b} = w^{v\_c}*{c} \bigoplus\limits*{j=1..n} \left( F(i, w^{v\_a}*{a,j}) \oplus F(i, w^{v\_b}*{b,j}) \right)
$$

$$e\_{v\_a, v\_b}$$ = encrypted row on input values $$v\_a$$ and $$v\_b$$\
$$v\_a$$ = value of input wire $$a$$\
$$v\_b$$ = value of input wire $$b$$\
$$v\_c$$ = value of output wire $$c$$

Note that the first subscript of the wires $$w$$ also indicate the wire ID, where $$a$$ and $$b$$ refer to the input wires of a given gate and $$c$$ refers to the output wire. Therefore, $$w\_c^{v\_c}$$ is the output label of wire $$c$$ of true output value $$v\_c$$, while $$w\_{a,j}^{v\_a}$$ is the sublabel for party $$j$$ of input wire $$a$$ with the true value $$v\_a$$. This encrypted row is a naive implementation not including the use of flip bits to further secure the encryption.

## Creating the Garbled Table Naively

Let’s take another look at the formula to naively creating the encrypted rows of our gate tables from the previous section:

$$
e\_{v\_a, v\_b} = w^{v\_c}*{c} \bigoplus\limits*{j=1..n} \left( F(i, w^{v\_a}*{a,j}) \oplus F(i, w^{v\_b}*{b,j}) \right)
$$

With the 4 possible permutations of $$v\_a$$ and $$v\_b$$ , we get the 4 rows as follows for an AND gate:

$$
\begin{aligned}
e\_{0,0} &= w\_c^{0} \oplus \left\[ F(i, w\_{a,1}^{0}) \oplus F(i, w\_{b,1}^{0}) \right] \oplus \dots \oplus \left\[ F(i, w\_{a,n}^{0}) \oplus F(i, w\_{b,n}^{0}) \right] \\
e\_{0,1} &= w\_c^{0} \oplus \left\[ F(i, w\_{a,1}^{0}) \oplus F(i, w\_{b,1}^{1}) \right] \oplus \dots \oplus \left\[ F(i, w\_{a,n}^{0}) \oplus F(i, w\_{b,n}^{1}) \right] \\
e\_{1,0} &= w\_c^{0} \oplus \left\[ F(i, w\_{a,1}^{1}) \oplus F(i, w\_{b,1}^{0}) \right] \oplus \dots \oplus \left\[ F(i, w\_{a,n}^{1}) \oplus F(i, w\_{b,n}^{0}) \right] \\
e\_{1,1} &= w\_c^{1} \oplus \left\[ F(i, w\_{a,1}^{1}) \oplus F(i, w\_{b,1}^{1}) \right] \oplus \dots \oplus \left\[ F(i, w\_{a,n}^{1}) \oplus F(i, w\_{b,n}^{1}) \right]
\end{aligned}
$$

Note that the output labels are defined as such as well:

$$
\begin{aligned}
w\_c^{0} &= w\_{c,1}^{0} \parallel \dots \parallel w\_{c,n}^{0} \parallel p\_c^{0} \\
w\_c^{1} &= w\_{c,1}^{1} \parallel \dots \parallel w\_{c,n}^{1} \parallel p\_c^{1}
\end{aligned}
$$

Similar to Yao’s, we now “garble” the table. For example, if $$p\_a^0 = 1$$, $$p\_b^1 = 0$$ meaning $$p\_a^1 = 0$$, $$p\_b^0 = 1$$, our table is shuffled as so:

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfoEVSh5OBc1sJROR9wKj-Jqwc59ucrPFfcC3EBle1K4IaiYpwybNspkZHgkd5TTiE4L-d6WyQMc0hbv582hDgYSxbfAZK_vCFKh_Yc43mODFrqdODU1jOlcttScQeI0_JmPuHFMLcC2CLFvBVxSRo?key=-khGs0T8zP29k5iyMMtkN113" alt=""><figcaption><p>Shuffling of encrypted table</p></figcaption></figure>

Now, this is the naive way to create a garbled encrypted table; however, a major flaw that exposes the input values to the evaluator can occur. To prevent this information from being leaked, we use “flip bits.”

TODO(ashjeong): Add explanation of a possible attack for this naive case.

## Creating the Garbled Table Securely with Flip Bits

Flip bits obscure the true input values for the evaluator. Similar to pointer bits, each party creates their own flip bit share for each wire such that for a given wire, the total flip bit is  or all flip bit shares XOR-ed together. Since wire labels and PRF functions result in random strings that are consistent across a binary value, switching the correlations of said labels to their opposite value is fine. Therefore, we instead **encrypt rows** of the encrypted table while obscuring input values with flip bits as shown below:

$$
e\_{v\_a, v\_b} = w\_c^{v\_c \oplus f\_c} \bigoplus\limits\_{j=1..n} \left( F(i, w\_{a,j}^{v\_a \oplus f\_a}) \oplus F(i, w\_{b,j}^{v\_b \oplus f\_b}) \right) \\
$$

Ex. $$f\_a = 0$$, $$f\_b = 1$$, $$f\_c = 1$$ for an AND gate:

$$
\begin{aligned}
e\_{0,0} &= w\_c^{0 \oplus 1} \oplus \left\[ F(i, w\_{a,1}^{0 \oplus 0}) \oplus F(i, w\_{b,1}^{0 \oplus 1}) \right] \oplus \dots \oplus \left\[ F(i, w\_{a,n}^{0 \oplus 0}) \oplus F(i, w\_{b,n}^{0 \oplus 1}) \right]  \\
e\_{0,1} &= w\_c^{0 \oplus 1} \oplus \left\[ F(i, w\_{a,1}^{0 \oplus 0}) \oplus F(i, w\_{b,1}^{1 \oplus 1}) \right] \oplus \dots \oplus \left\[ F(i, w\_{a,n}^{0 \oplus 0}) \oplus F(i, w\_{b,n}^{1 \oplus 1}) \right]  \\
e\_{1,0} &= w\_c^{0 \oplus 1} \oplus \left\[ F(i, w\_{a,1}^{1 \oplus 0}) \oplus F(i, w\_{b,1}^{0 \oplus 1}) \right] \oplus \dots \oplus \left\[ F(i, w\_{a,n}^{1 \oplus 0}) \oplus F(i, w\_{b,n}^{0 \oplus 1}) \right]  \\
e\_{1,1} &= w\_c^{1 \oplus 1} \oplus \left\[ F(i, w\_{a,1}^{1 \oplus 0}) \oplus F(i, w\_{b,1}^{1 \oplus 1}) \right] \oplus \dots \oplus \left\[ F(i, w\_{a,n}^{1 \oplus 0}) \oplus F(i, w\_{b,n}^{1 \oplus 1}) \right]
\end{aligned}
$$

If the flip bit of a wire is 0 such as for wire a shown above, the wire sublabels refer to their corresponding input value (e.g. $$w\_{a,1}^1$$ refers to input value 1). Else, if the flip bit is 1 as in wire $$b$$ above, the wire sublabel refers to the opposite input value (e.g. $$w\_{b,1}^0$$ refers to input value 1).

Flip bits introduce more constrained chaos to prevent values from being exposed. Only 4 possible label permutations of each wire $$a$$, $$b$$, and $$c$$ for its 4 possibilities of input values exist when not using flip bits, yet with its inclusion, the total number of label permutations jumps to 32. Take a look below showing off all possible label permutations for a single input case of a AND gate where the inputs are 1.

<figure><img src="https://755218234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Frwz1ZAZJtK5FHz4Y1esA%2Fuploads%2Fs7TzPwteEeIQMXwTynnG%2FScreenshot%202025-02-19%20at%206.28.55%E2%80%AFPM.png?alt=media&#x26;token=c1720160-3b60-4dcd-80c5-d360a0dc6323" alt=""><figcaption><p>AND gate possibilities for (1,1) -> 1</p></figcaption></figure>

## BMR Protocol Summary

All Parties:

1. Create their own keys for all possible wires values
2. Create their own pointer bit shares for each wire value (1 for each wire since the other can be simply calculated)
3. Create their own flip bit shares for each wire

For n-MPC:

4. Receive parties’s private input bits
5. Receive MPC inputs of each party  $$I\_{i,j}$$
6. For each gate
   1. Compute total flip bits $$f$$ for each wire
   2. Compute total pointer bits $$p$$ for each wire value
   3. Create the garbled table

One party who is set to be the evaluator:

7. Receive the garbled tables and active wire labels
8. Evaluate garbled circuit re-creating the garbled inputs themselves

## References

* <https://securecomputation.org/docs/ch3-fundamentalprotocols.pdf>
* <https://eprint.iacr.org/2016/1066.pdf>
* <https://www.cs.ucdavis.edu/~rogaway/papers/bmr90>

> Written by [Ashley Jeong](https://app.gitbook.com/u/PNJ4Qqiz7kSxSs58UIaauk95AO43 "mention") of Fractalyze