feat(garble): randomize gate id

[themighty1]

This PR implements gate randomization for garbling.

The rationale for it is discussed #7

[th4s]

lgtm 👍

[th4s]

This can be Copy, then we do not need to clone it.

Suggested change

	#[derive(Debug, Clone, Serialize, Deserialize)]
	#[derive(Debug, Clone, Copy, Serialize, Deserialize)]

[sinui0]

I don't think I'm a fan of this change. Reading that paper the issue is the re-use of a tweak (gid). So the task is to ensure that a tweak is never reused. Rather than picking a starting gid for each circuit, I would prefer to maintain a global counter.

[themighty1]

@sinui0, can you elaborate how a global counter would work?
( keeping in mind that gid must be unique even across multiple independent sessions)

[sinui0]

keeping in mind that gid must be unique even across multiple independent sessions

This is not clear to me, I'll need a definition of "session". The paper highlights an attack for recovering R (i.e. Δ) when the tweaks are reused. We never use the same Δ with multiple garbler instances.

It seems to me it is sufficient to maintain the counter per VM instance (what I meant by global) not per circuit. The circuit boundary is unnecessary, we just need to maintain a counter for the total number of AND gates garbled, which can start at 1 and be maintained implicitly by both parties.

If we really want to keep the randomization to mitigate the attack when a Δ is accidentally reused with multiple VMs, we could randomize the initial global counter.

[themighty1]

I see, you are suggesting randomizing the initial gate id and then incrementing per VM instance. That should work.

(the attack works even if different deltas are used across multiple circuits #7 (comment) )

[themighty1]

Closed in favour of #348