This study investigates whether the public topology of gate-hiding garbled circuits alone is sufficient to recover the hidden functionality, thereby exposing a practical threat to functional privacy through topological leakage. To this end, the authors propose a SAT-based function recovery attack that integrates compositional, topology-preserving formal simplification theorems with an incremental solving strategy, substantially reducing the search space. Experimental evaluations on ISCAS benchmarks, secure computation circuits, and fault-tolerant sensor fusion architectures demonstrate that the method efficiently reconstructs complex circuit functionalities within practical timeframes, achieving up to a 159× speedup over baseline approaches. This work provides the first evidence that topological information alone can effectively enable reverse engineering of concealed logic.

Semi-Private Function Evaluation enables joint computation while protecting both input data and function logic. A practical instantiation is gate-hiding garbled circuits, which conceal gate functionalities while revealing the circuit topology. Existing security definitions intentionally exclude leakage through circuit topology, leaving the concrete impact of such leakage on function privacy insufficiently understood. We analyze the empirical security of gate hiding under two adversarial models that capture realistic computational capabilities. We present a SAT-based function-recovery attack that reconstructs hidden gate operations from a circuit's public topology. To enable recovery on larger and more complex circuits, we develop an incremental SAT-solving framework combined with a set of composable, topology-preserving simplification theorems. These techniques jointly reduce the SAT instance size and progressively constrain the search space across repeated solving iterations. We evaluate our attack on ISCAS benchmarks, representative secure computation circuits, and fault-tolerant sensor fusion circuits under a fixed 24-hour recovery budget. Compared to baseline approaches, our optimized attack achieves up to a 159-fold speedup in recovery time without increasing the number of oracle queries. Our results demonstrate that topology leakage alone can enable effective function recovery in practice.