Suppose we have a circuit which outputs a SHA-256 hash of a concatenation of Alice's input and Bob's input (where Alice is the garbler and Bob is the evaluator).
I am trying to understand what methods Alice can resort to when garbling the circuit maliciously to leak at least one bit of Bob's input into the output. (It is not as important in my case that the circuit's output will be wrong, only that Bob's input is not leaked.)
Examining the source code of JIGG I see that Bob receives from Alice garbled truth tables for all AND gates in the circuit. He does not need the truth tables for the XOR gates (because of FreeXOR, I assume).
Am I correct in assuming that "rigging" the AND truth table is the only wiggle room for Alice to influence the output? Can it be rigged to always output e.g. 0 regardless of the input wires to the AND gate?
I did read the whole chapter "Malicious Security" of Pragmatic MPC but it does not cover my specific question, only mentions in passing "The output of the maliciously-generated garbled circuit may leak more than P2 has agreed to reveal (for instance, P2's entire input)."
The book then proceeds to explain how to defend against malicious garbling; it does not explain how exactly the garbler can rig the circuit to leak inputs.
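An added example, not part of the original post and not JIGG's code: a single garbled gate as the evaluator sees it, and the check an evaluator can run once the garbler opens both labels of every wire (the idea behind cut-and-choose defences). It assumes classical four-row garbling with SHA-256 as the key-derivation function and a zero tag to recognise the right row; all function names and the constructed constant-0 gate are hypothetical.

```python
import hashlib
import itertools
import os

LABEL_LEN = 16
TAG = b"\x00" * 16  # redundancy so the correctly decrypted row is recognisable

def kdf(la: bytes, lb: bytes, gate_id: int) -> bytes:
    """Derive a 32-byte one-time pad from the two input wire labels."""
    return hashlib.sha256(la + lb + gate_id.to_bytes(4, "big")).digest()

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def garble_gate(a, b, c, truth, gate_id=0):
    """a, b, c are (label_for_0, label_for_1) per wire; truth maps (x, y) -> bit."""
    rows = [xor(kdf(a[x], b[y], gate_id), c[truth[x, y]] + TAG)
            for x, y in itertools.product((0, 1), repeat=2)]
    rows.sort()  # ciphertexts look random, so sorting hides the row order
    return rows

def evaluate(rows, la, lb, gate_id=0):
    """Evaluator's view: one label per input wire decrypts exactly one row."""
    pad = kdf(la, lb, gate_id)
    for row in rows:
        plain = xor(pad, row)
        if plain[LABEL_LEN:] == TAG:
            return plain[:LABEL_LEN]
    raise ValueError("no row decrypts under these labels")

def opened_truth_table(rows, a, b, c, gate_id=0):
    """Check gate: with every label opened, recover the function really encoded."""
    return {(x, y): c.index(evaluate(rows, a[x], b[y], gate_id))
            for x, y in itertools.product((0, 1), repeat=2)}

AND = {(x, y): x & y for x in (0, 1) for y in (0, 1)}
CONST0 = {(x, y): 0 for x in (0, 1) for y in (0, 1)}  # constructed bad gate

def new_wire():
    return (os.urandom(LABEL_LEN), os.urandom(LABEL_LEN))

def demo():
    a, b, c = new_wire(), new_wire(), new_wire()
    honest = garble_gate(a, b, c, AND)
    rigged = garble_gate(a, b, c, CONST0)
    # Each entry: does the opened gate match the agreed AND function?
    return (opened_truth_table(honest, a, b, c) == AND,
            opened_truth_table(rigged, a, b, c) == AND)
```

During evaluation `evaluate` returns one opaque 16-byte label for either table, so the evaluator cannot tell from a single run which function a gate encodes; only the opened check exposes the difference.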