Actively Secure Half-Gates with Minimum Overhead under Duplex Networks

Cui, Hongrui; Wang, Xiao; Yang, Kang; Yu, Yu

doi:10.1007/s00145-025-09539-4

Actively Secure Half-Gates with Minimum Overhead under Duplex Networks

Research Article
Open access
Published: 26 February 2025

Volume 38, article number 19, (2025)
Cite this article

Download PDF

You have full access to this open access article

Journal of Cryptology Aims and scope Submit manuscript

Actively Secure Half-Gates with Minimum Overhead under Duplex Networks

Download PDF

546 Accesses
Explore all metrics

Abstract

Actively secure two-party computation (2PC) is one of the canonical building blocks in modern cryptography. One main goal for designing actively secure 2PC protocols is to reduce the communication overhead, compared to semi-honest 2PC protocols. In this paper, we make significant progress in closing this gap by proposing two new actively secure constant-round 2PC protocols, one with one-way communication of $2\kappa +5$ bits per AND gate (for $\kappa $-bit computational security and any statistical security) and one with total communication of $2\kappa +\rho +5$ bits per AND gate (for $\rho $-bit statistical security). In particular, our first protocol essentially matches the one-way communication of semi-honest half-gates protocol. Our optimization is achieved by three new techniques:

1.
The recent compression technique by Dittmer et al. (Crypto 13510:57–87, 2022) shows that a relaxed preprocessing is sufficient for authenticated garbling that does not reveal masked wire values to the garbler. We introduce a new form of authenticated bits and propose a new technique of generating authenticated AND triples to reduce the one-way communication of preprocessing from $5\rho +1$ bits to 2 bits per AND gate for $\rho $-bit statistical security.
2.
Unfortunately, the above compressing technique is only compatible with a less compact authenticated garbled circuit of size $2\kappa +3\rho $ bits per AND gate. We designed a new authenticated garbling that does not use information-theoretic MACs but rather dual execution without leakage to authenticate wire values in the circuit. This allows us to use a more compact half-gates based authenticated garbled circuit of size $2\kappa +1$ bits per AND gate, and meanwhile keep compatible with the compression technique. Our new technique can achieve one-way communication of $2\kappa +5$ bits per AND gate.
3.
In terms of total communication, we notice that the communication overhead of the consistency checking method by Dittmer et al. (Crypto 13510:57–87, 2022) can be optimized by adding one-round of interaction and utilizing the Free-XOR property. This reduces the online communication from $2\kappa +3\rho $ bits down to $2\kappa +\rho +1$ bits per AND gate. Combined with our first contribution, this yields total amortized communication of $2\kappa +\rho +5$ bits.

Actively Secure Half-Gates with Minimum Overhead Under Duplex Networks

Efficient Multi-party Computation: From Passive to Active Security via Secure SIMD Circuits

Communication-Efficient (Client-Aided) Secure Two-Party Protocols and Its Application

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

1 Introduction

Based on garbled circuits (GCs) [48], constant-round secure two-party computation (2PC) has obtained huge practical improvements in recent years in both communication [5, 34, 39, 49] and computation [6, 26, 27]. However, compared to passively secure (a.k.a., semi-honest) 2PC protocols, their actively secure counterparts require significant overhead. Building upon the authenticated garbling framework [33, 40, 41, 46] and, more generally, working in the BMR family [5, 28, 30, 35, 36], the most recent work by Dittmer, Ishai, Lu and Ostrovsky [19] (denoted as DILO hereafter) is able to bring down the communication cost to $2\kappa +8\rho +O(1)$ bits per AND gate, where $\kappa $ and $\rho $ are the computational and statistical security parameters, respectively.

Although huge progress, there is still a gap between actively secure and passively secure 2PC protocols based on garbled circuits. In particular, the size of a garbled circuit has been recently reduced from $2\kappa $ bits (half-gates [49]) to $1.5\kappa $ bits (three halves [39]) per AND gate, while even the latest authenticated garbling cannot reach the communication efficiency of half-gates. It is possible to close this gap between active and passive security using the GMW compiler [25], and its concrete efficiency was studied in [1]. However, it requires non-black-box use of the underlying garbling scheme and thus requires prohibitive overhead.

Bringing down the cost of authenticated garbling at this stage requires overcoming several challenges. First of all, we need the authenticated GC itself to be as small as the underlying GC construction. This could be achieved for half-gates as Katz et al. [33] (denoted as KRRW hereafter) proposed an authenticated half-gates construction in the two-party setting. However, when it comes to three halves, there is no known construction. These authenticated GCs are usually generated in some preprocessing model, and thus the second challenge is to instantiate the preprocessing with only constant additive overhead. Together with recent works on pseudorandom correlation generators (PCGs) [9,10,11, 15, 47], Katz et al. [33] can achieve $O(\kappa )$ bits per AND gate, while Dittmer et al. [19] can achieve $O(\rho )$ bits per AND gate. However, the latest advancement by Dittmer et al. [19] is not compatible with the optimal authenticated half-gates construction and requires an authenticated GC of size $2\kappa +3\rho $ bits per AND gate.

1.1 Our Contribution

Table 1 Comparing our protocol with prior works in terms of round and communication complexity

Full size table

We make significant progress in closing the communication gap between passive and active GC-based 2PC protocols. We first propose an actively secure 2PC protocol with constant rounds and one-way communication essentially the same as the half-gates 2PC protocol in the semi-honest setting. Toward two-way communication, we optimize the consistency checking protocol in DILO (which is an optimized WRK checking protocol [40] with amortized $3\rho $ bits overhead) and reduce the consistency checking overhead down to $\rho $ bits per AND gate as compared to the semi-honest half-gates protocol.

1.
We manage to securely instantiate the preprocessing phase with O(1) bits per AND gate. Our starting point is the compression technique by Dittmer et al. [19], who showed that in authenticated garbling, the random masks of the evaluator need not be of full entropy and can be compressed with entropy sublinear to the circuit size. This observation leads to an efficient construction from vector oblivious linear evaluation (VOLE) to the desired preprocessing functionality. This reduces the communication overhead of preprocessing to $5\rho + 1$ bits per AND gate. To further reduce their communication, we introduce a new tool called “dual-key authentication.” Intuitively this form of authentication allows two parties to commit to a value that can later be checked against subsequent messages by both parties. Together with a new technique of generating authenticated AND triples from correlated oblivious transfer (COT), we avoid the $\rho $-time blow-up of the DILO protocol, and the one-way communication cost is reduced to 2 bits per AND gate.
2.
As mentioned earlier, the above compression technique is not compatible with KRRW authenticated half-gates; this is because the compression technique requires that the garbler does not learn the masked values since the entropy of wire masks provided by the evaluator is low. We observe that the dual-execution protocol [31, 32] can essentially be used for this purpose, and it is highly compatible with the authenticated garbling technique. In particular, the masked value of each wire is implicitly authenticated by the garbled label. Therefore, we can perform two independent executions and check the actual value of each wire against each other. Since every wire is checked, we are able to eliminate the 1-bit leakage in ordinary dual-execution protocols. The overall one-way communication is $2\kappa + 5$ bits per AND gate.
3.
Toward total communication, we optimize the consistency checking procedure in WRK [40], resulting in a consistency checking protocol compatible with the compression technique [19] with amortized communication of $\rho $ bits, which may be of independent interest. Recall that in WRK we use an additional garbled circuit to evaluate the MAC tag of the masked output wire value for each AND gate. First of all, we notice that in the secure computation scenario, we can settle for evaluating the secret sharing of the MAC tags, whose consistency can be verified using equality checking. This reduces $\rho $ bits of communication. Moreover, notice that 1) we can perform batched MAC checking by checking the random linear combination of all AND gates, and 2) in Free-XOR compatible garbled circuits, the masked wire values of each wire is a public linear combination of previous AND gate outputs and circuit inputs. By changing the summation order, only one multiplication is needed per AND gate and input wire. Together with the distributed half-gate garbling scheme [33] and our preprocessing protocol, we get a circuit evaluation protocol with total amortized communication of $2\kappa + \rho + 5$ bits.

We provide a detailed comparison of our protocol with the literature in Table 1. Notice that in terms of amortized one-way communication, we achieve constant additive overhead (5 bits per AND gate) as compared to the semi-honest half-gates protocol, while for amortized two-way communication, the overhead is $\rho + 4$ bits. Under full-duplex networks (e.g., most wired communication) where communication in both directions can happen simultaneously, the one-way communication is more relevant and the first variant of our protocol effectively imposes no slow down compared to semi-honest half-gates. Nevertheless, even our two-way communication is minimal in the literature; for half-duplex networks (e.g., most wireless communication), we still cannot achieve the same desirable constant additive overhead in communication.

The DILOv2 protocol builds upon doubly authenticated multiplication triples [19]. Compared to DILO, the DILOv2 protocol is less efficient, as DILOv2 requires quasi-linear computational complexity. The reason is that the current instantiation of such doubly authenticated multiplication triples PCG based on Ring-LPN [12] is not on the same efficiency level as the random COT/VOLE PCGs. Moreover, DILOv2 can only generate authenticated triples over $\mathbb {F} _{2^\rho } $, while authenticated garbling requires triples over $\mathbb {F}_2$. This incurs a $\rho $-time overhead when utilizing such triples.

We also would like to stress that our protocol achieves adaptive security without relying on the random oracle model while all previous authenticated garbling protocols with adaptive security [19, 30, 33, 40] need the random oracle model.

2 Preliminaries

2.1 Notation

We use $\kappa $ and $\rho $ to denote the computational and statistical security parameters, respectively. We use $\log $ to denote logarithms in base 2. We write $x \leftarrow S$ to denote sampling x uniformly at random from a finite set S. We define $[a,b)=\{a,\dots , b-1\}$ and write $[a,b]=\{a, \dots , b\}$. We denote $ [n] = [1, n] $. We use bold lower-case letters like ${\varvec{a}}$ for column vectors, and bold upper-case letters like $\textbf{A}$ for matrices. We let $a_i$ denote the i-th component of ${\varvec{a}}$ (with $a_1$ the first entry) and $A_{i,j}$ denote the entry on the i-th row and j-th column of $\textbf{A}$. We use $\{x_i\}_{i \in S}$ to denote the set that consists of all elements with indices in set S. When the context is clear, we abuse the notation and use $\{x_i\}$ to denote such a set. For a string x, we use $\textsf{lsb} (x)$ to denote the least significant bit (LSB) and $\textsf{msb} (x)$ to denote the most significant bit (MSB).

For an extension field $\mathbb {F} _{2^\kappa } $ of a binary field $\mathbb {F} _2$, we fix some monic, irreducible polynomial f(X) of degree $\kappa $ and then write $\mathbb {F} _{2^\kappa } \cong \mathbb {F} _2[X]/f(X)$. Thus, every element $x \in \mathbb {F} _{2^\kappa } $ can be denoted uniquely as $x = \sum _{i \in [0,\kappa )} x_i \cdot X^i$ with $x_i \in \mathbb {F} _2$ for all $i \in [0,\kappa )$. We could view elements over $\mathbb {F} _{2^\kappa } $ equivalently as vectors in $\mathbb {F} _2^\kappa $ or strings in ${{\{0,1\}}^{\kappa }} $, and consider a bit $x \in \mathbb {F} _2$ as an element in $\mathbb {F} _{2^\kappa } $. Depending on the context, we use ${{\{0,1\}} } ^{\kappa }$, $\mathbb {F} _2^{\kappa }$ and $\mathbb {F} _{2^{\kappa }}$ interchangeably, and thus addition in $\mathbb {F} _2^{\kappa }$ and $\mathbb {F} _{2^{\kappa }}$ corresponds to XOR in ${{\{0,1\}} } ^{\kappa }$. We also define two macros to convert between $\mathbb {F} _{2^\kappa }$ and $\mathbb {F} _2^{\kappa }$.

$x \leftarrow \textsf{B2F} ({\varvec{x}})$: Given ${\varvec{x}}=(x_0,...,x_{\kappa -1}) \in \mathbb {F} _2^\kappa $, output $x:= \sum _{i \in [0,\kappa )} x_i \cdot X^i \in \mathbb {F} _{2^\kappa } $.
${\varvec{x}}\leftarrow \textsf{F2B} (x)$: Given $x = \sum _{i \in [0,\kappa )} x_i \cdot X^i \in \mathbb {F} _{2^\kappa } $, output ${\varvec{x}}=(x_0,...,x_{\kappa -1}) \in \mathbb {F} _2^\kappa $.

A Boolean circuit $\mathcal {C} $ consists of a list of gates in the form of (i, j, k, T), where i, j are the indices of input wires, k is the index of output wire, and $T \in \{\oplus ,\wedge \}$ is the type of the gate. In the 2PC setting, we use $\mathcal {I} _\textsf{A}$ (resp., $\mathcal {I} _\textsf{B}$) to denote the set of circuit-input wire indices corresponding to the input of ${\mathsf{P_{A}}} $ (resp., ${\mathsf{P_{B}}} $). We also use $\mathcal {W} $ to denote the set of output wire indices of all AND gates, and $\mathcal {O} $ to denote the set of circuit-output wire indices in the circuit $\mathcal {C} $. We denote by $\mathcal {C} _\textsf{and} $ the set of all AND gates in the form of $(i, j, k, \wedge )$.

Our protocol in the two-party setting is proven secure against static and malicious adversaries in the standard simulation-based security model [13, 24]. We recall the security model, a relaxed equality-check functionality $\mathcal {F}_\mathsf {[}$ EQ] and the coin-tossing functionality $\mathcal {F}_\mathsf {[}$ Rand] in the Appendix and give a summary of the notations and macros used in our protocols in the full version [16].

2.2 Hash Functions

To instantiate our protocol without relying on the random oracle, we require different security properties for various hash functions that appear in our protocol. Here, we recall their definitions. For the circular correlation robust under naturally derived keys ($\textsf{ccrnd}$) and tweakable correlation robust ($\textsf{tcr}$) hash functions, we refer the work by Guo et al. [27] for the respective efficient instantiations in the random permutation model.

In addition to the conceptual benefit of working in a less idealized model, using $\textsf{ccrnd}$ and $\textsf{tcr}$ properties instead of the random oracle model also has an advantage in terms of performance. The random oracle model is usually instantiated by a cryptographic hash function (e.g., SHA256). On the other hand, the random permutation can be instantiated by fixed-key AES and according to the experiments in [27], the AES-based $\textsf{ccrnd}$ hash function (used in circuit garbling) is 13–45 times faster than SHA256.

Tweakable correlation robustness ($\textsf{tcr}$)

We first recall the tweakable correlation robustness property which is used in the reduction from string OT to correlated OT. The hash function has the syntax as $\textsf{H}: {{\{0,1\}} } ^\kappa \times {{\{0,1\}} } ^\kappa \rightarrow {{\{0,1\}} } ^\kappa $, where the first input is the hashed message while the second input is an index that ensures uniqueness of each hash function invocation. We recall the definitions as follows.

Definition 1

Let $\textsf{H}:{{\{0,1\}} } ^{2\kappa }\rightarrow {{\{0,1\}} } ^\kappa $ be a function, and let $\mathcal {R} $ be a distribution on ${{\{0,1\}} } ^\kappa $. For $\varDelta \in {{\{0,1\}} } ^\kappa $, define $\mathcal {O} ^{\textsf{tcr}}_{\varDelta } (x,i) = \textsf{H} (x \oplus \varDelta , i) $. For a distinguisher $\textsf{D} $, we define the following advantage

$$\begin{aligned} \textsf{Adv} _{\textsf{H}, \mathcal {R}}^{\textsf{tcr}}:= \left| \Pr _{\varDelta \leftarrow \mathcal {R}} [\textsf{D} ^{\mathcal {O} ^{\textsf{tcr}}_{\varDelta } (\cdot )}(1^\kappa ) = 1] - \Pr _{f \leftarrow \mathcal {F} _{2\kappa , \kappa }} [\textsf{D} ^{f (\cdot )} (1^\kappa ) = 1] \right| \hspace{5.0pt}, \end{aligned}$$

where $\mathcal {F} _{2\kappa , \kappa }$ denotes the set of all functions mapping $2\kappa $-bit inputs to $\kappa $-bit outputs. We call $\textsf{H} $ $(t,q,\rho ,\epsilon )$-tweakable correlation robust if for all $\textsf{D} $ running in time t and making at most q queries to the oracle and all $\mathcal {R} $ with min-entropy at least $\rho $, it holds that $\textsf{Adv} _{\textsf{H}, \mathcal {R}}^{\textsf{tcr}} \le \epsilon $.

(Circular) correlation robustness under naturally derived keys ($\textsf{ccrnd}$). We require that the hash function $\textsf{H} $ ensures the privacy property in the garbling scheme. During garbling, the queries of $\textsf{H} $ are not adversarially chosen, but generated by the honest party in the garbling process. Queries generated in this way are referred to as “naturally derived” in the literature [27, 49].

Definition 2

Let $\textsf{H}:{{\{0,1\}} } ^{2\kappa }\rightarrow {{\{0,1\}} } ^\kappa $ be a function, and let $\mathcal {R} $ be a distribution on ${{\{0,1\}} } ^\kappa $. For $\varDelta \in {{\{0,1\}} } ^\kappa $, define $\mathcal {O} ^{\textsf{ccrnd}}_{\varDelta } (x,i,b) = \textsf{H} (x \oplus \varDelta , i) \oplus b \cdot \varDelta $. A sequence of queries $\mathcal {Q} = (Q_1,...,Q_q)$ is natural if each query $Q_i$ with response $x_i$ is one of the following:

1.
$x_i \leftarrow {{\{0,1\}} } ^\kappa $.
2.
$x_i = x_{i_1} \oplus x_{i_2}$, where $i_i< i_2 < i$.
3.
$x_i = \textsf{H} (x_{i_1}, i) $, where $i_1 < i$.
4.
$x_i = \mathcal {O} (x_{i_1}, i, b) $, where $i_1 < i$.

Fix some natural sequence $\mathcal {Q} $ of length q. In the real-world experiment, denoted $\textbf{Real} _{\textsf{H},\mathcal {Q},\mathcal {R}}$, a key $\varDelta $ is sampled from $\mathcal {R} $ and then the oracle $\mathcal {O} $ in step 4, above, is set to $\mathcal {O} ^{\textsf{crnd}}$ (resp. $\mathcal {O} ^{\textsf{ccrnd}}$). In the ideal-world experiment, denoted $\textbf{Ideal} _{\textsf{H}, \mathcal {Q}}$, the oracle $\mathcal {O} $ is instead a function chosen uniformly from $\mathcal {F} _{2\kappa ,\kappa }$ (resp. $\mathcal {F} _{2\kappa +1,\kappa }$) ($\mathcal {F} _{n,m}$ denotes the set of all functions mapping n-bit inputs to m-bit outputs). Either experiment defines a distribution (determined by executing the operations in $\mathcal {Q} $ in order) over values $x_1,...,x_q$, which are output by the experiment.

For a distinguisher $\textsf{D} $, we define the following advantage and use superscript to differentiate the two cases.

$$\begin{aligned} \textsf{Adv} _{\textsf{H}, \mathcal {Q}, \mathcal {R}}:= \left| \Pr _{ \{ x_i \} \leftarrow \textbf{Real} _{\textsf{H},\mathcal {Q},\mathcal {R}} } [\textsf{D} ( \{ x_i \} ) = 1] - \Pr _{ \{ x_i \} \leftarrow \textbf{Ideal} _{\textsf{H}, \mathcal {Q}} } [\textsf{D} ( \{ x_i \} ) = 1] \right| \hspace{5.0pt}, \end{aligned}$$

We call $\textsf{H} $ $(t,q,\rho ,\epsilon )$-correlation robust (resp. circular correlation robust) for naturally derived keys if for all $\textsf{D} $ running in time t and all Q of length q, and all $\mathcal {R} $ with min-entropy at least $\rho $, it holds that $\textsf{Adv} _{\textsf{H}, \mathcal {Q}, \mathcal {R}}^{\textsf{crnd}} \le \epsilon $ (resp. $\textsf{Adv} _{\textsf{H}, \mathcal {Q}, \mathcal {R}}^{\textsf{ccrnd}} \le \epsilon $).

2.3 Information-Theoretic Message Authentication Codes

We use information-theoretic message authentication codes (IT-MACs) [7, 38] to authenticate bits or field elements in $\mathbb {F} _{2^\kappa } $. Specifically, let $\varDelta \in \mathbb {F} _{2^\kappa } $ be the global key of $\mathsf P_{A}$. We adopt the notation $[\![x]\!]_{\varDelta } = (\textsf{K}_\textsf{A} [x], \textsf{M}_\textsf{B} [x], x)$ to denote that an element $x \in \mathbb {F} $ (where $\mathbb {F} \in \{\mathbb {F} _2, \mathbb {F} _{2^\kappa }\}$) known by $\mathsf P_{B}$ is authenticated by the other party $\mathsf P_{A}$. Here, $\mathsf P_{A}$ holds the local key $\textsf{K}_\textsf{A} [x] \in \mathbb {F} _{2^\kappa }$, while $\mathsf P_{B}$ holds the tag $\textsf{M}_\textsf{B} [x] = \textsf{K}_\textsf{A} [x] + x \cdot \varDelta \in \mathbb {F} _{2^\kappa } $. The case where values known by $\mathsf P_{A}$ are authenticated by $\mathsf P_{B}$ can be defined symmetrically.

For a constant value $c \in \mathbb {F} _{2^\kappa }$, it is easy to define $[\![c]\!]_{\varDelta } = (c \cdot \varDelta , 0, c)$. It is well known that IT-MACs are additively homomorphic and support public scalar multiplication. That is, given public coefficients $c_0, c_1, \dots , c_\ell \in \mathbb {F} _{2^\kappa } $, two parties can locally compute $[\![y]\!]_{\varDelta }:=[\![c_0]\!]_{\varDelta }+\sum _{i=1}^\ell c_i \cdot [\![x_i]\!]_{\varDelta }.$ We extend the IT-MAC notation to authenticated vectors. Let $ m, \ell \in \mathbb {N} $ be dimension parameters. For a vector ${\varvec{x}}\in \mathbb {F} _{2^\kappa } ^\ell $, we denote by $[\![{\varvec{x}}]\!]_{\varDelta } = ([\![x_1]\!]_{\varDelta },...,[\![x_{\ell }]\!]_{\varDelta })$ a vector of authenticated values. Furthermore, given a public matrix $ \textbf{M}\in \mathbb {F} ^{m \times \ell } $, we use the notation $ [\![{\varvec{y}}]\!]_{\varDelta } = \textbf{M}\cdot [\![{\varvec{x}}]\!]_{\varDelta } $ to denote the matrix multiplication operation on authenticated vectors, where for each $ i \in [m] $, $ [\![y_i]\!]_{\varDelta } = \sum _{j \in [\ell ]} A_{i,j} \cdot [\![x_j]\!]_{\varDelta }$.

For $a_1, b_1, a_2, b_2, a_3, b_3 \in \mathbb {F} _{2^\kappa } $, we refer to $([\![a_1]\!]_{\varDelta _{\textsf{B}}}, [\![b_1]\!]_{\varDelta _{\textsf{A}}}, [\![a_2]\!]_{\varDelta _{\textsf{B}}}, [\![b_2]\!]_{\varDelta _{\textsf{A}}}, [\![a_3]\!]_{\varDelta _{\textsf{B}}}, [\![b_3]\!]_{\varDelta _{\textsf{A}}})$ with $ (a_3 + b_3) = (a_1 + b_1) \cdot (a_2 + b_2) $ as an authenticated multiplication triple. If $a_1, b_1, a_2, b_2, a_3, b_3 \in \mathbb {F}_2$, this tuple is also called authenticated AND triple.

2.3.1 Batch Opening of Authenticated Values

In the following, we describe the known procedure [18, 38] to open authenticated values in a batch. Here, we always assume that $\mathsf P_{A}$ holds the values and MAC tags, and $\mathsf P_{B}$ holds the global and local keys. For the case that $\mathsf P_{B}$ holds the values authenticated by $\mathsf P_{A}$, these procedures can be defined similarly. We first define the following procedure (denoted by $\textsf{CheckZero} $) to check that all values are zero in constant small communication. Notice that we hash the MAC tags to reduce communication [18].

$\textsf{CheckZero} ([\![x_1]\!]_{\varDelta }, \dots , [\![x_\ell ]\!]_{\varDelta })$: On input authenticated values $[\![x_1]\!]_{\varDelta }, \dots , [\![x_\ell ]\!]_{\varDelta }$, $\mathsf P_{A}$ convinces $\mathsf P_{B}$ that $x_i=0$ for all $i \in [\ell ]$ as follows:
1. 1.
  ${\mathsf{P_{A}}} $ sends $h_\textsf{A}:= \textsf{H} ( \textsf{M}_{\textsf{A}}[x_1],..., \textsf{M}_{\textsf{A}}[x_\ell ] )$ to ${\mathsf{P_{B}}} $, where $\textsf{H}: {{\{0,1\}}^{*}} \rightarrow {{\{0,1\}}^{\kappa }} $ is a cryptographic hash function modeled as a random oracle.
2. 2.
  ${\mathsf{P_{B}}} $ computes $h_\textsf{B}:= \textsf{H} ( \textsf{K}_{\textsf{B}}[x_1],..., \textsf{K}_{\textsf{B}}[x_\ell ] )$ and checks that $h_\textsf{A} =h_\textsf{B} $. If the check fails, $\mathsf P_{B}$ aborts.

Following previous works [18, 42], we have the following lemma, which we prove for completeness.

Lemma 1

If $\varDelta \in \mathbb {F} _{2^\kappa } $ is sampled uniformly at random and $ \textsf{H} $ is modeled as a random oracle, then the probability that there exists some $i \in [\ell ]$ such that $x_i \ne 0$ and $\mathsf P_{B}$ accepts in the $\textsf{CheckZero} $ procedure is bounded by $\frac{2}{2^\kappa }$.

Proof

Suppose $x_i \ne 0$ for some $i \in [\ell ]$. Then, the value $ \textsf{K}_\textsf{B} [x_i] = \textsf{M}_\textsf{A} [x_i] + x_i \varDelta $ appear uniformly random to $\mathsf P_{A}$. Consider the following two cases.

If $ h_\textsf{A} $ is returned from a random oracle query, then the probability that it’s preimage corresponds to $ \textsf{K}_\textsf{B} [x_i]$ is bounded by $ 2^{-\kappa } $. Conditioned on this event no happening, $ h_\textsf{A} = h_\textsf{B} $ implies collision of random oracle output on two distinct inputs, and its probability is bounded by $ 2^{-\kappa } $.
If $ h_\textsf{A} $ is not returned by a random oracle query, consider the following two sub-cases. If $ h_\textsf{B} $ appears in the random oracle transcript, then by the definition of this case we have $ h_\textsf{A} \ne h_\textsf{B} $. Otherwise, $ h_\textsf{B} $ has not been sampled yet and we have $ \Pr [h_\textsf{A} = h_\textsf{B} ] = 2^{-\kappa }$.

Therefore, we conclude that if $ \exists i, x_i \ne 0 $, then $\mathsf P_{A}$ passes the test with probability $ \frac{2}{2^{\kappa }}$. $\square $

The above lemma can be relaxed by allowing that $\varDelta $ is sampled uniformly from a set $\mathcal {R} \subset \mathbb {F} _{2^\kappa } $. In this case, the success probability for a cheating party $\mathsf P_{A}$ is at most $\frac{1}{|\mathcal {R} |}+2^{-\kappa }$. Based on the $\textsf{CheckZero} $ procedure, we define the following batch-opening procedure (denoted by $\textsf{Open} $):

$\textsf{Open} ([\![x_1]\!]_{\varDelta }, \dots , [\![x_\ell ]\!]_{\varDelta })$: On input authenticated values $[\![x_1]\!]_{\varDelta }, \dots , [\![x_\ell ]\!]_{\varDelta }$ defined over field $\mathbb {F} _{2^\kappa } $, $\mathsf P_{A}$ opens these values as follows:
1. 1.
  ${\mathsf{P_{A}}} $ sends $(x'_1, \dots , x'_\ell )$ to ${\mathsf{P_{B}}} $ (the purported values of $x_1,...,x_\ell $), and then both parties set $[\![y_i]\!]_{\varDelta }:= [\![x_i]\!]_{\varDelta } + [\![x'_i]\!]_{\varDelta }$ for each $i \in [\ell ]$.
2. 2.
  ${\mathsf{P_{A}}} $ runs $\textsf{CheckZero} ([\![y_1]\!]_{\varDelta }, \dots , [\![y_\ell ]\!]_{\varDelta })$ with $\mathsf P_{B}$. If $\mathsf P_{B}$ does not abort, it outputs $(x'_1, \dots , x'_\ell )$.

2.4 Correlated Oblivious Transfer

Our 2PC protocol will adopt the standard functionality [10, 47] of correlated oblivious transfer (COT) to generate random authenticated bits. This functionality (denoted by $\mathcal {F}_\mathsf {[} COT]$) is shown in Fig. 1 by setting a parameter $L=1$, where the extension phase can be executed multiple times for the same session identifier sid. Based on learning parity with noise (LPN) [8], the recent protocols [9, 10, 15, 47] with sublinear communication and linear computation can securely realize the COT functionality in the presence of malicious adversaries. In particular, these protocols can generate a COT correlation with amortized communication cost of about $0.1 \sim 0.4$ bits.

We also generalize the COT functionality into block COT (bCOT) [19], which allows to generate authenticated bits with the same choice bits and different global keys. Functionality $\mathcal {F}_\mathsf {[} bCOT]^L$ shown in Fig. 1 is the same as the standard COT functionality, except that L vectors (rather than a single vector) of authenticated bits $[\![{\varvec{u}}]\!]_{\varDelta _{1}}, \dots , [\![{\varvec{u}}]\!]_{\varDelta _{L}}$ are generated. Here, the vector of choice bits ${\varvec{u}}$ is required to be identical in different vectors of authenticated bits. It is easy to see that $\mathcal {F}_\mathsf {[} COT]$ is a special case of $\mathcal {F}_\mathsf {[} bCOT]^L$ with $L=1$. The protocol that securely realizes functionality $\mathcal {F}_\mathsf {[} bCOT]^L$ is easy to be constructed by extending the LPN-based COT protocol as described above. Specifically, we set $\varDelta =(\varDelta _{1}, \dots , \varDelta _{L}) \in \mathbb {F} _{2^{\kappa }}^{L} \cong \mathbb {F} _{2^{\kappa L}}$ as the global key in the LPN-based COT protocol, and the resulting choice bits are authenticated over extension field $\mathbb {F} _{2^{\kappa L}}$. Note that the protocol to generate block COTs still has sublinear communication, if L is sublinear to the number of the resulting COT correlations.

While the COT functionality outputs random authenticated bits, we can convert them into chosen authenticated bits via the following procedure (denoted by $\textsf{Fix} $), which is also used in the recent designated-verifier zero-knowledge (DVZK) protocol [4].

$([\![{\varvec{x}}]\!]_{\varDelta _{1}}, \dots , [\![{\varvec{x}}]\!]_{\varDelta _{L}}) \leftarrow \textsf{Fix} (sid, {\varvec{x}})$: On input a session identifier sid of $\mathcal {F}_\mathsf {[} bCOT]$, and a vector ${\varvec{x}}\in \mathbb {F} _2^\ell $ from $\mathsf P_{B}$, two parties $\mathsf P_{A}$ and $\mathsf P_{B}$ execute the following:
1. 1.
  Both parties call $\mathcal {F}_\mathsf {[} bCOT]^L$ on input $(\textsf{extend}, sid, \ell )$ to obtain $([\![{\varvec{r}}]\!]_{\varDelta _{1}}, \dots , [\![{\varvec{r}}]\!]_{\varDelta _{L}})$ with a random vector ${\varvec{r}}\in \mathbb {F} _2^\ell $ held by $\mathsf P_{B}$, where $\mathcal {F}_\mathsf {[} bCOT]^L$ has been initialized by sid and $(\varDelta _{1}, \dots , \varDelta _{L})$.
2. 2.
  ${\mathsf{P_{B}}} $ sends ${\varvec{d}}:= {\varvec{x}}+ {\varvec{r}}$ to ${\mathsf{P_{A}}} $.
3. 3.
  For each $i \in [L]$, both parties set $[\![{\varvec{x}}]\!]_{\varDelta _{i}}:= [\![{\varvec{r}}]\!]_{\varDelta _{i}} + [\![{\varvec{d}}]\!]_{\varDelta _{i}}$.

For a field element $x \in \mathbb {F} _{2^\kappa } $, $\mathsf P_{A}$ and $\mathsf P_{B}$ can run ${\varvec{x}}\leftarrow \textsf{F2B} (x)$, $([\![{\varvec{x}}]\!]_{\varDelta _{1}}, \dots , [\![{\varvec{x}}]\!]_{\varDelta _{L}})$ $\leftarrow \textsf{Fix} (sid, {\varvec{x}})$ and $([\![x]\!]_{\varDelta _{1}}, \dots , [\![x]\!]_{\varDelta _{L}}) \leftarrow \textsf{B2F} ([\![{\varvec{x}}]\!]_{\varDelta _{1}}, \dots , [\![{\varvec{x}}]\!]_{\varDelta _{L}})$ to obtain the corresponding authenticated values. Note that $\textsf{B2F} $ only involves the operations multiplied by public elements $X, \dots , X^{\kappa -1} \in \mathbb {F} _{2^\kappa } $, and thus $([\![x]\!]_{\varDelta _{1}}, \dots , $ $[\![x]\!]_{\varDelta _{L}})$ can be computed locally by running $\textsf{B2F} $. For simplicity, we abuse the $\textsf{Fix} $ notation, and use $([\![x]\!]_{\varDelta _{1}}, \dots ,$ $[\![x]\!]_{\varDelta _{L}}) \leftarrow \textsf{Fix} (sid, x)$ to denote the conversion procedure. The $\textsf{Fix} $ procedure is easy to be generalized to support that the values are defined over any extension field of $ \mathbb {F}_2$ such as $\mathbb {F} _{2^\rho } $. The $\textsf{Fix} $ procedure can be symmetrically defined when $\mathsf P_{B}$ holds $(\varDelta _{1}, \dots , \varDelta _{L})$. We further extend $\textsf{Fix} $ to additionally allow to input vectors of random authenticated bits instead of calling $\mathcal {F}_\mathsf {[} bCOT]^L$, which is denoted by $[\![{\varvec{x}}]\!]_{\varDelta } \leftarrow \textsf{Fix} ({\varvec{x}}, [\![{\varvec{r}}]\!]_{\varDelta })$ for the case of $L=1$.

We note that vector oblivious linear evaluation (VOLE) is an arithmetic generalization of COT, which enables $\mathsf P_{A}$ to obtain $(\varDelta , \textsf{K}_\textsf{A} [{\varvec{u}}]) \in \mathbb {F} \times \mathbb {F} ^\ell $ and $\mathsf P_{B}$ to get $({\varvec{u}}, \textsf{M}_\textsf{B} [{\varvec{u}}]) \in \mathbb {F} ^\ell \times \mathbb {F} ^\ell $ such that $\textsf{M}_\textsf{B} [{\varvec{u}}]=\textsf{K}_\textsf{A} [{\varvec{u}}]+{\varvec{u}}\cdot \varDelta $, where $\mathbb {F} $ is a large field such as $\mathbb {F} =\mathbb {F} _{2^\rho }$. Like COT, VOLE can be generalized to block VOLE and can be generated with sublinear communication and linear computation under the LPN assumption.

2.5 Designated-Verifier Zero-Knowledge Proofs

Based on IT-MACs, a family of streamable designated-verifier zero-knowledge (DVZK) proofs with fast prover time and a small memory footprint has been proposed [2,3,4, 20, 21, 42,43,44,45]. While these DVZK proofs can prove arbitrary circuits, we only need them to prove a simple multiplication relation. Specifically, given a set of authenticated triples $\{([\![x_i]\!]_{\varDelta }, [\![y_i]\!]_{\varDelta }, [\![z_i]\!]_{\varDelta })\}_{i \in [\ell ]}$ over $\mathbb {F} _{2^\kappa } $, these DVZK protocols can enable a prover $\mathcal {P}$ to convince a verifier $\mathcal {V}$ that $z_i = x_i \cdot y_i $ for all $i \in [\ell ]$. This is modeled by an ideal functionality shown in Fig. 2. In this functionality, an authenticated value $[\![x]\!]_{\varDelta }$ is input by two parties $\mathcal {P}$ and $\mathcal {V}$, meaning that $\mathcal {P}$ inputs $(x, \textsf{M})$ and $\mathcal {V}$ inputs $(\textsf{K}, \varDelta )$. We say that $[\![x]\!]_{\varDelta }$ is valid, if $\textsf{M}=\textsf{K}+ x \cdot \varDelta $. Using the recent DVZK proofs, this functionality can be noninteractively realized in the random oracle model using constant small communication (e.g., $2\kappa $ bits in total [45]).

2.6 $(m,L)$-Independent Matrix

We recall the notion of (m, L)-independent matrix below. This notion first appears in [22] and is applied in the authenticated garbling setting in [19].

Definition 3

We call a matrix $\textbf{M}\in \mathbb {F} _2^{n \times L}$ (m, L)-independent if any m rows of $\textbf{M}$ are linearly independent.

In particular, this property guarantees that if $ \textbf{M}\in \mathbb {F} _2^{n \times L} $ satisfies (m, L)-independence and ${\varvec{b}}^*$ is uniformly random over $ \mathbb {F} _2^{L} $, then ${\varvec{b}}:= \textbf{M}\cdot {\varvec{b}}^*$ is m-wise independence. We show in Lemma 2 that if we set $L = {\lceil {\rho + m \cdot \log (\frac{en}{m}) + \frac{\log m}{2}}\rceil }$ then a uniformly random $\textbf{M}$ satisfies (m, L)-independence except with probability $2^{-\rho }$. We give the proof in Appendix Appendix B.1. In the following, we set $L = \lceil 2\rho \log (\frac{en}{\sqrt{2}\rho }) + \frac{\log 2\rho }{2} \rceil $ and assume that a uniformly random $n \times L$ matrix satisfies ($2\rho , L$)-independence.

Lemma 2

Let $L = {\lceil {\rho + m \cdot \log (\frac{en}{m}) + \frac{\log m}{2}}\rceil }$ and let $\textbf{M}$ be a uniformly random matrix over $\mathbb {F} _2^{n \times L}$. $\textbf{M}$ satisfies the (m, L)-independent property except with probability $2^{-\rho }$.

3 Technical Overview

In this section, we give an overview of our techniques. The detailed protocols and their formal proofs are described in later sections. Firstly, we recall the basic approach in the state-of-the-art solution [19].

3.1 Overview of the State-of-the-Art Solution

Recently, Dittmer, Ishai, Lu and Ostrovsky [19] constructed the state-of-the-art 2PC protocol with malicious security (denoted by DILO) from simple VOLE correlations. For one-way communication, this protocol takes $5 \rho + 1$ bits to generate a single authenticated AND triple and $2\kappa +3\rho $ bits per AND gate to produce one distributed garbled circuit. Their approach lies in the authenticated garbling framework, which we recall next.

Authenticated Garbling.

Table 2 An example of semi-honest garbled truth table for AND gate $(i, j, k, \wedge )$

Full size table

Garbled circuit is a classical solution to the two-party computation problem, but the vanilla version guarantees no security against a malicious garbler $\mathsf P_{A}$, as we explain below. Recall that with standard point-and-permute [5] and Free-XOR [34] techniques, each wire $ w $ in a Boolean circuit $ \mathcal {C} $ is associated with a wire mask $ \lambda _w $ known by the garbler $\mathsf P_{A}$ such that if the real value of that wire is $ z_w $ then the evaluator $\mathsf P_{B}$ learns the masked value $ \varLambda _w = z_w \oplus \lambda _w $ during circuit evaluation. Each wire $ w $ is also associated with two labels $ \textsf{L} _{w, 0}, \textsf{L} _{w, 1} = \textsf{L} _{w, 0} \oplus \varDelta _{\textsf{A}} $ sampled by $ {\mathsf{P_{A}}} $ and $\mathsf P_{B}$ will learn the label $ \textsf{L} _{w, \varLambda _w} $ corresponding to the masked wire value during evaluation.

For each AND gate $(i, j, k, \wedge )$, $\mathsf P_{A}$ prepares a garbled truth table as shown in Table 2. With input labels $ \textsf{L} _{i, \varLambda _i}, \textsf{L} _{j, \varLambda _j}$, $\mathsf P_{B}$ can decrypt the ciphertext indexed by $ (\varLambda _i, \varLambda _j) $ to learn the masked value $ \varLambda _k $ and label $ \textsf{L} _{k, \varLambda _k} $ of the next level. Therefore, $\mathsf P_{B}$ can evaluate the entire circuit in a gate-by-gate manner. Nevertheless, a malicious $\mathsf P_{A}$ can perform the following two attacks by choosing erroneous ciphertexts.

$\mathsf P_{A}$ can corrupt some rows of the garbled truth table such that if $\mathsf P_{B}$ uses the corrupted ciphertexts then the garbled execution deviates from the computation of $ \mathcal {C} $. Suppose that such deviation causes observable failures in the protocol (e.g., $\mathsf P_{B}$ aborts) then $\mathsf P_{A}$ can infer which row is chosen w.r.t. the corrupted garbled truth table and learn the masked values $ \varLambda _i, \varLambda _j $. Since $\mathsf P_{A}$ knows the wire masks, it can therefore recover the real values.
$\mathsf P_{A}$ can change the logic of the circuit by encrypting $ ({\bar{\varLambda }}_k, \textsf{L} _{k, \bar{\varLambda }_k}) $ on each row, effectively changing an AND gate to a NAND gate. Since $\mathsf P_{B}$ only learns the overall output of $ \mathcal {C} $, not its intermediate values, $\mathsf P_{B}$ has no way of detecting this change.

To solve these problems, Wang et al. [40] proposed the authenticated garbling framework. Firstly, the wire masks are secret shared between $\mathsf P_{A}$ and $\mathsf P_{B}$. This ensures that even if some rows of a garbled truth table are corrupted, $\mathsf P_{A}$ cannot learn any information from this event since the wire masks are uniformly random in the view of $\mathsf P_{A}$. Moreover, to prevent $\mathsf P_{A}$ from changing the logic of the circuit, we authenticate $\mathsf P_{A}$ ’s wire masks using IT-MAC under the global key of $\mathsf P_{B}$. In this way, the real wire values are essentially committed after $\mathsf P_{B}$ ’s evaluation, making it possible to check for consistency over the committed values.

Additionally, Wang et al. showed that $\mathsf P_{A}$ can use the garbling key $ \varDelta _{\textsf{A}} $ as its IT-MAC global key. Moreover, by authenticating the wire masks, as well as the multiplication of two input wire masks for each AND gate, the two parties can locally derive secret shares of the garbled truth tables, which allows the parties to securely reconstruct the garbled truth table with secret shared wire masks.

Efficient Generation of IT-MACs.

The authenticated garbling framework extensively utilizes IT-MAC as an authentication method and therefore it is crucial to generate IT-MACs efficiently. Let $ [\![{\varvec{x}}]\!]_{\varDelta } $ be a vector of IT-MAC correlation (cf. Sect. 2.3 for more details on this notation), the two-party functionalities of generating $ [\![{\varvec{x}}]\!]_{\varDelta } $ for a random $ {\varvec{x}}$ vector over binary and larger fields are commonly referred to as correlated oblivious transfer (COT) and vector oblivious linear evaluation (VOLE), respectively.

COT and VOLE functionalities can be extended to the block versions where the authentication of the same vector $ {\varvec{x}}$ under $ L $ different global keys $ \varDelta _{1},..., \varDelta _{L} $ are generated in one go. This can be realized by calling the original functionalities with a $ L $-time larger key, and then using the field isomorphism to locally convert the IT-MAC over the large key into $ L $ IT-MACs over small keys.

Building on the learning parity with noise (LPN) assumption [8], recent protocols [9, 10, 15, 47] could realize the COT and VOLE functionalities with communication sublinear to the length of the generated vector. For the sake of this work, we may view (block) COT and VOLE as black boxes and assume that they incur no influence on the amortized communication costs.

Compressed Preprocessing.

In the above authenticated garbling framework, a large portion of the total communication is incurred by the preprocessing phase which generates necessary authentication material for subsequent garbling. Dittmer et al. [19] observed that if the masked wire values are not revealed to $\mathsf P_{A}$ then the wire masks of $\mathsf P_{B}$ are unnecessary to be uniformly random, which would significantly reduce the communication of preprocessing (as indicated by Table 1).

In particular, for the state-of-the-art distributed half-gate scheme in Sect. Appendix C.1, by corrupting a garbled truth table, $\mathsf P_{A}$ has probability 1/2 of causing inconsistency. This implies that for a statistical security parameter $ \rho $, $\mathsf P_{A}$ can only guess at most $\rho -1$ masked wire values. Otherwise, the protocol will abort with probability at least $1-1/2^\rho $. Therefore, it suffices for the mask shares of $\mathsf P_{B}$ to be $ 2\rho $-wise independent since if no more than $ \rho $ gates are corrupted then the corresponding wires masks would be uniformly random due to the $ 2\rho $-wise independence property. If more than $ \rho $ gates are corrupted, $\mathsf P_{B}$ would abort with overwhelming probability.

Dittmer et al. further observed that a $ 2\rho $-wise independent vector can be acquired by expanding a short uniformly random vector with a public random matrix. Therefore, the two parties only need to authenticate a short vector and $\mathsf P_{B}$ ’s wire mask can be expanded using the homomorphism of IT-MAC. Moreover, compressing $\mathsf P_{B}$ ’s wire masks also allow the multiplication of AND gate input wire masks to have a compact representation, enabling a significant improvement of the preprocessing efficiency. In the following, we give an overview of Dittmer et al. ’s approach on how to generate preprocessing information for a circuit with $ n $ AND gates.

1.
$\mathsf P_{A}$ and $\mathsf P_{B}$ generates a vector of authenticated bits $[\![{\varvec{b}}^*]\!]_{\varDelta _{\textsf{A}}}$ with a uniform ${\varvec{b}}^* \in \mathbb {F}_2^L$ by calling $\mathcal {F}_\mathsf {[}$ COT]. Then, both parties define $[\![{\varvec{b}}]\!]_{\varDelta _{\textsf{A}}}:= \textbf{M}\cdot [\![{\varvec{b}}^*]\!]_{\varDelta _{\textsf{A}}}$. (We show in Lemma 2 how to choose the parameter $ L = O(\rho \log (n/\rho ) $.)
2.
Both parties compute authenticated bit $[\![b_{i,j}]\!]_{\varDelta _{\textsf{A}}}$ for each AND gate $(i, j, k, \wedge )$ via running the $\textsf{Fix}$ procedure with input $\{b_{i,j}\}$ where $b_{i,j}:= b_i \cdot b_j$.
3.
$\mathsf P_{B}$ samples $\varDelta _{\textsf{B}}, \gamma \leftarrow \mathbb {F} _{2^\rho }$. Then, both parties initialize two functionalities $\mathcal {F}_\mathsf {[} bCOT]^{L+2}$ and $\mathcal {F}_\mathsf {[} bVOLE]^{L+2}$ with the same global keys $(b_1^* \cdot \varDelta _{\textsf{B}}+\gamma , \dots , b_L^* \cdot \varDelta _{\textsf{B}}+\gamma , \varDelta _{\textsf{B}}+\gamma , \gamma )$, where $\mathcal {F}_\mathsf {[} bVOLE]^{L+2}$ is the same as $\mathcal {F}_\mathsf {[} bCOT]^{L+2}$ except that the outputs are VOLE correlations over $\mathbb {F} _{2^\rho } $ instead of COT correlations. Here, $\gamma $ is necessary to mask $b_i^* \cdot \varDelta _{\textsf{B}}$. In particular, a consistency check in DILO lets $\mathsf P_{B}$ send a hashing of values related to $b_i^* \cdot \varDelta _{\textsf{B}}$ to the malicious party $\mathsf P_{A}$, which may leak the bit $b_i^*$ to $\mathsf P_{A}$. This attack would be prevented by using a uniform $\gamma $ to mask $b_i^* \cdot \varDelta _{\textsf{B}}$. Given $[\![a]\!]_{b_i^*\varDelta _{\textsf{B}}+\gamma }$ and $[\![a]\!]_\gamma $ for any bit a held by $\mathsf P_{A}$, it is easy to locally compute $[\![ab_i^*]\!]_{\varDelta _{\textsf{B}}}$ from the additive homomorphism of IT-MACs. Similarly, given $[\![a]\!]_{\varDelta _{\textsf{B}}+\gamma }$ and $[\![a]\!]_\gamma $, two parties can locally compute $[\![a]\!]_{\varDelta _{\textsf{B}}}$.
4.
$\mathsf P_{A}$ and $\mathsf P_{B}$ calls $\mathcal {F}_\mathsf {[} bCOT]^{L+2}$ to generate the vectors of authenticated bits $[\![{\varvec{a}}]\!]_{\varDelta _{\textsf{B}}}, [\![\hat{{\varvec{a}}}]\!]_{\varDelta _{\textsf{B}}}$ as well as $[\![a_i {\varvec{b}}^*]\!]_{\varDelta _{\textsf{B}}}$ for each $i \in [n]$, where ${\varvec{a}}\in \mathbb {F} _2^n$ (resp., $\hat{{\varvec{a}}} \in \mathbb {F} _2^n$) is used as the vector of random masks $\{a_i\}$ (resp., $\{\hat{a}_k\}$) held by $\mathsf P_{A}$ on the output wires of all AND gates. Then, they can locally compute $[\![a_i b_j]\!]_{\varDelta _{\textsf{B}}}$ and $[\![a_j b_i]\!]_{\varDelta _{\textsf{B}}}$ for each AND gate $(i, j, k, \wedge )$ by calculating $\textbf{M}\cdot [\![a_i {\varvec{b}}^*]\!]_{\varDelta _{\textsf{B}}}$. Both parties run the $\textsf{Fix}$ procedure with input $\{a_{i,j}\}$ to obtain $\{[\![a_{i,j}]\!]_{\varDelta _{\textsf{B}}}\}$, where $a_{i,j}=a_i \wedge a_j$ for each AND gate $(i, j, k, \wedge )$.
5.
$\mathsf P_{A}$ and $\mathsf P_{B}$ call $\mathcal {F}_\mathsf {[} bVOLE]^{L+2}$ to get a vector of authenticated values $[\![\tilde{{\varvec{a}}}]\!]_{\varDelta _{\textsf{B}}}$ with a uniform vector $\tilde{{\varvec{a}}} \in \mathbb {F} _{2^\rho } ^n$. Both parties run the $\textsf{Fix} $ procedure with input $(\varDelta _{\textsf{A}} \cdot {\varvec{a}}, \varDelta _{\textsf{A}} \cdot \hat{{\varvec{a}}}, \{\varDelta _{\textsf{A}} \cdot a_{i,j}\}_{(i,j,*,\wedge ) \in \mathcal {C} _\textsf{and}}, \varDelta _{\textsf{A}})$ and with respect to $\mathcal {F}_\mathsf {[} bVOLE]^{L+2}$ to get the following authentication.
- $ [\![\varDelta _{\textsf{A}} \cdot \hat{{\varvec{a}}}]\!]_{\varDelta _{\textsf{B}}}$.
- $ \{ [\![\varDelta _{\textsf{A}} \cdot a_{i,j}]\!]_{\varDelta _{\textsf{B}}}\}_{(i,j,*,\wedge ) \in \mathcal {C} _\textsf{and}} $
- $ [\![\varDelta _{\textsf{A}} a_i {\varvec{b}}^*]\!]_{\varDelta _{\textsf{B}}}$ for $ i \in [n] $.
- $ [\![\varDelta _{\textsf{A}}]\!]_{\varDelta _{\textsf{B}}} $ and $ [\![\varDelta _{\textsf{A}}]\!]_{b^*_i \varDelta _{\textsf{B}}}$ for $ i \in [L] $, which is equivalent to $ [\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}} $ and $ [\![b^*_i \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}} $ for $ i \in [L] $.
We use $[\![B_i^*]\!]_{\varDelta _{\textsf{A}}}$ to denote $[\![b_i^* \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$. Furthermore, $\mathsf P_{A}$ and $\mathsf P_{B}$ can locally compute $[\![\varDelta _{\textsf{A}} a_i b_j]\!]_{\varDelta _{\textsf{B}}}$ and $[\![\varDelta _{\textsf{A}} a_j b_i]\!]_{\varDelta _{\textsf{B}}}$ for each AND gate $(i, j, k, \wedge )$ by computing $[\![\varDelta _{\textsf{A}} a_i {\varvec{b}}]\!]_{\varDelta _{\textsf{B}}} = \textbf{M}\cdot [\![\varDelta _{\textsf{A}} a_i {\varvec{b}}^*]\!]_{\varDelta _{\textsf{B}}}$ for each $i \in [n]$.
6.
Parties $\mathsf P_{A}$ and $\mathsf P_{B}$ call $\mathcal {F}_\mathsf {[} DVZK]$ to prove the following relations:
- For each AND gate $(i, j, k, \wedge )$, given $([\![b_i]\!]_{\varDelta _{\textsf{A}}}, [\![b_j]\!]_{\varDelta _{\textsf{A}}}, [\![b_{i,j}]\!]_{\varDelta _{\textsf{A}}})$, prove $b_{i,j}=b_i \wedge b_j$.
- For each AND gate $(i, j, k, \wedge )$, given $([\![a_i]\!]_{\varDelta _{\textsf{B}}}, [\![a_j]\!]_{\varDelta _{\textsf{B}}}, [\![a_{i,j}]\!]_{\varDelta _{\textsf{B}}})$, prove $a_{i,j}=a_i \wedge a_j$.
- For each $i \in [L]$, given $([\![b_i^*]\!]_{\varDelta _{\textsf{A}}}, [\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}, [\![B_i^*]\!]_{\varDelta _{\textsf{A}}})$, prove $B_i^* = b_i^* \cdot \varDelta _{\textsf{B}}$.
7.
$\mathsf P_{B}$ also executes an efficient verification protocol to convince $\mathsf P_{A}$ that the same global keys are input to different functionalities $\mathcal {F}_\mathsf {[} bCOT]^{L+2}$ and $\mathcal {F}_\mathsf {[} bVOLE]^{L+2}$. It is unnecessary to check the consistency of $\varDelta _{\textsf{A}} \cdot {\varvec{a}}, \varDelta _{\textsf{A}} \cdot \hat{{\varvec{a}}}, \{\varDelta _{\textsf{A}} \cdot a_{i,j}\}, \varDelta _{\textsf{A}}$ input to $\textsf{Fix} $ w.r.t. $\mathcal {F}_\mathsf {[} bVOLE]^{L+2}$. The resulting VOLE correlations on these inputs are used to compute the MAC tags of $\mathsf P_{B}$ on its shares. If these inputs are incorrect, this only leads to these MAC tags, which will be authenticated by $\mathsf P_{A}$, being incorrect. This is harmless for security.
8.
For each AND gate $(i, j, k, \wedge )$, $\mathsf P_{A}$ and $\mathsf P_{B}$ locally compute $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{B}}}:= [\![a_{i,j}]\!]_{\varDelta _{\textsf{B}}} + [\![a_i b_j]\!]_{\varDelta _{\textsf{B}}} + [\![a_j b_i]\!]_{\varDelta _{\textsf{B}}} + [\![\hat{a}_k]\!]_{\varDelta _{\textsf{B}}}$ and $[\![{\tilde{B}}_k]\!]_{\varDelta _{\textsf{B}}}:= [\![\varDelta _{\textsf{A}} a_{i,j}]\!]_{\varDelta _{\textsf{B}}} + [\![\varDelta _{\textsf{A}} a_i b_j]\!]_{\varDelta _{\textsf{B}}} + [\![\varDelta _{\textsf{A}} a_j b_i]\!]_{\varDelta _{\textsf{B}}} + [\![\varDelta _{\textsf{A}} \hat{a}_k]\!]_{\varDelta _{\textsf{B}}} + [\![{\tilde{a}}_k]\!]_{\varDelta _{\textsf{B}}}$. Then, $\mathsf P_{A}$ sends a pair of MAC tags $(\textsf{M}_\textsf{A} [{\tilde{b}}_k], \textsf{M}_\textsf{A} [{\tilde{B}}_k])$ to $\mathsf P_{B}$, who computes the following over $\mathbb {F} _{2^\rho }$
$$\begin{aligned} {\tilde{b}}_k:=(\textsf{K}_\textsf{B} [{\tilde{b}}_k] + \textsf{M}_\textsf{A} [{\tilde{b}}_k]) \cdot \varDelta _{\textsf{B}}^{-1} \text { and } {\tilde{B}}_k:=(\textsf{K}_\textsf{B} [{\tilde{B}}_k] + \textsf{M}_\textsf{A} [{\tilde{B}}_k]) \cdot \varDelta _{\textsf{B}}^{-1}. \end{aligned}$$
It is easy to see that ${\tilde{b}}_k=a_{i,j} \oplus a_i b_j \oplus a_j b_i \oplus \hat{a}_k \in \mathbb {F}_2$ and ${\tilde{B}}_k=(a_{i,j} + a_i b_j + a_j b_i + \hat{a}_k)\cdot \varDelta _{\textsf{A}} + {\tilde{a}}_k \in \mathbb {F} _{2^\rho } $, where the randomness ${\tilde{a}}_k \in \mathbb {F} _{2^\rho } $ is crucial to prevent that ${\tilde{B}}_k$ directly reveals $\varDelta _{\textsf{A}}$ in the case of ${\tilde{b}}_k=1$. We observe that both parties now obtain an authenticated bit $[{\tilde{b}}_k]_{\varDelta _{\textsf{A}}}$ by defining its local key $\textsf{K}_\textsf{A} [{\tilde{b}}_k]={\tilde{a}}_k$ and MAC tag $\textsf{M}_\textsf{B} [{\tilde{b}}_k]={\tilde{B}}_k$.
9.
For each AND gate $(i, j, k, \wedge )$, $\mathsf P_{A}$ and $\mathsf P_{B}$ locally compute an authenticated bit $[\![\hat{b}_k]\!]_{\varDelta _{\textsf{A}}}:= [\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}} \oplus [\![b_{i,j}]\!]_{\varDelta _{\textsf{A}}}$. For each AND gate $(i, j, k, \wedge ) $, both parties obtain an authenticated AND triple $([\![a_i]\!]_{\varDelta _{\textsf{B}}}, [\![b_i]\!]_{\varDelta _{\textsf{A}}}, [\![a_j]\!]_{\varDelta _{\textsf{B}}},$ $[\![b_j]\!]_{\varDelta _{\textsf{A}}}, [\![\hat{a}_k]\!]_{\varDelta _{\textsf{B}}}, [\![\hat{b}_k]\!]_{\varDelta _{\textsf{A}}})$.

3.2 Our Solution for Generating Authenticated AND Triples

In the above DILO protocol, the one-way communication cost of generating the authenticated AND triple an AND gate $(i, j, k, \wedge )$ is induced by producing an authenticated bit $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$ that is in turn used to locally compute $[\![\hat{b}_k]\!]_{\varDelta _{\textsf{A}}}$ with $\hat{b}_k={\tilde{b}}_k \oplus b_i b_j$. DILO generates the authenticated bit $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}=(\textsf{K}_\textsf{A} [{\tilde{b}}_k], \textsf{M}_\textsf{B} [{\tilde{b}}_k], {\tilde{b}}_k)$ by computing authenticated values on ${\tilde{b}}_k$ and $\textsf{M}_\textsf{B} [{\tilde{b}}_k]$ under $\varDelta _{\textsf{B}}$. Specifically, we have the following two parts:

$\mathsf P_{B}$ computes the bit ${\tilde{b}}_k$ from the authenticated bit on ${\tilde{b}}_k$ under $\varDelta _{\textsf{B}}$ and corresponding MAC tag sent by $\mathsf P_{A}$ in communication of $\rho +1$ bits.
$\mathsf P_{B}$ computes the MAC tag $\textsf{M}_\textsf{B} [{\tilde{b}}_k]$ by generating the authenticated value on $\textsf{M}_\textsf{B} [{\tilde{b}}_k]$ under $\varDelta _{\textsf{B}}$ and corresponding MAC tag sent by $\mathsf P_{A}$ in communication of $4\rho $ bits.

We observe that the communication cost of the first part can be further reduced to only 2 bits by setting $\textsf{lsb} (\varDelta _{\textsf{B}})=1$. In particular, $\mathsf P_{A}$ can send the LSB $x_k$ of the MAC tag w.r.t. $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{B}}}$ to $\mathsf P_{B}$ who can compute ${\tilde{b}}_k$ by XORing $x_k$ with the LSB of the local key w.r.t. $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{B}}}$. The authentication of $\{{\tilde{b}}_k\}$ can be done in a batch by hashing the MAC tags on these bits. However, the communication cost of the second part is inherent due to the DILO approach of generating the MAC tag $\textsf{M}_\textsf{B} [{\tilde{b}}_k]$. This leaves us a challenge problem: how to generate authenticated bit $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$ without the $\rho $-time blow-up in communication.

The crucial point for solving the above problem is to generate the MAC tag $\textsf{M}_\textsf{B} [{\tilde{b}}_k]$ with constant communication per triple. In a straightforward way, $\mathsf P_{A}$ and $\mathsf P_{B}$ can run the $\textsf{Fix} $ procedure to generate $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$ by taking one-bit communication after $\mathsf P_{B}$ has obtained ${\tilde{b}}_k$. However, $\mathsf P_{A}$ has no way to check the correctness of ${\tilde{b}}_k$ implied in $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$, where $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{B}}}$ only allows $\mathsf P_{B}$ to check the correctness of ${\tilde{b}}_k$.

We introduce the notion of dual-key authentication to allow both parties to check the correctness of ${\tilde{b}}_k$, where the bit ${\tilde{b}}_k$ is authenticated under global key $\varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}}$ and thus no party can change the bit ${\tilde{b}}_k$ without being detected. We present an efficient approach to generate the dual-key authenticated bit $\langle {{\tilde{b}}_k}\rangle $ with communication of only one bit. By checking the consistency of all values input to the block-COT functionality, we can guarantee the correctness of $\langle {{\tilde{b}}_k}\rangle $, i.e., ${\tilde{b}}_k$ is a valid bit authenticated by both parties. When setting $\textsf{lsb} (\varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}})=1$, $\mathsf P_{B}$ can obtain the bit ${\tilde{b}}_k$ by letting $\mathsf P_{A}$ send one-bit message to $\mathsf P_{B}$ (see below for details). By using $\textsf{Fix} $, $\mathsf P_{A}$ and $\mathsf P_{B}$ can generate $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$. Now, $\mathsf P_{B}$ can check the correctness of ${\tilde{b}}_k$ obtained, and $\mathsf P_{A}$ can verify the correctness of ${\tilde{b}}_k$ implied in $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$, by using the correctness of $\langle {{\tilde{b}}_k}\rangle $. Particularly, we propose a batch-check technique that enables both parties to check the correctness of $\{{\tilde{b}}_k\}$ in all triples with essentially no communication. In addition, we present two new checking protocols to verify the correctness of global keys and the consistency of values across different functionalities (see below for an overview). Overall, our techniques allow to achieve one-way communication of only 2 bits per triple, and are described below.

Dual-key authentication. We propose the notion of dual-key authentication, meaning that a bit is authenticated by two global keys $\varDelta _{\textsf{A}}, \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\kappa } $ held by $\mathsf P_{A}$ and $\mathsf P_{B}$, respectively. In particular, a dual-key authenticated bit $\langle {x}\rangle =(\textsf{D}_{\textsf{A}}[x], \textsf{D}_{\textsf{B}}[x], x)$ lets $\mathsf P_{A}$ hold $\textsf{D}_{\textsf{A}}[x]$ and $\mathsf P_{B}$ hold $\textsf{D}_{\textsf{B}}[x]$ such that $\textsf{D}_{\textsf{A}}[x]+\textsf{D}_{\textsf{B}}[x]=x \cdot \varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\kappa } $, where $x \in \mathbb {F}_2$ can be known by either $\mathsf P_{A}$ or $\mathsf P_{B}$, or unknown for both parties. From the definition, we have that dual-key authenticated bits are also additively homomorphic, which enables us to use the random linear combination approach to perform consistency checks associated with such bits. We are also able to generalize dual-key authenticated bits to dual-key authenticated values in which x is defined over any field $\mathbb {F} _{2^\kappa } $. This generalization may be useful for the design of subsequent protocols. A useful property is that $\langle {x}\rangle $ can be locally converted into $[\![x \varDelta _{\textsf{A}}]\!]_{\varDelta _{\textsf{B}}}$ or $[\![x \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$ and vice versa.

Let $ x = a \cdot b $ where $\mathsf P_{A}$ holds $a \in \mathbb {F}_2$ and $\mathsf P_{B}$ holds $b \in \mathbb {F}_2$. Without loss of generality, we focus on the case that a is a secret bit. The bit b can be either a secret bit or a public bit 1, where the former means that no party knows x and the latter means that only $\mathsf P_{A}$ knows x. The DILO protocol [19] implicitly generates a dual-key authenticated bit by running $\textsf{Fix} (a \varDelta _{\textsf{A}})$ w.r.t. global keys $b \varDelta _{\textsf{B}}+\gamma , \gamma $ to obtain $[\![a \varDelta _{\textsf{A}}]\!]_{b\varDelta _{\textsf{B}}}=\langle {ab}\rangle =\langle {x}\rangle $, which incurs $\rho $-time blow-up in communication (even if a allows to be a random bit). Our approach can reduce the communication cost to at most one bit. In particular, we first let $\mathsf P_{A}$ and $\mathsf P_{B}$ generate a dual-key authenticated bit $\langle {b}\rangle =(\alpha , \beta , b)$ with $\alpha + \beta = b \cdot \varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\kappa } $, where $\mathsf P_{A}$ gets $\alpha $ and $\mathsf P_{B}$ obtains $\beta $. Then, both parties initialize functionality $\mathcal {F}_\mathsf {[} bCOT]$ with a global key $\beta $. If $a \in \mathbb {F}_2$ allows to be random, both parties call $\mathcal {F}_\mathsf {[} bCOT]$ to generate $[\![a]\!]_\beta $ without communication. Otherwise, both parties run $\textsf{Fix} $ with input a to generate $[\![a]\!]_\beta $ with one bit of communication. Given $[\![a]\!]_\beta =(\textsf{K}_\textsf{B} [a], \textsf{M}_\textsf{A} [a], a)$, $\mathsf P_{A}$ and $\mathsf P_{B}$ can locally compute a dual-key authenticated bit $\langle {a}\rangle $ by letting $\mathsf P_{A}$ compute $\textsf{D}_{\textsf{A}}[x]:= \textsf{M}_\textsf{A} [a] + a \cdot \alpha \in \mathbb {F} _{2^\kappa } $ and $\mathsf P_{B}$ set $\textsf{D}_{\textsf{B}}[x]:= \textsf{K}_\textsf{B} [a] \in \mathbb {F} _{2^\kappa } $. We have that $\textsf{D}_{\textsf{A}}[x]+\textsf{D}_{\textsf{B}}[x] = (\textsf{M}_\textsf{A} [a] + \textsf{K}_\textsf{B} [a]) + a \cdot \alpha = a \cdot (\alpha +\beta ) = a \cdot b \cdot \varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\kappa } $. To guarantee correctness of $\langle {x}\rangle $, we need to check the consistency of $\beta $ input to $\mathcal {F}_\mathsf {[} bCOT]$ and a input to $\textsf{Fix} $, which will be shown below.

Sampling global keys with correctness checking. As described above, we need to generate two global keys $\varDelta _{\textsf{A}}$ and $\varDelta _{\textsf{B}}$ such that $\textsf{lsb} (\varDelta _{\textsf{A}}\cdot \varDelta _{\textsf{B}})=1$, which allows one party to get the bit $x=\textsf{lsb} (\textsf{D}_{\textsf{A}}[x])\oplus \textsf{lsb} (\textsf{D}_{\textsf{B}}[x])$ from a dual-key authenticated bit $\langle {x}\rangle $. To do this, we let $\mathsf P_{A}$ sample $\varDelta _{\textsf{A}} \leftarrow \mathbb {F} _{2^\kappa } $ such that $\textsf{lsb} (\varDelta _{\textsf{A}})=1$. Then, we let $\mathsf P_{B}$ sample $\varDelta _{\textsf{B}} \leftarrow \mathbb {F} _{2^\kappa } $, and make $\mathsf P_{A}$ and $\mathsf P_{B}$ run the $\textsf{Fix} $ procedure w.r.t. $\varDelta _{\textsf{A}}$ with input $\varDelta _{\textsf{B}}$ to generate $[\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}} = \langle {1}\rangle = (\alpha _0, \beta _0, 1)$ (i.e., dual-key authentication of constant 1), where $\alpha _0 \oplus \beta _0=\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}$. $\mathsf P_{A}$ and $\mathsf P_{B}$ can exchange $\textsf{lsb} (\alpha _0)$ and $\textsf{lsb} (\beta _0)$ to decide whether $\textsf{lsb} (\alpha _0) \oplus \textsf{lsb} (\beta _0)=0$. If yes, then $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}) = \textsf{lsb} (\alpha _0) \oplus \textsf{lsb} (\beta _0)=0$. In this case, we let $\mathsf P_{B}$ update $\varDelta _{\textsf{B}}$ as $\varDelta _{\textsf{B}} \oplus 1$, which makes $\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}$ be updated as $\varDelta _{\textsf{A}} \varDelta _{\textsf{B}} \oplus \varDelta _{\textsf{A}}$, where $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}} \oplus \varDelta _{\textsf{A}})=\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}) \oplus \textsf{lsb} (\varDelta _{\textsf{A}}) =1$. Since $\varDelta _{\textsf{B}}$ is changed as $\varDelta _{\textsf{B}} \oplus 1$, $\alpha _0$ needs to be updated as $\alpha _0 \oplus \varDelta _{\textsf{A}}$ in order to keep correct correlation.

While we adopt the KRRW authenticated garbling [33] in dual executions, some bit of global keys $\varDelta _{\textsf{A}}, \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\kappa } $ is required to be fixed as 1. We often choose to define $\textsf{lsb} (\varDelta _{\textsf{A}})=1$ and $\textsf{lsb} (\varDelta _{\textsf{B}})=1$. While $\textsf{lsb} (\varDelta _{\textsf{A}})=1$ has been satisfied, $\textsf{lsb} (\varDelta _{\textsf{B}})=1$ does not always hold, as $\mathsf P_{B}$ may flip $\varDelta _{\textsf{B}}$ depending on if $\textsf{lsb} (\alpha _0) \oplus \textsf{lsb} (\beta _0)=0$. Thus, we let $\mathsf P_{B}$ set $\textsf{msb} (\varDelta _{\textsf{B}}) = 1$ for ease of remembering. More importantly, $\textsf{msb} (\varDelta _{\textsf{B}}) = 1$ has no impact on setting $\textsf{lsb} (\varDelta _{\textsf{A}}\varDelta _{\textsf{B}})=1$.

To ensure that neither party can guess the value of $ \varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}} $, we need to ensure that $ \varDelta _{\textsf{A}} \ne 0 $ and $ \varDelta _{\textsf{B}} \ne 0 $. We notice that this requirement is implied by the aforementioned constraints of circuit garbling ($\textsf{lsb} (\varDelta _{\textsf{A}})=1$ and $\textsf{msb} (\varDelta _{\textsf{B}})=1$) and satisfied in the previous sampling process. Therefore, we show how to check these two constraints below. To enable $\mathsf P_{B}$ to check $\textsf{lsb} (\varDelta _{\textsf{A}})=1$, both parties can generate random authenticated bits $[\![r_1]\!]_{\varDelta _{\textsf{A}}}, \dots , [\![r_\rho ]\!]_{\varDelta _{\textsf{A}}}$, and then $\mathsf P_{A}$ sends $\textsf{lsb} (\textsf{K}_\textsf{A} [r_i])$ for $i \in [\rho ]$ to $\mathsf P_{B}$ who checks that $\textsf{lsb} (\textsf{K}_\textsf{A} [r_i]) \oplus \textsf{lsb} (\textsf{M}_\textsf{B} [r_i])=r_i$ for all $i \in [\rho ]$. A malicious $\mathsf P_{A}$ can cheat successfully if and only if it guesses correctly all random bits $r_1, \dots , r_\rho $, which happens with probability $1/2^\rho $. The correctness check of $\textsf{msb} (\varDelta _{\textsf{B}})=1$ can be done in a totally similar way. Furthermore, we need also to check $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}})=1$, and otherwise a selective failure attack may be performed on secret bit ${\tilde{b}}_k$. We first let $\mathsf P_{B}$ check $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}})=1$ by interacting with $\mathsf P_{A}$. We make $\mathsf P_{A}$ and $\mathsf P_{B}$ generate random dual-key authenticated bits $\langle {s_1}\rangle , \dots , \langle {s_\rho }\rangle $. Then, the check of $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}})=1$ can be done similarly, by letting $\mathsf P_{A}$ send $\textsf{lsb} (\textsf{D}_{\textsf{A}}[s_i])$ to $\mathsf P_{B}$ who checks that $\textsf{lsb} (\textsf{D}_\textsf{A} [s_i]) \oplus \textsf{lsb} (\textsf{D}_\textsf{B} [s_i])=s_i$ for all $i \in [\rho ]$. To produce $\langle {s_1}\rangle , \dots , \langle {s_\rho }\rangle $, $\mathsf P_{A}$ and $\mathsf P_{B}$ can call $\mathcal {F}_\mathsf {[} COT]$ to generate random authenticated bits $[\![s_1]\!]_{\varDelta _{\textsf{A}}}, \dots , [\![s_\rho ]\!]_{\varDelta _{\textsf{A}}}$, and then run the $\textsf{Fix} $ procedure w.r.t. $\varDelta _{\textsf{A}}$ on input $(s_1 \varDelta _{\textsf{B}}, \dots , s_\rho \varDelta _{\textsf{B}})$ to generate $[\![s_1 \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}, \dots , [\![s_\rho \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$ that are equivalent to $\langle {s_1}\rangle , \dots , \langle {s_\rho }\rangle $. Then, the correctness of the input $(s_1 \varDelta _{\textsf{B}}, \dots , s_\rho \varDelta _{\textsf{B}})$ needs to be verified by $\mathsf P_{A}$ via letting $\mathsf P_{B}$ prove that $([\![s_i]\!]_{\varDelta _{\textsf{A}}}, [\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}, [\![s_i \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}})$ for all $i \in [\rho ]$ satisfy the multiplication relationship using $\mathcal {F}_\mathsf {[} DVZK]$. Due to the dual execution, $\mathsf P_{A}$ needs also to symmetrically check $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}})=1$ by interacting with $\mathsf P_{B}$.

Generating compressed authenticated AND triples. As described above, for generating a compressed authenticated AND triple $([\![a_i]\!]_{\varDelta _{\textsf{B}}}, [\![b_i]\!]_{\varDelta _{\textsf{A}}}, [\![a_j]\!]_{\varDelta _{\textsf{B}}}, [\![b_j]\!]_{\varDelta _{\textsf{A}}}, [\![\hat{a}_k]\!]_{\varDelta _{\textsf{B}}}, [\![\hat{b}_k]\!]_{\varDelta _{\textsf{A}}})$, the crucial step is to generate a dual-key authenticated bit $\langle {{\tilde{b}}_k}\rangle $ with ${\tilde{b}}_k=\hat{b}_k \oplus b_i b_j$. From the definition of ${\tilde{b}}_k$, we know that $\langle {{\tilde{b}}_k}\rangle = \langle {a_{i,j}}\rangle \oplus \langle {a_i b_j}\rangle \oplus \langle {a_j b_i}\rangle \oplus \langle {\hat{a}_k}\rangle $. We use the above approach to generate the dual-key authenticated bits $\langle {a_{i,j}}\rangle , \langle {\hat{a}_k}\rangle $ and $\langle {a_i {\varvec{b}}^*}\rangle $ for $i \in [n]$ that can be locally converted to $\langle {a_i b_j}\rangle , \langle {a_j b_i}\rangle $ by multiplying a public matrix $\textbf{M}$. Then, we combine all the dual-key authenticated bits to obtain $\langle {{\tilde{b}}_k}\rangle $. From $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}) = 1$, we can let $\mathsf P_{A}$ send $\textsf{lsb} (\textsf{D}_\textsf{A} [{\tilde{b}}_k])$ to $\mathsf P_{B}$ who is able to recover ${\tilde{b}}_k=\textsf{lsb} (\textsf{D}_\textsf{A} [{\tilde{b}}_k]) \oplus \textsf{lsb} (\textsf{D}_\textsf{B} [{\tilde{b}}_k])$. By running the $\textsf{Fix} $ procedure with input ${\tilde{b}}_k$, both parties can generate $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$, which can be in turn locally converted into $[\![\hat{b}_k]\!]_{\varDelta _{\textsf{A}}}$. More details are shown as follows.

1.
As in the DILO protocol [19], we let $\mathsf P_{A}$ and $\mathsf P_{B}$ obtain $[\![{\varvec{b}}^*]\!]_{\varDelta _{\textsf{A}}}$ and $\{[\![b_{i,j}]\!]_{\varDelta _{\textsf{A}}}\}$ by calling $\mathcal {F}_\mathsf {[} COT]$ and running $\textsf{Fix} $ with input $b_{i,j}=b_i b_j$. Then, both parties compute $[\![{\varvec{b}}]\!]_{\varDelta _{\textsf{A}}}:= \textbf{M}\cdot [\![{\varvec{b}}^*]\!]_{\varDelta _{\textsf{A}}}$ to obtain $[\![b_i]\!]_{\varDelta _{\textsf{A}}}, [\![b_j]\!]_{\varDelta _{\textsf{A}}}$ for each AND gate $(i,j,k,\wedge )$.
2.
$\mathsf P_{A}$ and $\mathsf P_{B}$ have produced $\langle {1}\rangle =(\alpha _0, \beta _0, 1)$ such that $\alpha _0 + \beta _0 = \varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\kappa } $. For each $i \in [L]$, both parties can further generate a dual-key authenticated bit $\langle {b_i^*}\rangle = (\alpha _i, \beta _i, b_i^*)$ with $\alpha _i+\beta _i=b_i^* \cdot \varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\kappa } $ by running $\textsf{Fix} $ w.r.t. $\varDelta _{\textsf{A}}$ with input $B_i^*=b_i^*\varDelta _{\textsf{B}}$. The communication to generate $\langle {b_1^*}\rangle , \dots , \langle {b_L^*}\rangle $ is $L\kappa $ bits and logarithmic to the number n of AND gates due to $L = O(\rho \log (n/\rho ))$.
3.
$\mathsf P_{B}$ and $\mathsf P_{A}$ initialize $\mathcal {F}_\mathsf {[} bCOT]^{L+1}$ with global keys $\beta _1, \dots , \beta _L, \varDelta _{\textsf{B}}$, and then call $\mathcal {F}_\mathsf {[} bCOT]^{L+1}$ to generate $[\![{\varvec{a}}]\!]_{\beta _1}, \dots , [\![{\varvec{a}}]\!]_{\beta _L}$ and $[\![{\varvec{a}}]\!]_{\varDelta _{\textsf{B}}}$. For each tuple $([\![a_i]\!]_{\beta _1}, \dots , [\![a_i]\!]_{\beta _L})$, we can convert it to $\langle {a_i {\varvec{b}}^*}\rangle $. By multiplying the public matrix $\textbf{M}$, both parties can obtain $\langle {a_i b_j}\rangle $ and $\langle {a_j b_i}\rangle $ for each AND gate $(i, j, k, \wedge )$. From $[\![{\varvec{a}}]\!]_{\varDelta _{\textsf{B}}}$, both parties directly obtain $[\![a_i]\!]_{\varDelta _{\textsf{B}}},[\![a_j]\!]_{\varDelta _{\textsf{B}}}$ for each AND gate $(i, j, k, \wedge )$.
4.
$\mathsf P_{B}$ and $\mathsf P_{A}$ initialize $\mathcal {F}_\mathsf {[} bCOT]^{2}$ with global keys $\beta _0, \varDelta _{\textsf{B}}$, and then call $\mathcal {F}_\mathsf {[} bCOT]^{2}$ to generate $[\![\hat{{\varvec{a}}}]\!]_{\beta _0}$ and $[\![\hat{{\varvec{a}}}]\!]_{\varDelta _{\textsf{B}}}$. Both parties further run the $\textsf{Fix} $ procedure with input $a_{i,j}=a_i \wedge a_j$ to generate $[\![a_{i,j}]\!]_{\beta _0}$ and $[\![a_{i,j}]\!]_{\varDelta _{\textsf{B}}}$, where $[\![a_{i,j}]\!]_{\varDelta _{\textsf{B}}}$ will be used to prove validity of $a_{i,j}$. The parties can convert $[\![\hat{{\varvec{a}}}]\!]_{\beta _0}$ and $\{[\![a_{i,j}]\!]_{\beta _0}\}$ into $\langle {\hat{a}_k}\rangle $ and $\langle {a_{i,j}}\rangle $ for each AND gate $(i,j,k,\wedge )$.
5.
Both parties can locally compute $\langle {{\tilde{b}}_k}\rangle :=\langle {a_{i,j}}\rangle \oplus \langle {a_i b_j}\rangle \oplus \langle {a_j b_i}\rangle \oplus \langle {\hat{a}_k}\rangle $. Then, $\mathsf P_{A}$ can send $\textsf{lsb} (\textsf{D}_{\textsf{A}}[{\tilde{b}}_k])$ to $\mathsf P_{B}$, who computes ${\tilde{b}}_k:=\textsf{lsb} (\textsf{D}_{\textsf{A}}[{\tilde{b}}_k]) \oplus \textsf{lsb} (\textsf{D}_{\textsf{B}}[{\tilde{b}}_k])$ due to $\textsf{lsb} (\varDelta _{\textsf{A}}\varDelta _{\textsf{B}})=1$. Both parties run $\textsf{Fix} $ on input ${\tilde{b}}_k$ to generate $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$.
6.
$\mathsf P_{A}$ and $\mathsf P_{B}$locally compute $[\![\hat{b}_k]\!]_{\varDelta _{\textsf{A}}}:= [\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}} \oplus [\![b_{i,j}]\!]_{\varDelta _{\textsf{A}}}$. Now for each AND gate $(i, j, k, \wedge )$, the parties hold $([\![a_i]\!]_{\varDelta _{\textsf{B}}}, [\![b_i]\!]_{\varDelta _{\textsf{A}}}, [\![a_j]\!]_{\varDelta _{\textsf{B}}}, [\![b_j]\!]_{\varDelta _{\textsf{A}}}, [\![\hat{a}_k]\!]_{\varDelta _{\textsf{B}}}, [\![\hat{b}_k]\!]_{\varDelta _{\textsf{A}}})$.

Consistency check. We have shown how to generate compressed authenticated AND triples. Below, we show how to verify their correctness. We only need to guarantee the consistency of all $\textsf{Fix} $ inputs, all global keys input to the bCOT functionality and all bits sent by $\mathsf P_{A}$ to $\mathsf P_{B}$. When all messages and inputs are consistent, no malicious party can break the correctness of all triples. Specifically, we present the following checks to guarantee the consistency.

1.
Check the correctness of the following authenticated AND triples:
- $([\![b_i]\!]_{\varDelta _{\textsf{A}}}, [\![b_j]\!]_{\varDelta _{\textsf{A}}}, [\![b_{i,j}]\!]_{\varDelta _{\textsf{A}}})$ s.t. $b_{i,j}=b_i \wedge b_j$ for each AND gate $(i, j, k, \wedge )$.
- $([\![a_i]\!]_{\varDelta _{\textsf{B}}}, [\![a_j]\!]_{\varDelta _{\textsf{B}}}, [\![a_{i,j}]\!]_{\varDelta _{\textsf{B}}})$ s.t. $a_{i,j}=a_i \wedge a_j$ for each AND gate $(i, j, k, \wedge )$.
- $([\![b_i^*]\!]_{\varDelta _{\textsf{A}}}, [\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}, [\![B_i^*]\!]_{\varDelta _{\textsf{A}}})$ s.t. $B_i^* = b_i^* \cdot \varDelta _{\textsf{B}}$ for each $i \in [L]$.
2.
The keys $\beta _0, \beta _1, \dots , \beta _L$ input to functionality $\mathcal {F}_\mathsf {[} bCOT]$ are consistent to the values defined in $\langle {1}\rangle , \langle {b_1^*}\rangle , \dots , \langle {b_L^*}\rangle $.
3.
$\mathsf P_{A}$ needs to check that two global keys $\varDelta _{\textsf{B}}^{(1)}$ and $\varDelta _{\textsf{B}}^{(2)}$, respectively, input to functionalities $\mathcal {F}_\mathsf {[} bCOT]^{L+1}$ and $\mathcal {F}_\mathsf {[} bCOT]^2$ are consistent with $\varDelta _{\textsf{B}}$ defined in $\langle {1}\rangle $.
4.
$\mathsf P_{A}$ checks that the bit ${\tilde{b}}_k$ defined in $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$ is consistent to that defined in $\langle {{\tilde{b}}_k}\rangle $, and $\mathsf P_{B}$ checks that ${\tilde{b}}_k$ computed by itself is consistent to that defined in $\langle {{\tilde{b}}_k}\rangle $.

The first two checks guarantee the correctness of $\langle {{\tilde{b}}_k}\rangle $ and $[\![b_{i,j}]\!]_{\varDelta _{\textsf{A}}}$, the third check verifies the consistency of the global keys in $[\![a_i]\!]_{\varDelta _{\textsf{B}}^{(1)}}, [\![a_j]\!]_{\varDelta _{\textsf{B}}^{(1)}}, [\![\hat{a}_k]\!]_{\varDelta _{\textsf{B}}^{(2)}}$, and the final check assures the consistency of bits authenticated between $\langle {{\tilde{b}}_k}\rangle $ and $[\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}}$. Check 1 can be directly realized by calling functionality $\mathcal {F}_\mathsf {[} DVZK]$.

For Check 2, for each $i \in [0,L]$, we let $\mathsf P_{A}$ and $\mathsf P_{B}$ run the $\textsf{Fix} $ procedure w.r.t. $\beta _i$ on input $\varDelta _{\textsf{A}}'$ to generate $[\![\varDelta _{\textsf{A}}']\!]_{\beta _i}$, which can be locally converted into $[\![\beta _i]\!]_{\varDelta _{\textsf{A}}'}$, where $\varDelta _{\textsf{A}}' \in \mathbb {F} _{2^\kappa } $ is sampled uniformly at random by $\mathsf P_{A}$. ^{Footnote 1} For $i \in [0,L]$, we present a new protocol to verify the consistency of $\beta _i$ in the following equations where we define $b_0^* = 1$.

$$\begin{aligned}&\alpha _i + \beta _i = b_i^* \cdot \varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}}, \\&\textsf{K}_\textsf{A} [\beta _i] + \textsf{M}_\textsf{A} [\beta _i] = \beta _i \cdot \varDelta _{\textsf{A}}', \end{aligned}$$

We first multiply two sides of the first equation by $\varDelta _{\textsf{A}}^{-1}$, and obtain $\alpha _i \cdot \varDelta _{\textsf{A}}^{-1} + \beta _i \cdot \varDelta _{\textsf{A}}^{-1} = b_i^* \cdot \varDelta _{\textsf{B}}$. We rewrite the resulting equation as $\textsf{K}_\textsf{A} [\beta _i] + \textsf{M}_\textsf{B} [\beta _i] = \beta _i \cdot \varDelta _{\textsf{A}}^{-1}$ where $\textsf{K}_\textsf{A} [\beta _i] =\alpha _i \cdot \varDelta _{\textsf{A}}^{-1}$ and $\textsf{M}_\textsf{B} [\beta _i] = b_i^* \cdot \varDelta _{\textsf{B}}$. Below, we can adapt the known techniques [19, 21] to check the consistency of $\beta _i$ authenticated under different global keys (i.e., $[\![\beta _i]\!]_{\varDelta _{\textsf{A}}^{-1}}$ and $[\![\beta _i]\!]_{\varDelta _{\textsf{A}}'}$) in a batch (see Sect. 4.3 for details).

For Check 3, we make $\mathsf P_{A}$ and $\mathsf P_{B}$ run the $\textsf{Fix} $ procedure w.r.t. $\varDelta _{\textsf{B}}^{(1)}$ (resp., $\varDelta _{\textsf{B}}^{(2)}$) on input $\varDelta _{\textsf{A}}'$ to obtain $[\![\varDelta _{\textsf{B}}^{(1)}]\!]_{\varDelta _{\textsf{A}}'}$ (resp., $[\![\varDelta _{\textsf{B}}^{(2)}]\!]_{\varDelta _{\textsf{A}}'}$). Authenticated values $[\![\varDelta _{\textsf{B}}^{(1)}]\!]_{\varDelta _{\textsf{A}}'}$ and $[\![\varDelta _{\textsf{B}}^{(2)}]\!]_{\varDelta _{\textsf{A}}'}$ are equivalent to $\langle {1_\textsf{B} ^{(1)}}\rangle $ and $\langle {1_\textsf{B} ^{(2)}}\rangle $ where $\varDelta _{\textsf{B}}^{(1)}\varDelta _{\textsf{A}}'$ and $\varDelta _{\textsf{B}}^{(2)}\varDelta _{\textsf{A}}'$ are used as the global keys in dual-key authentication. Both parties can invoke a relaxed equality-check functionality $\mathcal {F}_\mathsf {[} EQ]$ (shown in the full version [16] ) to check $1_\textsf{B} ^{(1)}-1_\textsf{B} ^{(2)}=0$. Using the checking technique by Dittmer et al. [19], we can also check the consistency of the values authenticated between $[\![\varDelta _{\textsf{B}}^{(1)}]\!]_{\varDelta _{\textsf{A}}'}$ and $[\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$ generated during the sampling phase.

For Check 4, we use a random linear combination approach to perform the check in a batch. Specifically, we can let $\mathsf P_{A}$ and $\mathsf P_{B}$ call $\mathcal {F}_\mathsf {[} COT]$ to generate $[\![{\varvec{r}}]\!]_{\varDelta _{\textsf{A}}}$ and then obtain $[\![r]\!]_{\varDelta _{\textsf{A}}} \leftarrow \textsf{B2F} ([\![{\varvec{r}}]\!]_{\varDelta _{\textsf{A}}})$, where $r \in \mathbb {F} _{2^\kappa } $ is uniform. Then, both parties run $\textsf{Fix} $ w.r.t. $\varDelta _{\textsf{A}}$ on input $r \varDelta _{\textsf{B}}$ to generate $[\![r \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$ (i.e., $\langle {r}\rangle $). We can let the parties call a standard coin-tossing functionality $\mathcal {F}_\mathsf {[} Rand]$ to sample a random element $\chi \in \mathbb {F} _{2^\kappa } $. Then, both parties can locally compute $\langle {y}\rangle :=\sum \chi ^k \cdot \langle {{\tilde{b}}_k}\rangle + \langle {r}\rangle $ and $[\![y]\!]_{\varDelta _{\textsf{A}}}:=\sum \chi ^k \cdot [\![{\tilde{b}}_k]\!]_{\varDelta _{\textsf{A}}} + [\![r]\!]_{\varDelta _{\textsf{A}}}$. Then, $\mathsf P_{B}$ can open $[\![y]\!]_{\varDelta _{\textsf{A}}}$ that allows $\mathsf P_{A}$ to get y in an authenticated way. Finally, both parties can use $\mathcal {F}_\mathsf {[} EQ]$ to verify that the opening of $\langle {y}\rangle -y\cdot \langle {1}\rangle $ is 0. Since $\chi $ is sampled uniformly at random after all authenticated values are determined, the consistency check will detect malicious behaviors except with probability at most $n/2^\kappa $.

3.3 Our Solution for Dual Execution without Leakage

While the evaluator’s random masks are compressed, the state-of-the-art construction of authenticated garbling based on half-gates by Katz et al. [33] is no longer applied. The consistency checking protocol in [33] requires the evaluator to reveal all masked wire values, which is prohibitive for the compression technique. Therefore, based on the technique [40], Dittmer et al. [19] designed a new construction of authenticated garbling without revealing masked wire values. However, this construction incurs extra communication overhead of $3\rho -1$ bits per AND gate, compared to the half-gates-based construction [33].

In duplex networks, communication cost is often measured by one-way communication. This allows us to adopt the idea of dual execution [37] to perform the authentication of circuit evaluation. In the original dual execution [37], the semi-honest Yao-2PC protocol [48] is executed two times with the same inputs in parallel by swapping the roles of parties for the second execution, and then the correctness of the output is verified by checking that the two executions have the same output bits. However, an inherent problem of the above method is that selective failure attacks are allowed to leak one-bit information of the input by the honest party, even though there exists a protocol to check the consistency of inputs in two executions. For example, suppose that $\mathsf P_{A}$ is honest and $\mathsf P_{B}$ is malicious. When $\mathsf P_{A}$ is a garbler and $\mathsf P_{B}$ is an evaluator, both parties compute an output f(x, y) where x is the $\mathsf P_{A}$ ’s input and y is the $\mathsf P_{B}$ ’s input. After swapping the roles, they compute another output g(x, y) with $g \ne f$, as garbler $\mathsf P_{B}$ is malicious. If the output-equality check passes, then $g(x,y)=f(x,y)$, else $g(x,y)\ne f(x,y)$. In both cases, this leaks one-bit information on the input x.

In the authenticated garbling framework, we propose a new technique to circumvent the problem and eliminate the one-bit leakage. Together with our technique to generate compressed authenticated AND triples, we can achieve the cost of one-way communication that is almost the same as the semi-honest half-gates protocol [49]. Specifically, we let $\mathsf P_{A}$ and $\mathsf P_{B}$ execute the protocol, which combines the sub-protocol of generating authenticated AND triples as described above with the construction of distributed garbling [33], for two times with same inputs in the dual-execution way. For each wire w in the circuit, we need to check that the actual values $z_w$ and $z_w'$ in two executions are identical. We perform the checking by verifying $z_w \cdot (\varDelta _{\textsf{A}}\oplus \varDelta _{\textsf{B}}) = z_w' \cdot (\varDelta _{\textsf{A}}\oplus \varDelta _{\textsf{B}})$. Since $\varDelta _{\textsf{A}}\oplus \varDelta _{\textsf{B}}$ is unknown for the adversary, the probability that $z_w \ne z_w'$ but the check passes is negligible. Our approach allows two parties to check the correctness of all wire values in the circuit, and thus prevents selective failure attacks.

In more detail, for each wire w, let $(\varLambda _w, a_w, b_w)$ be the masked value and wire masks in the first execution and $(\varLambda _w', a_w', b_w')$ be the values in the second execution. Thus, $\mathsf P_{A}$ and $\mathsf P_{B}$ need to check that $\varLambda _w \oplus a_w \oplus b_w = \varLambda _w' \oplus a_w' \oplus b_w'$ for each wire w, where the output wires of XOR gates are unnecessary to be checked as they are locally computed. Below, our task is to check that $(\varLambda _w \oplus a_w \oplus b_w)\cdot (\varDelta _{\textsf{A}}\oplus \varDelta _{\textsf{B}}) = (\varLambda _w' \oplus a_w' \oplus b_w')\cdot (\varDelta _{\textsf{A}}\oplus \varDelta _{\textsf{B}})$ holds for each wire w. From the two protocol executions, both parties hold $([\![a_w]\!]_{\varDelta _{\textsf{B}}}, [\![b_w]\!]_{\varDelta _{\textsf{A}}}, [\![a_w']\!]_{\varDelta _{\textsf{B}}}, [\![b_w']\!]_{\varDelta _{\textsf{A}}})$ for each wire w. When $\mathsf P_{A}$ is a garbler and $\mathsf P_{B}$ is an evaluator, $\mathsf P_{A}$ holds a garbled label $\textsf{L} _{w,0}$ and $\mathsf P_{B}$ holds $(\varLambda _w, \textsf{L} _{w, \varLambda _w})$. Since $\textsf{L} _{w, \varLambda _w} = \textsf{L} _{w, 0} \oplus \varLambda _w \varDelta _{\textsf{A}}$ has the form of IT-MACs, we can view $(\textsf{L} _{w, 0}, \textsf{L} _{w, \varLambda _w}, \varLambda _w)$ as an authenticated bit $[\![\varLambda _w]\!]_{\varDelta _{\textsf{A}}}$, where $\textsf{L} _{w,0}$ is considered as the local key and $\textsf{L} _{w, \varLambda _w}$ plays the role of MAC tag. Similarly, when $\mathsf P_{A}$ is an evaluator and $\mathsf P_{B}$ is a garbler, two parties hold an authenticated bit $[\![\varLambda _w']\!]_{\varDelta _{\textsf{B}}}$. Following the known observation (e.g., [33]), for any authenticated bit $[\![y]\!]_{\varDelta _{\textsf{A}}}$, $\mathsf P_{A}$ and $\mathsf P_{B}$ have an additive sharing of $y \cdot \varDelta _{\textsf{A}}=\textsf{K}_\textsf{A} [y] \oplus \textsf{M}_\textsf{B} [y]$. Therefore, for all cross terms, both parties can obtain their additive shares, and then can compute two values that are checked to be identical. In particular, both parties can compute the additive shares of all cross terms: $Z_{w,1}^{\textsf{A}} \oplus Z_{w,1}^{\textsf{B}} = \varLambda _w\varDelta _{\textsf{A}}, Z_{w,2}^{\textsf{A}} \oplus Z_{w,2}^{\textsf{B}} = \varLambda _w' \varDelta _{\textsf{B}}, Z_{w,3}^{\textsf{A}} \oplus Z_{w,3}^{\textsf{B}} = a_w \varDelta _{\textsf{B}}, Z_{w,4}^{\textsf{A}} \oplus Z_{w,4}^{\textsf{B}} = a_w' \varDelta _{\textsf{B}}, Z_{w,5}^{\textsf{A}} \oplus Z_{w,5}^{\textsf{B}} = b_w \varDelta _{\textsf{A}}, Z_{w,6}^{\textsf{A}} \oplus Z_{w,6}^{\textsf{B}} = b_w' \varDelta _{\textsf{A}}$. Then, for each wire w, $\mathsf P_{A}$ and $\mathsf P_{B}$ can, respectively, compute

$$\begin{aligned}&V_w^\textsf{A} = (\oplus _{i \in [6]} Z_{w,i}^{\textsf{A}} ) \oplus a_w \varDelta _{\textsf{A}} \oplus \varLambda _w' \varDelta _{\textsf{A}} \oplus a_w' \varDelta _{\textsf{A}} \\&V_w^\textsf{B} = (\oplus _{i \in [6]} Z_{w,i}^{\textsf{B}} ) \oplus b_w \varDelta _{\textsf{B}} \oplus \varLambda _w \varDelta _{\textsf{B}} \oplus b_w' \varDelta _{\textsf{B}}, \end{aligned}$$

such that $V_w^\textsf{A} = V_w^\textsf{B} $. Without loss of generality, we assume that only $\mathsf P_{B}$ obtains the output, and thus only $\mathsf P_{B}$ needs to check the correctness of all masked values. In this case, we make $\mathsf P_{A}$ send the hash value of all $V_w^\textsf{A} $ to $\mathsf P_{B}$, who can check its correctness with $V_w^\textsf{B} $ for each wire w.

Optimizations for processing inputs. Dittmer et al. [19] consider that the wire masks (i.e., ${\varvec{b}}_\mathcal {I} $) on all wires in $\mathcal {I} _\textsf{B} $ held by evaluator $\mathsf P_{B}$ is uniformly random and authenticated AND triples associated with ${\varvec{b}}_\mathcal {I} $ are generated using the previous approach (e.g., [33]). This will require an independent preprocessing protocol, and also brings more preprocessing communication cost. We solve the problem by specially processing the input of evaluator $\mathsf P_{B}$. In particular, instead of making $\mathsf P_{B}$ send masked value $\varLambda _w:= y_w \oplus b_w$ for each $w \in \mathcal {I} _\textsf{B} $ to $\mathsf P_{A}$ where $y_w$ is the input bit, we use an OT protocol to transmit $\textsf{L} _{w, \varLambda _w}$ to $\mathsf P_{B}$. This allows to keep masked wire values $\varLambda _w:= y_w \oplus b_w$ for all $w \in \mathcal {I} _\textsf{B} $ secret. In this case, we can compress the wire masks using the technique as described in Sect. 3.2 and adopt the same preprocessing protocol to handle ${\varvec{b}}_\mathcal {I} $. Since L is logarithm to the length n of vector ${\varvec{b}}$ (now $n=|\mathcal {W} |+|\mathcal {I} _\textsf{B} |$), this optimization essentially incurs no more overhead for the preprocessing phase. Furthermore, our preprocessing protocol to generate authenticated AND triples has already invoked functionality $\mathcal {F}_\mathsf {[} COT]$. Therefore, we can let two parties call $\mathcal {F}_\mathsf {[} COT]$ to generate random COT correlations in the preprocessing phase, and then transform them to OT correlations in the standard way. This essentially brings no more communication for the preprocessing phase, due to the sublinear communication of the recent protocols instantiating $\mathcal {F}_\mathsf {[} COT]$. Our optimization does not increase the rounds of online phase. As a trade-off, this optimization increases the online communication cost by $|\mathcal {I} _\textsf{B} | \cdot \kappa $ bits.

In the second protocol execution (i.e., $\mathsf P_{A}$ as an evaluator and $\mathsf P_{B}$ as a garbler), we make a further optimization to directly guarantee that the masked values on all circuit-input wires are XOR of actual values and wire masks. In this case, it is unnecessary to check the correctness of masked values on all circuit-input wires between two protocol executions. The key idea is to utilize the authenticated bits and messages on circuit-input wires generated/sent during the first protocol execution along with the authenticated bits produced in the second protocol execution to generate the masked values on the wires in $\mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B} $. Due to the security of IT-MACs, we can guarantee the correctness of these masked values in the second execution. We postpone the details of this optimization to Sect. 5.

3.4 Optimization Toward Minimal Total Communication

We also make effort to minimize the total communication of two-party computation protocols by optimizing the DILO-WRK protocol [19], achieving the two-way communication of $2\kappa + \rho + 5$ bits per AND gate. We explain the intuition behind our optimization as follows.

We first explain the consistency checking protocol in DILO-WRK, which substitutes the state-of-the-art checking technique [33] in the DILO protocol due to aforementioned security issues. In the original WRK protocol [40], the garbler essentially utilizes another garbled circuit AuthGC to compute the MAC tag of $\varLambda _k$ for each AND gate $(i,j,k,\wedge )$, which ensures that the correct $\varLambda _k$ is acquired by the evaluator. The authors of DILO observe that using the half-gates technique the original $4\rho $ bits communication of WRK (which corresponds to an un-optimized garbled circuit) can be optimized to $3\rho $ bits, resulting in a scheme which we dub “DILO-WRK.”

Recall that for each wire $ w $, we use $ a_w, b_w, \varLambda _w $ to denote the wire masks of $\mathsf P_{A}$ and $\mathsf P_{B}$ and the masked wire value. We define $ \lambda _w = a_w \oplus b_w $. Essentially, the goal of the WRK IT-MAC checking is to let the evaluator compute $(\lambda _k \oplus (\varLambda _i \oplus \lambda _i) \cdot (\varLambda _j \oplus \lambda _j)) \cdot \varDelta _{\textsf{B}}$ using the garbled circuit labels and preprocessing information, and compare it against the $\varLambda _k \cdot \varDelta _{\textsf{B}}$ that is locally computable. Since the former term is unalterable by the security of IT-MAC and is correct by definition, consistency follows when the equality check passes. Therefore, consistency checking reduces to an efficient comparison operation.

Our first insight is that unlike regular IT-MAC opening where the entire MAC tag has to be completely conveyed, in the secure computation setting we may settle for evaluating the additive share of $(\lambda _k \oplus (\varLambda _i \oplus \lambda _i) \cdot (\varLambda _j \oplus \lambda _j)) \cdot \varDelta _{\textsf{B}}$ since it is only used for subsequent equality checking. Therefore, we focus on the cross terms $ \varLambda _i \cdot \textsf{M}_\textsf{A} [a_j]$ and $\varLambda _j \cdot \textsf{M}_\textsf{A} [a_i]$ in the expanded equation below.

$$\begin{aligned}&(\lambda _k \oplus (\varLambda _i \oplus \lambda _i) \cdot (\varLambda _j \oplus \lambda _j)) \cdot \varDelta _{\textsf{B}} \\&= \lambda _k \cdot \varDelta _{\textsf{B}} \oplus \varLambda _i \cdot \varLambda _j \cdot \varDelta _{\textsf{B}} \oplus \varLambda _i \cdot \lambda _j \cdot \varDelta _{\textsf{B}} \oplus \varLambda _j \cdot \lambda _i \cdot \varDelta _{\textsf{B}} \oplus \lambda _i \cdot \lambda _j \cdot \varDelta _{\textsf{B}} \\&= \lambda _k \cdot \varDelta _{\textsf{B}} \oplus \varLambda _i \cdot \varLambda _j \cdot \varDelta _{\textsf{B}} \oplus \lambda _i \cdot \lambda _j \cdot \varDelta _{\textsf{B}} \oplus \varLambda _i \cdot b_j \cdot \varDelta _{\textsf{B}} \oplus \varLambda _i \cdot \textsf{K}_\textsf{B} [a_j] \oplus \varLambda _j \cdot b_i \cdot \varDelta _{\textsf{B}} \\&\oplus \varLambda _j \cdot \textsf{K}_\textsf{B} [a_i] \oplus \varLambda _i \cdot \textsf{M}_\textsf{A} [a_j] \oplus \varLambda _j \cdot \textsf{M}_\textsf{A} [a_i] \hspace{5.0pt}. \end{aligned}$$

In the DILO-WRK scheme, the two cross terms are computed as follows. The garbler sends two ciphertexts $G'_{k,1}:= \textsf{H} (\textsf{L} _{i,0}) \oplus \textsf{H} (\textsf{L} _{i,1}) \oplus \textsf{M}_\textsf{A} [a_j]$ and $G'_{k,2}:= \textsf{H} (\textsf{L} _{j,0}) \oplus \textsf{H} (\textsf{L} _{j,1}) \oplus \textsf{M}_\textsf{A} [a_i]$ to the evaluator and defines $C_1:= \textsf{H} (\textsf{L} _{i,0})$, $C_2:= \textsf{H} (\textsf{L} _{j,0}) $. The evaluator computes $D_1:= \textsf{H} (\textsf{L} _{i,\varLambda _i}) \oplus G'_{k,1} = \varLambda _i \cdot \textsf{M}_\textsf{A} [a_j] \oplus C_1$ and $D_2:= \textsf{H} (\textsf{L} _{j,\varLambda _j}) \oplus G'_{k,2} = \varLambda _j \cdot \textsf{M}_\textsf{A} [a_i] \oplus C_2$, which constitute the additive sharing of the cross terms with $C_1$ and $C_2$. In DILO-WRK, the garbler sends an additional message that conveys the XOR of its local shares. Using our observation, this message can be omitted, leading to $2\rho $ bits of communication per AND gate.

In secure computation, the task of checking the aforementioned equality on every AND gate can be effectively reduced to only one equality check via random linear combination. The secure computation task therefore reduces to evaluating $\sum _{(i,j,k,\wedge ) \in \mathcal {C} _\textsf{and}} \chi ^k \cdot (\varLambda _i \cdot \textsf{M}_\textsf{A} [a_j] + \varLambda _j \cdot \textsf{M}_\textsf{A} [a_i])$. Our second observation is that in Free-XOR compatible garbling schemes, every masked wire value $\varLambda _w$ is a public linear combination of the masked values of previous AND gate output wires and input wires. More generally, we define the public binary vector ${\varvec{c}}^w$ for every wire $w \in \mathcal {W} $ such that $\varLambda _w = \sum _{k \in \mathcal {W} \cup \mathcal {I}} c^w_k \cdot \varLambda _k$. Using this notation, we can expand the target expression as

$$\begin{aligned} \sum _{(i,j,k,\wedge ) \in \mathcal {C} _\textsf{and}} \chi ^k \cdot \left( \left( \sum _{k' \in \mathcal {W} \cup \mathcal {I}} c^i_{k'} \cdot \varLambda _{k'} \right) \cdot \textsf{M}_\textsf{A} [a_j] + (\sum _{k' \in \mathcal {W} \cup \mathcal {I}} c^j_{k'} \cdot \varLambda _{k'}) \cdot \textsf{M}_\textsf{A} [a_i] \right) \hspace{5.0pt}. \end{aligned}$$

By exchanging the summation order, the expression is transformed into a linear operation on all the masked $\varLambda _w$ values, where the coefficients can be computed by the garbler. (Notice that the indices are renamed.)

$$\begin{aligned} \sum _{k\in \mathcal {W} \cup \mathcal {I}} \varLambda _k \cdot \sum _{ (i',j',k',\wedge ) \in \mathcal {C} _\textsf{and}} \chi ^{k'} \cdot (c^{i'}_{k} \cdot \textsf{M}_\textsf{A} [a_{j'}] + c^{j'}_{k} \cdot \textsf{M}_\textsf{A} [a_{i'}]) \hspace{5.0pt}. \end{aligned}$$

Using the half-gates technique, we can evaluate the target expression by sending $G'_k:= \textsf{H} (\textsf{L} _{k,0}) \oplus \textsf{H} (\textsf{L} _{k,1}) \oplus \sum _{ (i',j',k',\wedge ) \in \mathcal {C} _\textsf{and}} \chi ^{k'} \cdot (c^{i'}_{k} \cdot \textsf{M}_\textsf{A} [a_{j'}] + c^{j'}_{k} \cdot \textsf{M}_\textsf{A} [a_{i'}])$ for each index $k \in \mathcal {W} \cup \mathcal {I} $, which has amortized communication cost of $\rho $ bits per AND gate. We note that this checking method is applicable to all distributed garbling schemes that support Free-XOR. Therefore, we believe that this sub-protocol $\varPi _\textsf {[}$ $\textsf{GCCheck}$ ] (Fig. 10) is of independent interest.

3.5 Adaptive Security Without Random Oracle

Compared with the conference version [17], we removed the reliance of the random oracle model in our circuit garbling protocols. In particular, we prove the adaptive security of the garbled circuit protocol without using the random oracle, while all previous authenticated garbling protocols with adaptive security [19, 30, 33, 40] uses the random oracle model during circuit garbling. Recall that with adaptive security, the garbler can send the garbled circuit ciphertexts in the preprocessing phase. Then, a malicious evaluator can adaptively choose its input values after seeing the garbled circuit ciphertexts and the protocol remains secure regardless of the evaluator’s choice. Therefore, with adaptive security the parties only need to determine input labels in the online phase, saving online communication.

To prove the adaptive security, one has to construct a simulator that generates the garbled circuit ciphertexts only from the circuit-output values. In particular, the simulation is done without knowing which ciphertexts would be decrypted during evaluation. The choice of ciphertexts is determined by the relevant masked wire values and are collectively referred to as an “active path” [30]. Previous protocols construct the simulator as follows. In the preprocessing phase the ciphertexts and the active path are sampled randomly. Then in the online phase, since the circuit is garbled with a random oracle, we can utilize its programmability to make the garbled circuit evaluation phase output the correct result, regardless of the actual input.

Nevertheless, we observe that in authenticated garbling, the active path is inherently randomized and it is possible to construct such a simulator without using the random oracle. Recall that in our preprocessing protocol, for each wire $ w $, the wire mask $ \lambda _w $ is shared between the garbler $\mathsf P_{A}$ and the evaluator $\mathsf P_{B}$ as $ \lambda _w = a_w \oplus b_w $. In particular, the garbler has uniformly random wire masks $a_w$ for each of the evaluator’s input wire $w \in \mathcal {I} _\textsf{B} $. In the online phase, let $\mathsf P_{B}$ ’s input value for wire $ w \in \mathcal {I} _\textsf{B} $ be $ y_w $. $\mathsf P_{B}$ first specifies its input $\tilde{\varLambda }_w:= y_w \oplus b_w$ and then $\mathsf P_{A}$ opens its wire mask $a_w$, allowing $\mathsf P_{B}$ to learn $\varLambda _w:= a_w \oplus \tilde{\varLambda }_w$.^{Footnote 2}

In our security proof, the simulator generates the garbled circuit using uniformly random $\varLambda _w$ values in the preprocessing phase. Then in the online phase, once it receives $\mathsf P_{B}$ ’s $\tilde{\varLambda }_w$ message, we can define $ a_w = \varLambda _w \oplus {\tilde{\varLambda }}_w$ and open it so that $\mathsf P_{B}$ learns exactly the previously generated $\varLambda _w$ values. Opening arbitrary $ a_w $ values can be done since the simulator knows $\mathsf P_{B}$ ’s authentication key corresponding to $a_w$ and can thus open a flipped value if necessary. Therefore, we can still argue adaptive security even if the garbled circuit is generated without the random oracle. We note that this technique is applicable to both of our online protocol in Sects. 5 and 6.

4 Preprocessing with Compressed Wire Masks

In this section, we introduce the compressed preprocessing functionality $\mathcal {F}_\mathsf {[}$ cpre] (shown in Fig. 3) for two-party computation as well as an efficient protocol $\varPi _\textsf {[}$ cpre] (shown in Figs. 5 and 6) to realize it. In a modular fashion, we first introduce the sub-components which are called in the main preprocessing protocol. The security of the protocol is also argued similarly: we first prove in separate lemmas the respective security properties of sub-components and then utilize these lemmas to prove the main theorem.

On the length of the input masks. In $\mathcal {F}_\mathsf {[}$ cpre], the garbler $\mathsf P_{A}$ has wire masks for each wire $w \in \mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B} \cup \mathcal {W} $. Nevertheless, the masks for $\mathcal {I} _\textsf{B} $ are only required for the security proof without the random oracle model since in the security proof the garbled circuit has to be generated according to the active path and garbler’s input mask for $w \in \mathcal {I} _\textsf{B} $ allows randomized masked wire value in the view of $\mathsf P_{B}$. Therefore, if we can settle for the random oracle model or the garbled circuit ciphertexts are sent during the online phase after the input has been specified, then the wire masks of $\mathsf P_{A}$ can be shortened to $ | \mathcal {I} _\textsf{A} | + | \mathcal {W} | $ bits.

4.1 Dual-Key Authentication

In this subsection, we define the format of dual-key authentication and list some of its properties that we utilize in the upper level preprocessing protocol.

Definition 4

We use the notation $\langle {x}\rangle := (\textsf{D}_{\textsf{A}}[x], \textsf{D}_{\textsf{B}}[x], x)$ to denote the dual-key authenticated value $x \in \mathbb {F}_{2^\kappa }$, where ${\mathsf{P_{A}}}, {\mathsf{P_{B}}} $ holds $\textsf{D}_{\textsf{A}}[x], \textsf{D}_{\textsf{B}}[x]$ subject to $\textsf{D}_{\textsf{A}}[x] + \textsf{D}_{\textsf{B}}[x] = x \varDelta _{\textsf{A}} \varDelta _{\textsf{B}}$ and $\varDelta _{\textsf{A}}, \varDelta _{\textsf{B}}$ are the IT-MAC keys of ${\mathsf{P_{A}}}, {\mathsf{P_{B}}} $, respectively.

We remark that for any $x \in \mathbb {F} _{2^{\kappa }}$, the IT-MAC authentication $[\![x \varDelta _{\textsf{A}}]\!]_{\varDelta _{\textsf{B}}}$ can be locally transformed to $\langle {x}\rangle $, which we summarize in the following macro (the case for $[\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$ can be defined analogously). In particular, $[\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$ is equivalent to $\langle {1}\rangle $, i.e., authentication of the constant $1 \in \mathbb {F} _{2^\kappa }$.

$\langle {x}\rangle \leftarrow \textsf{Convert1}_{[\cdot ]\rightarrow \langle {\cdot }\rangle } ([\![x \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}})$: Set $\textsf{D}_{\textsf{A}}[x]:= \textsf{K}_{\textsf{A}}[x \varDelta _{\textsf{B}}]$ and $\textsf{D}_{\textsf{B}}[x]:= \textsf{M}_{\textsf{B}}[x\varDelta _{\textsf{B}}]$.

For the ease of presentation, we also define the following macro that generates dual-key authentication of cross terms $\langle {xy}\rangle $ assuming the existence of $\langle {y}\rangle := (\alpha , \beta , y)$ and $[\![x]\!]_{\beta } = (\textsf{K}_{\textsf{B}}[x], \textsf{M}_{\textsf{A}}[x], x)$. The correctness can be verified straightforwardly.

$\langle {xy}\rangle \leftarrow \textsf{Convert2}_{[\cdot ]\rightarrow \langle {\cdot }\rangle } ([\![x]\!]_{\beta }, \langle {y}\rangle )$: Given IT-MAC $[\![x]\!]_{\beta }$ and dual-key authentication $\langle {y}\rangle $, ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ locally compute the following steps:
- ${\mathsf{P_{A}}} $ outputs $\textsf{D}_{\textsf{A}}[xy]:= \alpha \cdot x + \textsf{M}_{\textsf{A}}[x]$.
- ${\mathsf{P_{B}}} $ outputs $\textsf{D}_{\textsf{B}}[xy]:= \textsf{K}_{\textsf{B}}[x]$.

In our protocol, we utilize the following properties of dual-key authentication. Since they are straightforward, we only provide brief explanation and refrain from providing detailed description.

Claim

The dual-key authentication is additively homomorphic. In particular, given $\langle {x_1}\rangle := (\textsf{D}_{\textsf{A}}[x_1], \textsf{D}_{\textsf{B}}[x_1], x_1)$ and $\langle {x_2}\rangle := (\textsf{D}_{\textsf{A}}[x_2], \textsf{D}_{\textsf{B}}[x_2], x_2)$, ${\mathsf{P_{A}}},{\mathsf{P_{B}}} $ can locally compute $\langle {x_1 + x_2}\rangle := (\textsf{D}_{\textsf{A}}[x_1] + \textsf{D}_{\textsf{A}}[x_2], \textsf{D}_{\textsf{B}}[x_1] + \textsf{D}_{\textsf{B}}[x_2], x_1 + x_2)$. Moreover, given public constant $ c \in \mathbb {F} _{2^\kappa } $ and $ \langle {x}\rangle := (\textsf{D}_{\textsf{A}}[x], \textsf{D}_{\textsf{B}}[x], x)$, ${\mathsf{P_{A}}},{\mathsf{P_{B}}} $ can locally compute $ \langle {c \cdot x}\rangle := (c \cdot \textsf{D}_{\textsf{A}}[x], c \cdot \textsf{D}_{\textsf{B}}[x], c \cdot x)$.

We define the zero-checking macro $\textsf{CheckZero2} $ which ensures soundness for both parties. We note that this is simply the equality checking operations.

$\textsf{CheckZero2} (\langle {x_1}\rangle ,...\langle {x_\ell }\rangle )$: On input dual-key authenticated values $\langle {x_1}\rangle ,...\langle {x_\ell }\rangle $ both parties check $x_i = 0$ for $i \in [\ell ]$ as follows:
1. 1.
  ${\mathsf{P_{A}}} $ computes $h_\textsf{A}:= \textsf{H} ( \textsf{D}_{\textsf{A}}[x_1],..., \textsf{D}_{\textsf{A}}[x_\ell ] )$, and ${\mathsf{P_{B}}} $ sets $h_\textsf{B}:= \textsf{H} ( \textsf{D}_{\textsf{B}}[x_1],..., \textsf{D}_{\textsf{B}}[x_\ell ] ) $, where $\textsf{H}: {{\{0,1\}}^{*}} \rightarrow {{\{0,1\}}^{\kappa }} $ is a cryptographic hash function modeled as a random oracle.
2. 2.
  Both parties call functionality $\mathcal {F}_\mathsf {[} EQ]$ to check $h_\textsf{A} = h_\textsf{B} $. If $\mathcal {F}_\mathsf {[} EQ]$ outputs $\textsf{false} $, the parties abort.

Notice that the additive homomorphic and zero-checking properties allow us to check that a dual-key authenticated value $\langle {x}\rangle $ matches a public value $x'$ assuming the existence of $\langle {1}\rangle = (\textsf{D}_{\textsf{A}}[1], \textsf{D}_{\textsf{B}}[1], 1)$ by calling $\textsf{CheckZero2} (\langle {x}\rangle - x' \langle {1}\rangle )$. Similar to $\textsf{CheckZero} $, we have the following soundness lemma of $\textsf{CheckZero2} $.

Lemma 3

If $\varDelta _{\textsf{A}}, \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\kappa } $ is sampled uniformly at random and are nonzero and $\textsf{H} $ is modeled as a random oracle, then the probability that there exists some $i \in [\ell ]$ such that $x_i \ne 0$ and ${\mathsf{P_{A}}} $ or ${\mathsf{P_{B}}} $ accepts in the $\textsf{CheckZero2} $ procedure is bounded by $\frac{2}{2^\kappa }$.

4.2 Global-Key Sampling

We require $\varDelta _{\textsf{A}} \ne 0$, $\varDelta _{\textsf{B}} \ne 0$, and $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}) = 1$ in the preprocessing phase to facilitate dual-key authentication. Considering the requirement of half-gates garbling, we have the constraints $\textsf{lsb} (\varDelta _{\textsf{A}}) = 1$, $\textsf{msb} (\varDelta _{\textsf{B}}) = 1$, and $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}) = 1$ in $\mathcal {F}_\mathsf {[} cpre]$. We design the protocol $\varPi _\textsf {[} samp]$ in Fig. 4 and argue in Lemma 4 that the key constraints are satisfied.

Lemma 4

The protocol $\varPi _\textsf {[} samp]$ satisfies the following properties:

The outputs satisfy that $\textsf{lsb} (\varDelta _{\textsf{A}}) = 1$, $\textsf{msb} (\varDelta _{\textsf{B}}) = 1$, and $\textsf{lsb} (\varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}}) = 1$ in the honest case.
If $\textsf{lsb} (\varDelta _{\textsf{A}}) \ne 1$ then $\mathsf P_{B}$ aborts except with probability $2^{-\rho }$. Conditioned on $\varDelta _{\textsf{A}} \ne 0$, if $\textsf{lsb} (\varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}}) \ne 1$ then $\mathsf P_{B}$ aborts except with probability $2^{-\rho }$.
If $\textsf{msb} (\varDelta _{B}) \ne 1$ then $\mathsf P_{A}$ aborts except with probability $2^{-\rho }$. Conditioned on $\varDelta _{\textsf{B}} \ne 0$, if $\textsf{lsb} (\varDelta _{\textsf{A}} \cdot \varDelta _{\textsf{B}}) \ne 1$ then $\mathsf P_{B}$ aborts except with probability $\frac{2}{2^\kappa } + 2^{-\rho }$, where $\tau $ upper bounds the running time of $\mathsf P_{B}$.

Proof

For the honest case since ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ follow the protocol instruction when sampling keys, the constraints on $\varDelta _{\textsf{A}}$ and $\varDelta _{\textsf{B}}$ are satisfied automatically. Moreover, notice that $\textsf{lsb} (\varDelta _{\textsf{A}} \tilde{\varDelta }_{\textsf{B}}) = \textsf{lsb} (\textsf{K}_{\textsf{A}}[\tilde{\varDelta }_{\textsf{B}}]) \oplus \textsf{lsb} (\textsf{M}_{\textsf{B}}[\tilde{\varDelta }_{\textsf{B}}])$ and $\textsf{lsb} (\varDelta _{\textsf{A}}) = 1$. If the parties discover in step 6b that $\textsf{lsb} (\varDelta _{\textsf{A}} \tilde{\varDelta }_{\textsf{B}}) = 0$, ${\mathsf{P_{B}}} $ sets $\varDelta _{\textsf{B}}:= \tilde{\varDelta }_{\textsf{B}}' \oplus 1$ and $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}) = \textsf{lsb} (\varDelta _{\textsf{A}} \tilde{\varDelta }_{\textsf{B}} + \varDelta _{\textsf{A}}) = 1$.

For the case of a corrupted ${\mathsf{P_{A}}} $, notice that $\textsf{lsb} (\textsf{K}_{\textsf{A}}[r]) \oplus \textsf{lsb} (\textsf{M}_{\textsf{B}}[r]) = r \cdot \textsf{lsb} (\varDelta _{\textsf{A}})$ and $\textsf{lsb} (\textsf{D}_{\textsf{A}}[r]) \oplus \textsf{lsb} (\textsf{D}_{\textsf{B}}[r]) = r \cdot \textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}})$ for $r \in \mathbb {F}_2$. If $\textsf{lsb} (\varDelta _{\textsf{A}}) = 0$ then ${\mathsf{P_{A}}} $ passing the test is equivalent to $m_{\textsf{A}}^0$ $\oplus $ $(\textsf{lsb} (\textsf{K}_{\textsf{A}}[u_{1}])$, ..., $\textsf{lsb} (\textsf{K}_{\textsf{A}}[u_{\rho }]))$ $=$ ${\varvec{u}}$ which happens with $2^{-\rho }$ probability since ${\varvec{u}}$ is sampled independently from the left-hand side of the equation. Conditioned on $\varDelta _{\textsf{A}} \ne 0$, the second test passes when $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}) = 0$ except with $2^{-\rho }$ probability from similar argument.

For the case of a corrupted ${\mathsf{P_{B}}} $, the checks in step 5 and step 6e are equivalent to the corrupted ${\mathsf{P_{A}}} $ case. Thus, the soundness of the first check is $2^{-\rho }$. Also Lemma 3 guarantees that inconsistent $\varDelta _{\textsf{B}}$ will be detected except with $\frac{2}{2^\kappa }$ probability. By union bound the soundness of the second check is $\frac{2}{2^\kappa } + 2^{-\rho }$. $\square $

4.3 Consistency Check Between Values and MAC Tags

In our protocol to generate dual-key authentication, we need a party (e.g., ${\mathsf{P_{B}}} $) to use the MAC tags (denoted as $\{\beta _i\}$) of some existing IT-MAC authenticated values as the global keys of another $\mathcal {F}_\mathsf {[} bCOT]$ instance (denoted as $\{\beta _i'\}$). We enforce this constraint by checking equality between values authenticated by different keys. Our first observation is that the MAC tags are already implicitly authenticated by $\varDelta _{\textsf{A}}^{-1}$.

Authentication under inverse key. We define the $\textsf{Invert} $ macro to locally convert $[\![x]\!]_{\varDelta _{\textsf{A}}} = (\textsf{K}_{\textsf{A}}[x], \textsf{M}_{\textsf{B}}[x], x)$ to $[\![y]\!]_{\varDelta _{\textsf{A}}^{-1}}:= (\textsf{K}_{\textsf{A}}[y], \textsf{M}_{\textsf{B}}[y], y)$. We note that this technique appeared previously in the certified VOLE protocols [21].

$[\![y]\!]_{\varDelta _{\textsf{A}}^{-1}} \leftarrow \textsf{Invert} ([\![x]\!]_{\varDelta _{\textsf{A}}}) $: On input $[\![x]\!]_{\varDelta _{\textsf{A}}}$ for $x \in \mathbb {F} _{2^\kappa } $, ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ execute the following:
- ${\mathsf{P_{B}}} $ outputs $y:= \textsf{M}_{\textsf{B}}[x]$ and $\textsf{M}_{\textsf{B}}[y]:= x$.
- ${\mathsf{P_{A}}} $ outputs $\textsf{K}_{\textsf{A}}[y]:= \textsf{K}_{\textsf{A}}[x] \cdot \varDelta _{\textsf{A}}^{-1}\in \mathbb {F} _{2^\kappa } $.

We demonstrate the correctness of the $\textsf{Invert} $ macro as follows.

Lemma 5

Let $[\![x]\!]_{\varDelta _{\textsf{A}}} = (\alpha , \beta , x)$ where $x \in \mathbb {F} _{2^\kappa }$ then the MAC tag of ${\mathsf{P_{B}}} $, $\beta $, is implicitly authenticated by $\varDelta _{\textsf{A}}^{-1}$, i.e., the inverse of ${\mathsf{P_{A}}} $’s global key over $\mathbb {F} _{2^{\kappa }}$.

This claim can be verified by multiplying both sides of the equation by $\varDelta _{\textsf{A}}^{-1}$.

$$\begin{aligned} \underbrace{\beta }_{\textsf{M}_{\textsf{B}}[x]} = \underbrace{\alpha }_{\textsf{K}_{\textsf{A}}[x]} + x \cdot \varDelta _{\textsf{A}} \implies \underbrace{x}_{\textsf{M}_{\textsf{B}}[\beta ]} = \underbrace{\alpha \cdot \varDelta _{\textsf{A}}^{-1}}_{\textsf{K}_{\textsf{A}}[\beta ]} + \beta \cdot \varDelta _{\textsf{A}}^{-1}\hspace{5.0pt}. \end{aligned}$$

Random inverse key authentication. Notice that in the $\textsf{Invert} $ macro, if we require the input $[\![x]\!]_{\varDelta _{\textsf{A}}}$ to be uniformly random, i.e., $x \leftarrow \mathbb {F} _{2^{\kappa }}$, then the output value $y:= \textsf{M}_{\textsf{A}}[x] = x \varDelta _{\textsf{A}} - \textsf{K}_{\textsf{B}}[x]$ is also uniformly random in the view of ${\mathsf{P_{A}}} $. Using this method, we can generate random $\mathbb {F} _{2^\kappa } $ elements authenticated by $\varDelta _{\textsf{A}}^{-1}$.

Equality check across different keys. We recall a known technique to verify equality between two values authenticated by respective independent keys [19], which we summarize in the $\textsf{EQCheck} $ macro. We recall its soundness in Lemma 6 and prove it in the full version [16]. In the following, we assume that $\mathcal {F}_\mathsf {[} COT]$ has been initialized with (sid, $\varDelta _{\textsf{A}}$) and ($sid'$, $\varDelta _{\textsf{A}}'$).

$\textsf{EQCheck} (\{[\![y_i]\!]_{\varDelta _{\textsf{A}}}\}_{i \in [\ell ]}, \{[\![y_i']\!]_{\varDelta _{\textsf{A}}'}\}_{i \in [\ell ]})$: On input two sets of authenticated values under different keys $\varDelta _{\textsf{A}}, \varDelta _{\textsf{A}}'$, ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ check that $y_i=y_i'$ for all $i \in [\ell ]$ as follows:
1. 1.
  Let $[\![y_i]\!]_{\varDelta _{\textsf{A}}} = (k_i, m_i, y_i)$ and $[\![y'_i]\!]_{\varDelta _{\textsf{A}}'} = (k_i', m_i', y_i')$. ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ run $\textsf{Fix} (sid, \{m_i'\}_{i \in [\ell ]})$ to obtain a set of authenticated values $\{[\![m_i']\!]_{\varDelta _{\textsf{A}}}\}_{i \in [\ell ]}$, and also run $\textsf{Fix} (sid', \{m_i\}_{i \in [\ell ]})$ to get another set of authenticated values $\{[\![m_i]\!]_{\varDelta _{\textsf{A}}'}\}_{i \in [\ell ]}$.
2. 2.
  For each $i \in [\ell ]$, $\mathsf P_{A}$ computes $V_i:=k_i \cdot \varDelta _{\textsf{A}}' + k_i' \cdot \varDelta _{\textsf{A}} + \textsf{K}_{\textsf{A}}[m_i]_{\varDelta _{\textsf{A}}'} + \textsf{K}_{\textsf{A}}[m_i']_{\varDelta _{\textsf{A}}} \in \mathbb {F} _{2^\kappa } $, and $\mathsf P_{B}$ computes $W_i:=\textsf{M}_{\textsf{B}}[m_i]_{\varDelta _{\textsf{A}}'} + \textsf{M}_{\textsf{B}}[m_i']_{\varDelta _{\textsf{A}}} \in \mathbb {F} _{2^\kappa } $.
3. 3.
  $\mathsf P_{B}$ sends $h_\textsf{B}:= \textsf{H} ( W_1,..., W_\ell )$ to $\mathsf P_{A}$, who computes $h_\textsf{A}:= \textsf{H} ( V_1,..., V_\ell )$ and verifies that $h_\textsf{A} = h_\textsf{B} $. If the check fails, $\mathsf P_{A}$ aborts. Here, $\textsf{H}: {{\{0,1\}}^{*}} \rightarrow {{\{0,1\}}^{\kappa }} $ is a cryptographic hash function modeled as a random oracle.

Lemma 6

If $\varDelta _{\textsf{A}}$ and $\varDelta _{\textsf{A}}'$ are independently sampled from $\mathbb {F} _{2^\kappa } $, then the probability that there exists some $i \in [\ell ]$ such that $y_i \ne y_i'$ and ${\mathsf{P_{A}}} $ accepts in the $\textsf{EQCheck} $ procedure is bounded by $\frac{3}{2^\kappa }$.

The consistency check. The observation in Lemma 5 suggests that the MAC tags $\{\beta _i\}$ are already implicitly authenticated by $\varDelta _{\textsf{A}}^{-1}$. Moreover, by calling $\textsf{Fix} (\varDelta _{\textsf{A}}')$, $\mathsf P_{A}$ and $\mathsf P_{B}$ can acquire $\{[\![\varDelta _{\textsf{A}}']\!]_{\beta _i'}\}$ and locally convert them to $\{[\![\beta _i']\!]_{\varDelta _{\textsf{A}}'}\}$. Since $\varDelta _{\textsf{A}}$ and $\varDelta _{\textsf{A}}'$ are independent, we can apply $\textsf{EQCheck} $ to complete our goal.

We list the differences that inverse key authentication induces to $\textsf{EQCheck} $. Recall that $\mathcal {F}_\mathsf {[} COT]$ has been initialized with (sid, $\varDelta _{\textsf{A}}$) and ($sid'$, $\varDelta _{\textsf{A}}'$).

$\textsf{EQCheck} (\{[\![\beta _i]\!]_{\varDelta _{\textsf{A}}^{-1}}\}_{i \in [\ell ]}, \{[\![\beta _i']\!]_{\varDelta _{\textsf{A}}'}\}_{i \in [\ell ]})$: On input two sets of authenticated values under different keys $\varDelta _{\textsf{A}}^{-1}, \varDelta _{\textsf{A}}'$, ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ check that $\beta _i=\beta _i'$ for all $i \in [\ell ]$ as follows:
1. 1.
  ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ call $\mathcal {F}_\mathsf {[} COT]$ on the same input ($\textsf{extend} $, sid, $\ell \kappa $) to get $[\![{\varvec{r}}_1]\!]_{\varDelta _{\textsf{A}}}, \dots , [\![{\varvec{r}}_\ell ]\!]_{\varDelta _{\textsf{A}}}$ with ${\varvec{r}}_i \in \mathbb {F} _{2^\kappa } $. Then, for $i \in [\ell ]$, both parties define $[\![r_i]\!]_{\varDelta _{\textsf{A}}}:= \textsf{B2F} ([\![{\varvec{r}}_i]\!]_{\varDelta _{\textsf{A}}})$ with $r_i \in \mathbb {F} _{2^\kappa } $, and set $[\![s_i]\!]_{\varDelta _{\textsf{A}}^{-1}}:= \textsf{Invert} ([\![r_i]\!]_{\varDelta _{\textsf{A}}})$.
2. 2.
  ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ run $\textsf{EQCheck} (\{[\![\beta _i]\!]_{\varDelta _{\textsf{A}}^{-1}}\}_{i \in [\ell ]}, \{[\![\beta _i']\!]_{\varDelta _{\textsf{A}}'}\}_{i \in [\ell ]})$ as described above, except that they use random authenticated values $[s_i]_{\varDelta _{\textsf{A}}^{-1}}$ for $i \in [\ell ]$ to generate chosen authenticated values under $\varDelta _{\textsf{A}}^{-1}$ in the $\textsf{Fix} $ procedure.

It is straightforward to verify the soundness is not affected by changing to the inverse key. Thus, we omit the proof of the following lemma.

Lemma 7

If $\varDelta _{\textsf{A}}$ and $\varDelta _{\textsf{A}}'$ are independently sampled from $\mathbb {F} _{2^\kappa } $, then the probability that there exists some $i \in [\ell ]$ such that $\beta _i \ne \beta _i'$ and ${\mathsf{P_{A}}} $ accepts in the $\textsf{EQCheck} $ procedure is bounded by $\frac{3}{2^\kappa }$.

4.4 Circuit Dependent Compressed Preprocessing

We now describe the protocol to realize the functionality $\mathcal {F}_\mathsf {[} cpre]$. Following the conventions of previous works, we defer all consistency checks to the end of the protocol. Notice that step 1 to step 5 corresponds to the circuit-independent phase (where we only require the scale rather than the topology information of the circuit) while the rest is the circuit-dependent phase (where the entire circuit is known). The protocol is shown in Figs. 5 and 6. We then analyze its security in Theorem 1. The proof is presented in the full version [16].

Theorem 1

Protocol $\varPi _\textsf {[} cpre]$ shown in Figs. 5 and 6 securely realizes functionality $\mathcal {F}_\mathsf {[} cpre]$ (Fig. 3) against malicious adversaries in the $(\mathcal {F}_\mathsf {[} COT], \mathcal {F}_\mathsf {[} bCOT], \mathcal {F}_\mathsf {[} DVZK],$ $\mathcal {F}_\mathsf {[} EQ], \mathcal {F}_\mathsf {[} Rand])$-hybrid model.

Consistency checks. We explain the rationale of the consistency checks in $\varPi _\textsf {[} cpre]$.

The $\mathcal {F}_\mathsf {[} DVZK]$ in step 11 checks that the $\textsf{Fix}$ inputs of $\mathsf P_{A}$ in step 6 and those of $\mathsf P_{B}$ in step 6 and step 3 are well-formed.
The $\textsf{CheckZero2}$ and $\textsf{EQCheck}$ in step 12 ensure to $\mathsf P_{A}$ that the multiple instances of $\varDelta _{\textsf{B}}$ in $\varPi _\textsf {[} samp]$ (Fig. 4) and $\varPi _\textsf {[} cpre]$ (step 4 and step 5 in Fig. 5) are identical. Also, $\mathsf P_{B}$ can make sure that $\varDelta _{\textsf{A}}'$ in step 4 and step 5 of $\varPi _\textsf {[} cpre]$ (Fig. 5) are identical.
$\mathsf P_{B}$ checks that the message in step 9 of $\varPi _\textsf {[} cpre]$ from $\mathsf P_{A}$ are correct. To do this, $\mathsf P_{B}$ checks its locally computed value against the dual-key authenticated value, which is unalterable. Moreover, we reduce the communication using random linear combination. This is done in step 14 and step 15 of $\varPi _\textsf {[} cpre]$ (Fig. 6).
$\mathsf P_{A}$ checks that the $\textsf{Fix}$ inputs of $\mathsf P_{B}$ in step 10 of $\varPi _\textsf {[}$ cpre] (Fig. 6) are correct. This is done by checking the IT-MAC authenticated values against the dual-key authenticated ones in step 16 of $\varPi _\textsf {[}$ cpre] (Fig. 6).

Optimization based on Fiat–Shamir. In the protocol $\varPi _\textsf {[} cpre]$, both parties choose random public challenges by calling functionality $\mathcal {F}_\mathsf {[} Rand]$. Based on the Fiat–Shamir heuristic [23], both parties can generate the challenges by hashing the protocol transcript up until this point, which is secure in the random oracle model. This optimization can save one communication round, and has also been used in previous work such as [10, 47].

Communication complexity.

As recent PCG-like COT protocols have communication complexity sublinear to the number of resulting correlations, we can ignore the communication cost of generating random COT correlations when counting the communication amortized to every triple. Our checking protocols only introduce a negligibly small communication overhead. Therefore, the $\textsf{Fix}$ procedure brings the main communication cost where $\textsf{Fix}$ is used to transform random COT to chosen COT. Also, since parameter L is logarithmic to the number n of triples, we only need to consider the $\textsf{Fix}$ procedures related to n.

This includes IT-MAC generation of $a_{i,j}$ (from $\mathsf P_{A}$ to $\mathsf P_{B}$ in step 7 of Fig. 5), $b_{i,j}$ (from $\mathsf P_{B}$ to $\mathsf P_{A}$ in the same step), $\hat{b}_k$ (from $\mathsf P_{B}$ to $\mathsf P_{A}$ in step 10 of Fig. 6). In addition, for each triple, $\mathsf P_{A}$ needs to send $\textsf{lsb} (\textsf{D}_\textsf{A} [{\tilde{b}}_k])$ to $\mathsf P_{B}$ in step 9 of Fig. 6. Overall, the one-way communication cost is 2 bits per triple.

5 Authenticated Garbling from COT

Now we describe the online phase of our two-party computation protocol. We first introduce a generalized distributed garbling syntax which can be instantiated by different schemes and then introduce the complete Boolean circuit evaluation protocol $\varPi _\textsf {[}$ 2PC].

5.1 Distributed Garbling

We define the format of distributed garbling using two macros ${\textsf{Garble}} $ and ${\textsf{Eval}} $, assuming that the preprocessing information is ready. Notice that these two macros can be instantiated by different garbling schemes. We utilize the distributed half-gates garbling scheme [33] for both of our protocols. For the protocol in this section that optimizes toward one-way communication, we apply the dual-execution technique to check consistency, whereas for the second protocol in the next section that optimizes toward total communication, we design a novel consistency checking procedure that achieves $\rho $ bits of communication per AND gate. Since our second protocol is inspired by the optimized WRK garbling of Dittmer et al. [19], we recall that scheme as well as the distributed half-gates garbling in the full version [16].

${\textsf{Garble}} (\mathcal {C})$: $\mathsf P_{A}$ and $\mathsf P_{B}$ perform local operations as follows:
- $\mathsf P_{A}$ computes and outputs $(\mathcal{G}\mathcal{C} _\textsf{A}, \{\textsf{L} _{w,0}, \textsf{L} _{w,1}\}_{w \in \mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B} \cup \mathcal {W} \cup \mathcal {O}})$.
- $\mathsf P_{B}$ computes and outputs $\mathcal{G}\mathcal{C} _\textsf{B} $.
${\textsf{Eval}} (\mathcal{G}\mathcal{C} _\textsf{A}, \mathcal{G}\mathcal{C} _\textsf{B}, \{(\varLambda _w, \textsf{L} _{w, \varLambda _w})\}_{w \in \mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B}})$: $\mathsf P_{B}$ evaluates the garbled circuit and gets $\{ \varLambda _w, \textsf{L} _{w, \varLambda _w}\}_{w \in \mathcal {W} \cup \mathcal {O}}$.

In semi-honest garbling schemes [39, 49], the garbler controls all wire masks. Moreover, those schemes process the circuit in a gate-by-gate manner, and for each gate the evaluator only chooses some ciphertexts according to the masked gate inputs. Using those facts, the garbler can launch the selective failure attack by filling some ciphertext locations w.r.t. a Boolean gate with random values such that inconsistency only occurs when the evaluator uses those ciphertexts.^{Footnote 3} Since the garbler can deduce the real wire values from masked wire values, the inconsistency event is correlated with the circuit real values, damaging privacy.

Distributed garbling schemes solve this problem by secret sharing wire masks between the garbler and the evaluator such that the aforementioned inconsistency event is independent of real wire values in the garbler’s view. If the evaluator’s shares are uniformly random as in [33, 40] then the wire masks are of full entropy and the probability of inconsistency is independent of the input values. Moreover, Dittmer et al. [19] observed that if the evaluator’s masks satisfy $2\rho $-wise independence then the probabilities of inconsistency differ with at most $ 2^{-\rho } $ under different input values and is sufficient for defeating selective failure. Therefore, we present a quantified version of selective failure resilience of distributed garbling in Definition 5.

Definition 5

Let ${\textsf{Garble}} $ and ${\textsf{Eval}} $ define a distributed garbling scheme in the preprocessing model. The garbler $ {\mathsf{P_{A}}} $ holds $\varDelta _{\textsf{A}}$, the evaluator $ {\mathsf{P_{B}}} $ holds $ \varDelta _{\textsf{B}} $ and both have $([\![{\varvec{a}}]\!]_{\varDelta _{\textsf{B}}}, [\![\hat{{\varvec{a}}}]\!]_{\varDelta _{\textsf{B}}}, [\![{\varvec{b}}]\!]_{\varDelta _{\textsf{A}}}, [\![\hat{{\varvec{b}}}]\!]_{\varDelta _{\textsf{A}}})$. Using the circuit notations in Sect. 2.1, we consider the following experiment induced by $\mathsf P_{B}$ ’s input $ {\varvec{y}}$.

1.
$\mathsf P_{A}$ provides $ \mathcal{G}\mathcal{C} _\textsf{A}, \{ (\textsf{L} _{w, 0}, \textsf{L} _{w, 1}) \}_{w \in \mathcal {I} _\textsf{B}}, \{ (\varLambda _w, \textsf{L} _{w, \varLambda _w}) \}_{w \in \mathcal {I} _\textsf{A}} $
2.
$\mathsf P_{B}$ runs $ {\textsf{Garble}} (\mathcal {C}) $ to get $ \mathcal{G}\mathcal{C} _\textsf{B} $ and defines $ \varLambda _w = y_w \oplus a_w \oplus b_w $ for $ w \in \mathcal {I} _\textsf{B} $. $\mathsf P_{B}$ runs
$$\begin{aligned} \{ \varLambda _w, \textsf{L} _{w, \varLambda _w}\}_{w \in \mathcal {W} \cup \mathcal {O}} \leftarrow {\textsf{Eval}} (\mathcal{G}\mathcal{C} _\textsf{A}, \mathcal{G}\mathcal{C} _\textsf{B}, \{(\varLambda _w, \textsf{L} _{w, \varLambda _w})\}_{w \in \mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B}}) \end{aligned}$$
to learn $ \varLambda _w $ for $ w \in \mathcal {W} $.
3.
Let $ {\varvec{z}}$ be the output of $ \mathcal {C} $ on inputs $ {\varvec{x}}, {\varvec{y}}$ where $ {\varvec{x}}$ is defined as $ x_w = a_w \oplus b_w \oplus \varLambda _w $ for $ w \in \mathcal {I} _\textsf{A} $. Let $ \textsf{Bad}_{{\varvec{y}}}$ be the event that $ \exists w \in \mathcal {W}, z_w \ne a_w \oplus b_w \oplus \varLambda _w $.

We call a distributed garbling scheme to be $\epsilon $-selective failure resilience, if for any ${\varvec{y}}, {\varvec{y}}'$ s.t. ${\varvec{y}}\ne {\varvec{y}}'$, we have

$$\begin{aligned} \left| \Pr [ \textsf{Bad}_{{\varvec{y}}} ] - \Pr [ \textsf{Bad}_{{\varvec{y}}'} ] \right| \le \epsilon \hspace{5.0pt}. \end{aligned}$$

With uncompressed preprocessing, the DILO-WRK and KRRW distributed garbling (recalled in the full version [16].) has 0-selective failure resilience [33, 40] since the inputs $\varLambda _w$ to ${\textsf{Eval}} $ are completely masked and independent of the real input. In Lemma 8, we show that for the KRRW scheme that we use in this paper, replacing the evaluator’s mask to $2\rho $-wise independent randomness induces $2^{-\rho }$-selective failure resilience.^{Footnote 4} The proof is given in the full version [16].

Lemma 8

By sampling the wire masks ${\varvec{a}}, {\varvec{b}}$ using the compressed preprocessing functionality $\mathcal {F}_\mathsf {[} cpre]$ (recall that ${\varvec{b}}:= \textbf{M}\cdot {\varvec{b}}^*$ is compressed randomness), the KRRW distributed garbling scheme (see details in the full version [16].)

has $2^{-\rho }$-selective failure resilience.

The next lemma states that after evaluating the garbled circuit the garbler and evaluator implicitly holds the authentication of the masked public wire values (color/permutation bits). To the best of our knowledge, we are the first to apply this observation in the consistency check of authenticated garbling.

Lemma 9

After running ${\textsf{Eval}} $, the evaluator holds the “color bits” $\varLambda _w$ for every wire $w \in \mathcal {W} $. The garbler ${\mathsf{P_{A}}} $ and evaluator ${\mathsf{P_{B}}} $ also hold $\textsf{K}_{\textsf{A}}[ \varLambda _w], \textsf{M}_{\textsf{B}}[ \varLambda _w]$ subject to $\textsf{M}_{\textsf{B}}[ \varLambda _w] = \textsf{K}_{\textsf{A}}[ \varLambda _w] + \varLambda _w \varDelta _{\textsf{A}}$.

Proof

We can define the following values using only wire labels:

$$\begin{aligned} \varLambda _w:= (\textsf{L} _{w,0} \oplus \textsf{L} _{w,\varLambda _w}) \cdot \varDelta _{\textsf{A}}^{-1}, \quad \textsf{M}_{\textsf{B}}[ \varLambda _w]:= \textsf{L} _{w, \varLambda _w}, \quad \textsf{K}_{\textsf{A}}[ \varLambda _w]:= \textsf{L} _{w, 0} \hspace{5.0pt}. \end{aligned}$$

It is easy to verify $\textsf{M}_{\textsf{B}}[ \varLambda _w] = \textsf{K}_{\textsf{A}}[ \varLambda _w] + \varLambda _w \cdot \varDelta _{\textsf{A}}$, which implies that $[\![\varLambda _w]\!]_{\varDelta _{\textsf{A}}}:= (\textsf{L} _{w, 0}, \textsf{L} _{w, \varLambda _w}, \varLambda _w)$ is a valid IT-MAC. $\square $

5.2 A Dual-Execution Protocol Without Leakage

We describe a malicious secure 2PC protocol with almost the same one-way communication as half-gates garbling. We achieve this by adapting the dual-execution technique to the distributed garbling setting. Intuitively, our observation in Lemma 9 allows us to check the consistency of every wire of the circuit. Together with some IT-MAC techniques to ensure input consistency, our protocol circumvents the one-bit leakage of previous dual-execution protocols [31, 32].

In the following descriptions, we denote the actual value induced by the input on each wire w of the circuit $\mathcal {C} $ by $z_w$. The masked value on that wire is denoted as $\varLambda _w:= z_w \oplus a_w \oplus b_w$ which is revealed to the evaluator during evaluation. The protocol is described in Figs. 7 and 8.

Intuitions of Consistency Checking. The privacy of garbled circuit guarantees that when the garbled circuit is correctly computed, then except with negligible probability the evaluator can only acquire one of the two labels (corresponding to the active path) for each wire in the circuit. Thus, we can check the color bits of the honest party against the labels that the corrupted party acquires (in the separate execution) to verify consistency.

Using the notations from Lemma 9, we may define $\varLambda _w$ using the wire labels $ \textsf{L} _{w, 0}, \textsf{L} _{w, \varLambda _w} $ and the global key $\varDelta $. Our goal is to check the following equations where the left-hand (resp. right-hand) side is the evaluation result of $\mathsf P_{A}$ (resp. $\mathsf P_{B}$). Here, Eq. 1 is the corrupted $\mathsf P_{A}$ case while Eq. 2 is the corrupted $\mathsf P_{B}$ case.

$$\begin{aligned}&(\textsf{L} _{w, \varLambda _w'}' \oplus \textsf{L} _{w, 0}') \cdot \varDelta _{\textsf{B}}^{-1}\oplus a_w' \oplus b_w' = \varLambda _w \oplus a_w \oplus b_w \end{aligned}$$

(1)

$$\begin{aligned}&\varLambda _w' \oplus a_w' \oplus b_w' = (\textsf{L} _{w, \varLambda _w} \oplus \textsf{L} _{w, 0}) \cdot \varDelta _{\textsf{A}}^{-1}\oplus a_w \oplus b_w \hspace{5.0pt}. \end{aligned}$$

(2)

Multiplying the first equation by $\varDelta _{\textsf{B}}$, the second by $\varDelta _{\textsf{A}}$ and do summation^{Footnote 5} gives the $ V_w^{\textsf{A}}, V_w^{\textsf{B}}$ values in the consistency checking.

$$\begin{aligned} \begin{matrix} (a_w \oplus a_w' \oplus \varLambda _w') \varDelta _{\textsf{A}} \oplus \textsf{M}_{\textsf{A}}[a_w] \oplus \textsf{M}_{\textsf{A}}[a_w'] \\ \oplus \textsf{M}_{\textsf{A}}[ \varLambda _w'] \oplus \textsf{K}_{\textsf{A}}[b_w] \oplus \textsf{K}_{\textsf{A}}[b_w'] \oplus \textsf{K}_{\textsf{A}}[\varLambda _w] \end{matrix}\\ \qquad = \begin{matrix} (b_w \oplus b_w' \oplus \varLambda _w) \varDelta _{\textsf{B}} \oplus \textsf{M}_{\textsf{B}}[b_w] \oplus \textsf{M}_{\textsf{B}}[b_w'] \\ \oplus \textsf{M}_{\textsf{B}}[ \varLambda _w] \oplus \textsf{K}_{\textsf{B}}[a_w] \oplus \textsf{K}_{\textsf{B}}[a_w'] \oplus \textsf{K}_{\textsf{B}}[\varLambda _w'] \end{matrix} \end{aligned}$$

Communication complexity. In our dual-execution protocol, ${\mathsf{P_{A}}} $ and ${\mathsf{P_{B}}} $ send $(2\kappa + 1) |\mathcal {W} | + (\kappa + 2) |\mathcal {I} _\textsf{A} | + (2\kappa + 1) |\mathcal {I} _\textsf{B} | + 2\kappa + |\mathcal {O} |$ and $(2\kappa + 1) |\mathcal {W} | + (\kappa + 2) |\mathcal {I} _\textsf{B} | + (2\kappa + 1) |\mathcal {I} _\textsf{A} | + \kappa $ bits, respectively. Therefore, the amortized one-way communication is $2\kappa + 1$ bits per AND gate. Since we need to call $\mathcal {F}_\mathsf {[}$ cpre] twice in $\varPi _\textsf {[}$ 2PC], we conclude that the amortized one-way (resp. two-way) communication in the ($\mathcal {F}_\mathsf {[}$ COT], $\mathcal {F}_\mathsf {[}$ bCOT], $\mathcal {F}_\mathsf {[}$ DVZK], $\mathcal {F}_\mathsf {[}$ EQ], $\mathcal {F}_\mathsf {[}$ Rand])-hybrid model is $2\kappa + 5$ (resp. $4\kappa + 10$) bits.

5.3 Security Analysis

We state the security of our 2PC protocol in Theorem 2 and prove it in the full version [16]. As an intermediate step, we prove in Lemma 10 that the difference of the $V_w^\textsf{A} $ and $V_w^\textsf{B} $ values in the consistency checking phase actually captures the error on the wire w (indicating whether the result of w is flipped).

Lemma 10

Let $e_w:= (a_w \oplus b_w \oplus \varLambda _w) \oplus (a'_w \oplus b'_w \oplus \varLambda '_w) $ be the error on wire $w \in \mathcal {W} \cup \mathcal {I} $ after the execution of $\varPi _\textsf {[} 2PC\text{- }1way]$. Then, the checking values $V_w^\textsf{A}, V_w^\textsf{B} $ satisfy that $V_w^\textsf{A} \oplus V_w^B = e_w \cdot (\varDelta _{\textsf{A}} \oplus \varDelta _{\textsf{B}})$.

Theorem 2

Let $\textsf{H} _{\textsf{ccrnd}}$ be a $(\textsf{poly}(\kappa ), 2 |\mathcal {W} |, \kappa , \epsilon _{\textsf{ccrnd}})$-circular correlation robust hash function under naturally derived keys, $\textsf{H} _{\textsf{tcr}}$ be a $(\textsf{poly}(\kappa ), |\mathcal {I} |, \kappa , \epsilon _{\textsf{tcr}})$-tweakable correlation robust hash function. Protocol $\varPi _\textsf {[} 2PC]$ shown in Figs. 7 and 8 securely realizes functionality $\mathcal {F}_\mathsf {[} 2PC]$ in the presence of malicious adversary in the $\mathcal {F}_\mathsf {[} cpre],\mathcal {F}_\mathsf {[} COT]$-hybrid model.

6 Optimization Toward Two-Way Communication

In this section, we propose an optimization to the DILO-WRK online protocol, reducing the amortized online communication cost from $2 \kappa + 3 \rho $ bits to $2 \kappa + \rho + 1$ bits per AND gate. We mainly focus on reducing the overhead with regard to consistency checking. In particular, our technique is to perform random linear combination prior to hashing so that the cross terms from different AND gates can be combined. Then, using the half-gate multiplication technique we can securely evaluate the cross term using $\rho $ bits for each AND gate as compared to $3\rho $ bits in the DILO-WRK scheme. We present the protocol in Fig. 9.

We note that in $\varPi _\textsf {[}$ 2PC-2way], we only use the hash function a la half-gates. Therefore, we only require the hash function to be circular correlation robust under naturally derived keys ($\textsf{ccrnd}$), which can be instantiated in the random permutation model with one random permutation [27].

Since the consistency checking phase only relies on the Free-XOR properties, we formulate it as an independent procedure that can be coupled with any distributed garbling protocol that supports Free-XOR. This may be of independent interest to future protocols that requires consistency checking without revealing the masked values for each wire.

On the length of $\varDelta _{\textsf{B}}$. We remark that since the key of ${\mathsf{P_{B}}} $ no longer serves to garble a circuit, its length can be reduced to $\rho $ bits. Since the preprocessing protocol has constant amortized communication overhead, we can re-use the same preprocessing protocol (thus using the same functionality $\mathcal {F}_\mathsf {[} cpre]$) but truncate all MAC tags and keys related to $\varDelta _{\textsf{B}}$, including $\varDelta _{\textsf{B}}$ itself down to $\rho $ bits. This can be done by simply discarding the respective $\kappa - \rho $ higher bits since the messages that they authenticate are single bits. We use the original notations in the following descriptions but remind the readers that the MAC keys and tags are truncated and of $\rho $-bit length.

Intuitions of the consistency checking. Our starting point is the KRRW scheme, where all masked wire values are made public so that the checking equation $(\varLambda _i \oplus \lambda _i) \cdot (\varLambda _j \oplus \lambda _j) \cdot \varDelta _{\textsf{B}} = (\varLambda _k \oplus \lambda _k) \cdot \varDelta _{\textsf{B}}$ reduces to equality checking (recall that $\lambda _i \cdot \lambda _j \cdot \varDelta _{\textsf{B}}$ is already shared after preprocessing). With compressed preprocessing, the masked values must be kept secret due to not being fully masked. Therefore, we must securely compute the secret sharing of the multiplication between the masked wire values and values known to $\mathsf P_{A}$.

In more detail, we need to check for every AND gate ($i,j,k,\wedge $) the following equation,

$$\begin{aligned}(\varLambda _i \oplus \lambda _i) \cdot (\varLambda _j \oplus \lambda _j) \cdot \varDelta _{\textsf{B}} = (\varLambda _k \oplus \lambda _k) \cdot \varDelta _{\textsf{B}} \hspace{5.0pt}.\end{aligned}$$

We can rewrite the equation as follows (notice that $B'_k \in \mathbb {F}_2$ can be locally computed by $\mathsf P_{B}$),

$$\begin{aligned}(\underbrace{\varLambda _i \cdot \varLambda _j \oplus \varLambda _k \oplus b_k \oplus \hat{b}_k \oplus \varLambda _i \cdot b_j \oplus \varLambda _j \cdot b_i}_{B'_k} \oplus a_k \oplus \hat{a}_k \oplus \varLambda _i \cdot a_j \oplus \varLambda _j \cdot a_i) \cdot \varDelta _{\textsf{B}} = 0 \hspace{5.0pt}.\end{aligned}$$

By expanding the terms and utilizing the IT-MAC relation $a_k \cdot \varDelta _{\textsf{B}} = \textsf{M}_\textsf{A} [a_k] + \textsf{K}_\textsf{B} [a_k]$, we have,

$$\begin{aligned} & B'_k \cdot \varDelta _{\textsf{B}} \oplus \textsf{M}_\textsf{A} [a_k] \oplus \textsf{K}_\textsf{B} [a_k] \oplus \textsf{M}_\textsf{A} [\hat{a}_k] \oplus \textsf{K}_\textsf{B} [\hat{a}_k] \oplus \varLambda _i \cdot (\textsf{M}_\textsf{A} [a_j] \oplus \textsf{K}_\textsf{B} [a_j]) \oplus \varLambda _j \cdot \\ & \quad ( \textsf{M}_\textsf{A} [a_i] \oplus \textsf{K}_\textsf{B} [a_i]) = 0 \hspace{5.0pt}. \end{aligned}$$

By re-arranging the terms according to their membership, we have:

$$\begin{aligned}&\underbrace{B'_k \cdot \varDelta _{\textsf{B}} \oplus \textsf{K}_\textsf{B} [a_k] \oplus \textsf{K}_\textsf{B} [\hat{a}_k] \oplus \varLambda _i \cdot \textsf{K}_\textsf{B} [a_j] \oplus \varLambda _j \cdot \textsf{K}_\textsf{B} [a_i]}_{B_k} \oplus \underbrace{\textsf{M}_\textsf{A} [a_k] \oplus \textsf{M}_\textsf{A} [\hat{a}_k]}_{A_{k, 0}} \\&\oplus \varLambda _i \cdot \textsf{M}_\textsf{A} [a_j] \oplus \varLambda _j \cdot \textsf{M}_\textsf{A} [a_i] = 0 \hspace{5.0pt}. \end{aligned}$$

Notice that the values $B_k$ and $A_{k, 0}$ are both locally computable by $\mathsf P_{B}$ and $\mathsf P_{A}$, respectively, so we only have to securely compute the rest of the terms. The previous method is to utilize the fact that the masked value $\varLambda _i, \varLambda _j$ are already authenticated by the wire labels. Given such authentication we can evaluate the multiplication of $\varLambda _i$ with any value $X \in \mathbb {F} _{2^\rho } $ known to $\mathsf P_{A}$ as follows. $\mathsf P_{A}$ sends $G_i:= \textsf{H} (\textsf{L} _{i,0}) \oplus \textsf{H} (\textsf{L} _{i,1}) \oplus X$ to $\mathsf P_{B}$ who later recovers $\textsf{H} (\textsf{L} _{i,\varLambda _i}) \oplus \varLambda _i \cdot G_i = \textsf{H} (\textsf{L} _{i,0}) \oplus \varLambda _i \cdot X$. Clearly this forms an additive sharing of $\varLambda _i \cdot X$, and since there are two multiplications, at least $2\rho $-bit of communication is needed for every AND gate.

Our insight is that in garbled circuits with Free-XOR optimization, the masked value $\varLambda _i$ on any wire i is a public linear combination of the masked wire values on all the AND gate output wires and input wires. We formalize this by defining the following public vector ${\varvec{c}}^i \in \mathbb {F}_2^{|\mathcal {I} | + |\mathcal {W} |}$ for every wire i s.t. $\varLambda _i = \sum _k c^i_k \cdot \varLambda _k$. This allows us to collapse the two terms into one by exchanging the summation order with the random linear combination. In particular, to check the correctness of every AND gate ($i,j,k,\wedge $) we perform random linear combination using public randomness $\chi _1,...,\chi _t$, and our checking equation becomes the following. (Recall that $t = | \mathcal {W} | $.)

$$\begin{aligned} \sum _{k \in \mathcal {W}} \chi _k \cdot B_k \oplus \sum _{k \in \mathcal {W}} \chi _k \cdot A_{k, 0} \oplus \sum _{(i',j',k',\wedge ) \in \mathcal {C} _\textsf{and}} \chi _{k'} \cdot (\varLambda _{i'} \cdot \textsf{M}_\textsf{A} [a_{j'}] \oplus \varLambda _{j'} \cdot \textsf{M}_\textsf{A} [a_{i'}]) = 0 \hspace{5.0pt}. \end{aligned}$$

Using the aforementioned notation, we have,

$$\begin{aligned} & \sum _{k \in \mathcal {W}} \chi _k \cdot B_k \oplus \sum _{k \in \mathcal {W}} \chi _k \cdot A_{k, 0} \oplus \sum _{(i',j',k',\wedge ) \in \mathcal {C} _\textsf{and}} \chi _{k'} \cdot \\ & \quad \left( \left( \sum _{k \in \mathcal {W} \cup \mathcal {I}} c^{i'}_{k} \cdot \varLambda _{k}\right) \cdot \textsf{M}_\textsf{A} [a_{j'}] \oplus (\sum _{k \in \mathcal {W} \cup \mathcal {I}} c^{j'}_{k} \cdot \varLambda _{k}) \cdot \textsf{M}_\textsf{A} [a_{i'}]\right) = 0 \hspace{5.0pt}. \end{aligned}$$

By exchanging the summation order, we have,

$$\begin{aligned} & \sum _{k \in \mathcal {W}} \chi _k \cdot B_k \oplus \sum _{k \in \mathcal {W}} \chi _k \cdot A_{k, 0} \oplus \sum _{k \in \mathcal {W} \cup \mathcal {I}} \varLambda _{k} \cdot \\ & \quad \underbrace{\sum _{(i',j',k',\wedge ) \in \mathcal {C} _\textsf{and}} \chi _{k'} \cdot (c^{i'}_{k} \cdot \textsf{M}_\textsf{A} [a_{j'}] \oplus c^{j'}_{k} \cdot \textsf{M}_\textsf{A} [a_{i'}])}_{A_{k, 1}} = 0 \hspace{5.0pt}. \end{aligned}$$

Using the half-gates technique, $\mathsf P_{A}$ sends $G'_k:= \textsf{H} _{\textsf{ccrnd}} (\textsf{L} _{k, 0}, k \Vert 2) \oplus \textsf{H} _{\textsf{ccrnd}} (\textsf{L} _{k, 1}, k \Vert 2) \oplus A_{k, 1}$ for every $k \in \mathcal {W} \cup \mathcal {I} $ to evaluate the additive sharing of $\varLambda _k \cdot A_{k, 1}$. Therefore, we reduce the consistency checking of AND gate correlation to equality checking using $\rho $ bits of amortized communication.

Now we formulate this as an independent procedure $\textsf{GCCheck}$ in Fig. 10.

Communication Complexity. In the online phase $\mathsf P_{A}$ and $\mathsf P_{B}$ sends $(2\kappa + \rho + 1) |\mathcal {W} | + (\kappa + \rho + 1) |\mathcal {I} _\textsf{A} | + (2\kappa + \rho + 1) |\mathcal {I} _\textsf{B} | + \kappa + |\mathcal {O} |$ and $|\mathcal {I} _\textsf{B} |$ bits, respectively. Since in this protocol we only need to invoke $\varPi _\textsf {[}$ cpre] once, we conclude that the total two-way communication of $\varPi _\textsf {[}$ 2PC-2way] is $2\kappa + \rho + 5$ bits per AND gate.

6.1 Security Analysis

We first claim in Lemma 11 that the soundness error of the consistency checking phase can be bounded by $\frac{2}{2^\rho }$. Then, the main security theorem is shown in Theorem 3. The respective proofs are shown in the full version [16].

Lemma 11

After the equality check $\textsf{GCCheck}$ (Fig. 10), except with probability $\frac{2}{2^\rho }$, $\mathsf P_{B}$ either aborts or evaluates the garbled circuit exactly according to $\mathcal {C} $.

Theorem 3

Let $\textsf{H} _{\textsf{ccrnd}}$ be a $(\textsf{poly}(\kappa ), 3 |\mathcal {W} | + |\mathcal {I} |, \kappa , \epsilon _{\textsf{ccrnd}})$-circular correlation robust hash function under naturally derived keys, $\textsf{H} _{\textsf{tcr}}$ be a $(\textsf{poly}(\kappa ), |\mathcal {I} _\textsf{B} |, \kappa , \epsilon _{\textsf{tcr}})$-tweakable correlation robust hash function. Protocol $\varPi _\textsf {[} 2PC\text{- }2way]$ shown in Fig. 9 securely realizes functionality $\mathcal {F}_\mathsf {[} 2PC]$ in the presence of malicious adversary in the $(\mathcal {F}_\mathsf {[} cpre],\mathcal {F}_\mathsf {[} COT])$-hybrid model.

Notes

An independent global key $\varDelta _{\textsf{A}}'$ is necessary to perform the consistency check, and otherwise a malicious $\mathsf P_{B}$ will always pass the check if $\varDelta _{\textsf{A}}$ is reused.
In more detail, due to the compression of $\mathsf P_{B}$ ’s wire masks, we cannot send $\tilde{\varLambda }_w$ directly but rather feed it to an oblivious transfer protocol.
Different garbling schemes vary in the choice of where to place the consistency check. For the WRK scheme, the evaluator can detect inconsistency and abort during the evaluation, whereas for the half-gates garbling, the circuit values are effectively committed after evaluation and a subsequent checking phase is dedicated to ensure that the circuit values are correctly computed. Therefore, we focus on the inconsistency event where the plaintext execution differs from the evaluation of the garbled circuit.
We note that in the proof of Dittmer et al. [19], the mask ${\varvec{b}}$ is assumed to be $\rho $-wise independent and the argument is that one corrupted table entry is equivalent to a coin toss with 1/2 probability of failure. If there are less than $\rho $ corrupted table entries then evaluator’s abort probability is input-independent, otherwise (more than $\rho $ entries are corrupted) the evaluator would abort with overwhelming probability. Their argument is not very precise so we choose to focus on the probability that the input–output correlation on each AND gate being falsified, which implies that the evaluator would abort. Thus, we require the stricter $2\rho $-wise independence in ${\varvec{b}}$, but this does not affect amortized performance of our protocol.
We define $a_w, a_w', b_w, b_w'$ by the MAC tag and keys to implicitly authenticate them.
The additional $\frac{1}{2^\kappa }$ security less is due to the probability that $\varDelta '$ cancels out the $\varDelta $ terms, similar to the argument in Lemma 7.

Abbreviations

$\kappa $ :: Computational security parameter
$\rho $ :: Statistical security parameter
$x \leftarrow S$ :: Sample x uniformly at random from S
[a, b) And [a, b]:: $\{a, \dots , b-1\}$ and $\{a, \dots , b\}$
${\varvec{a}}$, $a_i$, $\textbf{A}$, $\textbf{A}_{i, j}$ :: Vector, the i-th entry of ${\varvec{a}}$, matrix, the (i, j)-th entry of $ \textbf{A}$
$\{x_i\}$ :: A set without specifying the indices
$\textsf{lsb} (x), \textsf{msb} (x)$ :: Least significant bit of x, most significant bit of x
$\textsf{B2F} $ :: Macro to convert from $\mathbb {F} _2^\kappa $ to $\mathbb {F} _{2^\kappa } $
$\textsf{F2B} $ :: Macro to convert from $\mathbb {F} _{2^\kappa } $ to $\mathbb {F} _2^\kappa $
$\mathcal {C} $, $\mathcal {O} $ :: A Boolean circuit, the set of circuit-output wires in $\mathcal {C} $
$\mathcal {I} _\textsf{A}, \mathcal {I} _\textsf{B} $ :: The sets of circuit-input wires of $\mathsf P_{A}$ and $\mathsf P_{B}$
$\mathcal {C} _\textsf{and}, \mathcal {W} $ :: The set of all AND gates and set of their output wires
n, m, t :: Parameters $n = |\mathcal {W} | + |\mathcal {I} _\textsf{B} |, m = |\mathcal {W} | + |\mathcal {I} _\textsf{A} |, t = |\mathcal {W} |$
L :: Compression parameter $L = \lceil 2\rho \log \frac{ en}{\sqrt{2} \rho } + \frac{\log 2\rho }{2} \rceil $
$[\![x]\!]_{\varDelta } = (\textsf{K}_\textsf{A} {[}x{]}, \textsf{M}_\textsf{B} {[}x{]}, x)$ :: IT-MAC authentication of x under the global key $\varDelta $
$\langle {x}\rangle = (\alpha , \beta , x) $ :: Dual-key authenticated value on x under $\varDelta _{\textsf{A}}\varDelta _{\textsf{B}}$
$\textsf{CheckZero} ({[}x{]})$ :: Check that x is equal to 0
$\textsf{CheckZero2} (\langle {x}\rangle )$ :: Check that x is equal to 0
$\textsf{Open} ([\![x]\!]_{\varDelta })$ :: Opening x authenticated by $ \varDelta $
$\textsf{Convert1}_{[\cdot ]\rightarrow \langle {\cdot }\rangle } ([\![x \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}})$ :: Convert $[\![x \varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$ to a dual-key authenticated bit $\langle {x}\rangle $
$\textsf{Convert2}_{[\cdot ]\rightarrow \langle {\cdot }\rangle } ([\![x]\!]_{\beta }, \langle {y}\rangle )$ :: Convert $[\![x]\!]_{\beta }$ along with $\langle {y}\rangle = (\alpha , \beta , y)$ to $\langle {xy}\rangle $
$\textsf{EQCheck} $ :: Check equality of values auth. under different global keys
${\textsf{Garble}},{\textsf{Eval}} $ :: Generation and evaluation of distributed garbling

References

J. Abascal, M.H.F. Sereshgi, C. Hazay, Y. Ishai, M. Venkitasubramaniam, Is the classical GMW paradigm practical? The case of non-interactive actively secure 2PC, in ACM Conf. on Computer and Communications Security (CCS) (ACM Press, 2020), pp. 1591–1605. https://doi.org/10.1145/3372297.3423366
C. Baum, L. Braun, A. Munch-Hansen, B. Razet, P. Scholl, Appenzeller to brie: efficient zero-knowledge proofs for mixed-mode arithmetic and Z2k, in ACM Conf. on Computer and Communications Security (CCS) (ACM Press, 2021), pp. 192–211. https://doi.org/10.1145/3460120.3484812
C. Baum, L. Braun, A. Munch-Hansen, P. Scholl, Moz${\mathbb{Z}}_{2^k}$arella: efficient vector-OLE and zero-knowledge proofs over ${\mathbb{Z}}_{2^k}$, in Advances in Cryptology—Crypto 2022, Part IV. LNCS. vol. 13510 (Springer, 2022), pp. 329–358. https://doi.org/10.1007/978-3-031-15985-5_12
C. Baum, L. Braun, A. Munch-Hansen, P. Scholl, Mac’n’Cheese: zero-knowledge proofs for Boolean and arithmetic circuits with nested disjunctions, in Advances in Cryptology—Crypto 2021, Part IV. LNCS. vol. 12828 (Springer, 2021), pp. 92–122.https://doi.org/10.1007/978-3-030-84259-8_4
D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in 22nd Annual ACM Symposium on Theory of Computing (STOC) (ACM Press, 1990), pp. 503–513.https://doi.org/10.1145/100216.100287
M. Bellare, V.T. Hoang, S. Keelveedhi, P. Rogaway, Efficient garbling from a fixed-key blockcipher, in IEEE Symposium on Security and Privacy (S &P) (2013), pp. 478–492. https://doi.org/10.1109/SP.2013.39
R. Bendlin, I. Damgård, C. Orlandi, S. Zakarias, Semi-homomorphic encryption and multiparty computation, in Advances in Cryptology—Eurocrypt 2011. LNCS vol. 6632 (Springer, 2011), pp. 169–188. https://doi.org/10.1007/978-3-642-20465-4_11
A. Blum, M.L. Furst, M.J. Kearns, R.J. Lipton, Cryptographic primitives based on hard learning problems. in Advances in Cryptology—Crypto 1993. LNCS vol. 773 (Springer, 1994), pp. 278–291.https://doi.org/10.1007/3-540-48329-2_24
E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, N. Resch, P. Scholl, Correlated pseudorandomness from expand-accumulate codes., in Advances in Cryptology—Crypto 2022, Part II. LNCS vol. 13508 (Springer, 2022), pp. 603–633.https://doi.org/10.1007/978-3-031-15979-4_21
E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, P. Rindal, P. Scholl, Efficient two-round OT extension and silent non-interactive secure computation, in ACM Conf. on Computer and Communications Security (CCS) (ACM Press, 2019), pp. 291–308.https://doi.org/10.1145/3319535.3354255
E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, P. Rindal, P. Scholl, Efficient pseudorandom correlation generators: silent OT extension and more, in Advances in Cryptology—Crypto 2019, Part III. LNCS, vol. 11694 (Springer, 2019), pp. 489–518. https://doi.org/10.1007/978-3-030-26954-8_16
E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, P. Rindal, P. Scholl, Efficient pseudorandom correlation generators from ring-LPN, in Advances in Cryptology—Crypto 2020, Part II. LNCS, vol. 12171 (Springer, 2020), pp. 387–416.https://doi.org/10.1007/978-3-030-56880-1_14
R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000).https://doi.org/10.1007/s001459910006
Article MathSciNet MATH Google Scholar
R. Cleve, Limits on the security of coin flips when half the processors are faulty (extended abstract), in 18th Annual ACM Symposium on Theory of Computing (STOC) (ACM Press, 1986) pp. 364–369. https://doi.org/10.1145/12130.12168
G. Couteau, P. Rindal, S. Raghuraman, Silver: silent VOLE and oblivious transfer from hardness of decoding structured LDPC codes, in Advances in Cryptology—Crypto 2021, Part III. LNCS, vol. 12827 (Springer, 2021), pp. 502–534. https://doi.org/10.1007/978-3-030-84252-9_17
H. Cui, X. Wang, K. Yang, Y. Yu, Actively secure half-gates with minimum overhead under duplex networks. Cryptology ePrint Archive, Paper 2023/278 (2023), https://eprint.iacr.org/2023/278
H. Cui, X. Wang, K. Yang, Y. Yu, Actively secure half-gates with minimum overhead under duplex networks (LNCS, Springer, 2023), pp. 35–67.https://doi.org/10.1007/978-3-031-30617-4_2
I. Damgård, J.B. Nielsen, M. Nielsen, S. Ranellucci, The tinytable protocol for 2-party secure computation, or: gate-scrambling revisited, in Advances in Cryptology—Crypto 2017, Part I. LNCS, vol. 10401 (Springer, 2017), pp. 167–187. https://doi.org/10.1007/978-3-319-63688-7_6
S. Dittmer, Y. Ishai, S. Lu, R. Ostrovsky, Authenticated garbling from simple correlations, in Advances in Cryptology—Crypto 2022, Part IV. LNCS, vol. 13510 (Springer, 2022), pp. 57–87.https://doi.org/10.1007/978-3-031-15985-5_3
S. Dittmer, Y. Ishai, S. Lu, R. Ostrovsky, Improving line-point zero knowledge: two multiplications for the price of one, in ACM Conf. on Computer and Communications Security (CCS) (ACM Press, 2022), pp. 829–841.https://doi.org/10.1145/3548606.3559385
S. Dittmer, Y. Ishai, R. Ostrovsky, Line-point zero knowledge and its applications, in 2nd Conference on Information-Theoretic Cryptography (2021)
Y. Dodis, S. Khanna, Space time tradeoffs for graph properties, in Intl. Colloquium on Automata, Languages, and Programming (ICALP). LNCS vol. 1644 (Springer, 1999), pp. 291–300. https://doi.org/10.1007/3-540-48523-6_26
A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in Advances in Cryptology—Crypto 1986. LNCS, vol. 263 (Springer, 1987), pp. 186–194.https://doi.org/10.1007/3-540-47721-7_12
O. Goldreich, Foundations of cryptography: basic applications, vol. 2 (Cambridge University Press, Cambridge, UK, 2004)
Book MATH Google Scholar
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in 19th Annual ACM Symposium on Theory of Computing (STOC) (ACM Press, 1987), pp. 218–229. https://doi.org/10.1145/28395.28420
C. Guo, J. Katz, X. Wang, C. Weng, Y. Yu, Better concrete security for half-gates garbling (in the multi-instance setting), in Advances in Cryptology—Crypto 2020, Part II. LNCS, vol. 12171 (Springer, 2020), pp. 793–822. https://doi.org/10.1007/978-3-030-56880-1_28
C. Guo, J. Katz, X. Wang, C. Weng, Y. Yu, Efficient and secure multiparty computation from fixed-key block ciphers, in IEEE Symposium on Security and Privacy (S &P) 2020 (2020), pp. 825–841. https://doi.org/10.1109/SP40000.2020.00016
C. Hazay, Y. Ishai, M. Venkitasubramaniam, Actively secure garbled circuits with constant communication overhead in the plain model, in Theory of Cryptography Conference (TCC) 2017. LNCS, vol. 10678 (Springer, 2017), pp. 3–39. https://doi.org/10.1007/978-3-319-70503-3_1
C. Hazay, P. Scholl, E. Soria-Vazquez, Low cost constant round MPC combining BMR and oblivious transfer, in Advances in Cryptology—Asiacrypt 2017, Part I. LNCS, vol. 10624 (Springer, 2017), pp. 598–628.https://doi.org/10.1007/978-3-319-70694-8_21
C. Hazay, P. Scholl, E. Soria-Vazquez, Low cost constant round MPC combining BMR and oblivious transfer. J. Cryptol. 33(4), 1732–1786 (2020).https://doi.org/10.1007/s00145-020-09355-y
Article MathSciNet MATH Google Scholar
C. Hazay, A. Shelat, M. Venkitasubramaniam, Going beyond dual execution: MPC for functions with efficient verification, in Intl. Conference on Theory and Practice of Public Key Cryptography 2020, Part II. LNCS, vol. 12111 (Springer, 2020), pp. 328–356. https://doi.org/10.1007/978-3-030-45388-6_12
Y. Huang, J. Katz, D. Evans, Quid-pro-quo-tocols: strengthening semi-honest protocols with dual execution, in IEEE Symposium on Security and Privacy (S &P) 2012 (2012), pp. 272–284.https://doi.org/10.1109/SP.2012.43
J. Katz, S. Ranellucci, M. Rosulek, X. Wang, Optimizing authenticated garbling for faster secure two-party computation. in Advances in Cryptology—Crypto 2018, Part III. LNCS, vol. 10993 (Springer, 2018), pp. 365–391. https://doi.org/10.1007/978-3-319-96878-0_13
V. Kolesnikov, T. Schneider, Improved garbled circuit: free XOR gates and applications, in Intl. Colloquium on Automata, Languages, and Programming (ICALP). LNCS, vol. 5126 (Springer, 2008), pp. 486–498.https://doi.org/10.1007/978-3-540-70583-3_40
Y. Lindell, B. Pinkas, N.P. Smart, A. Yanai, Efficient constant round multi-party computation combining BMR and SPDZ, in Advances in Cryptology—Crypto 2015, Part II. LNCS, vol. 9216 (Springer, 2015), pp. 319–338.https://doi.org/10.1007/978-3-662-48000-7_16
Y. Lindell, N.P. Smart, E. Soria-Vazquez, More efficient constant-round multi-party computation from BMR and SHE, in Theory of Cryptography Conference (TCC) 2016. LNCS, vol. 9985 (Springer, 2016), pp. 554–581.https://doi.org/10.1007/978-3-662-53641-4_21
Mohassel, P., Franklin, M.: Efficiency Tradeoffs for Malicious Two-Party Computation. In: Intl. Conference on Theory and Practice of Public Key Cryptography. LNCS, vol. 3958, pp. 458–473. Springer (2006).https://doi.org/10.1007/11745853_30
J.B. Nielsen, P.S. Nordholt, C. Orlandi, S.S. Burra, A new approach to practical active-secure two-party computation, in Advances in Cryptology—Crypto 2012. LNCS, vol. 7417 (Springer, 2012), pp. 681–700.https://doi.org/10.1007/978-3-642-32009-5_40
M. Rosulek, L. Roy, Three halves make a whole? beating the half-gates lower bound for garbled circuits, in Advances in Cryptology—Crypto 2021, Part I. LNCS, vol. 12825 (Springer, 2021), pp. 94–124.https://doi.org/10.1007/978-3-030-84242-0_5
X. Wang, S. Ranellucci, J. Katz, Authenticated garbling and efficient maliciously secure two-party computation, in ACM Conf. on Computer and Communications Security (CCS) 2017 (ACM Press, 2017), pp. 21–37.https://doi.org/10.1145/3133956.3134053
X. Wang, S. Ranellucci, J. Katz, Global-scale secure multiparty computation, in ACM Conf. on Computer and Communications Security (CCS) 2017 (ACM Press, 2017), pp. 39–56. https://doi.org/10.1145/3133956.3133979
C. Weng, K. Yang, J. Katz, X. Wang, Wolverine: fast, scalable, and communication-efficient zero-knowledge proofs for boolean and arithmetic circuits, in IEEE Symposium on Security and Privacy (S &P) 2021 (2021), pp. 1074–1091. https://doi.org/10.1109/SP40001.2021.00056
C. Weng, K. Yang, X. Xie, J. Katz, X. Wang, Mystique: efficient conversions for zero-knowledge proofs with applications to machine learning, in USENIX Security Symposium 2021 (USENIX Association, 2021), pp. 501–518
C. Weng, K. Yang, Z. Yang, X. Xie, X. Wang, AntMan: interactive zero-knowledge proofs with sublinear communication, in ACM Conf. on Computer and Communications Security (CCS) 2022 (ACM Press, 2022), pp. 2901–2914. https://doi.org/10.1145/3548606.3560667
K. Yang, P. Sarkar, C. Weng, X. Wang, QuickSilver: efficient and affordable zero-knowledge proofs for circuits and polynomials over any field, in ACM Conf. on Computer and Communications Security (CCS) 2021 (ACM Press, 2021), pp. 2986–3001. https://doi.org/10.1145/3460120.3484556
K. Yang, X. Wang, J. Zhang, More efficient MPC from improved triple generation and authenticated garbling, in ACM Conf. on Computer and Communications Security (CCS) 2020 (ACM Press, 2020), pp. 1627–1646. https://doi.org/10.1145/3372297.3417285
K. Yang, C. Weng, X. Lan, J. Zhang, X. Wang, Ferret: fast extension for correlated OT with small communication. in ACM Conf. on Computer and Communications Security (CCS) 2020 (ACM Press, 2020), pp. 1607–1626. https://doi.org/10.1145/3372297.3417276
A.C.C. Yao, How to generate and exchange secrets (extended abstract), in 27th Annual Symposium on Foundations of Computer Science (FOCS) (IEEE, 1986), pp. 162–167. https://doi.org/10.1109/SFCS.1986.25
S. Zahur, M. Rosulek, D. Evans, Two halves make a whole - reducing data transfer in garbled circuits using half gates, in Advances in Cryptology—Eurocrypt 2015, Part II LNCS, vol. 9057 (Springer, 2015), pp. 220–250. https://doi.org/10.1007/978-3-662-46803-6_8

Download references

Funding

The work of Yu Yu is supported by the National Natural Science Foundation of China (Grant Nos. 62125204 and 92270201), Innovation Program for Quantum Science and Technology (No. 2021ZD0302901/2021ZD0302902), and the Major Program of Guangdong Basic and Applied Research (Grant No. 2019B030302008). Yu Yu’s work has also been supported by the New Corner-stone Science Foundation through the XPLORER PRIZE. The work of Kang Yang is supported by the National Key Research and Development Program of China (Grant No. 2022YFB2702000) and by the National Natural Science Foundation of China (Grant No. 62102037). The work of Xiao Wang is supported by NSF award #2236819.

Author information

Authors and Affiliations

Shanghai Jiao Tong University, Shanghai, China
Hongrui Cui & Yu Yu
State Key Laboratory of Cryptology, Beijing, China
Hongrui Cui & Kang Yang
Northwestern University, Evanston, USA
Xiao Wang
Shanghai Qi Zhi Institute, Shanghai, China
Yu Yu

Authors

Hongrui Cui
View author publications
You can also search for this author inPubMed Google Scholar
Xiao Wang
View author publications
You can also search for this author inPubMed Google Scholar
Kang Yang
View author publications
You can also search for this author inPubMed Google Scholar
Yu Yu
View author publications
You can also search for this author inPubMed Google Scholar

Corresponding authors

Correspondence to Xiao Wang, Kang Yang or Yu Yu.

Additional information

Communicated by Masayuki Abe.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Security Model and Functionalities

1.1 Security Model

We say that a two-party protocol $\varPi _\textsf {[} ]$ securely realizes an ideal functionality $\mathcal {F}_\mathsf {[} ]$ if for any probabilistic polynomial time (PPT) adversary ${{\mathcal {A} }} $, there exists a PPT adversary (a.k.a., simulator) ${\mathcal {S} } $, such that the joint distribution of the outputs of the honest party and ${{\mathcal {A} }} $ in the real-world execution where the party interacts with ${{\mathcal {A} }} $ and execute $\varPi _\textsf {[} ]$ is computationally indistinguishable from that of the outputs of the honest party and ${\mathcal {S} } $ in the ideal-world execution where the party interacts with ${\mathcal {S} } $ and $\mathcal {F}_\mathsf {[} ]$. We adopt the notion of security with abort, where fairness is not achieved in the two-party setting [14]. For all our functionalities, the adversary can send $\textsf{abort} $ to these functionalities at any time, and then the execution is aborted. For the sake of simplicity, we omit the description in these functionalities.

1.2 The Equality-Check Functionality

Our protocol will invoke a relaxed equality-checking functionality $\mathcal {F}_\mathsf {[} EQ]$ [38] that is recalled in Fig. 11. This functionality can be securely realized by committing to the input and then opening it, as we allow to leak the inputs if two inputs are different. The protocol realizing $\mathcal {F}_\mathsf {[} EQ]$ needs two rounds and takes $2\kappa +\ell $ bits of one-way communication for $\ell $-bit inputs.

1.3 The Coin-Tossing Functionality

Our protocol will use a standard coin-tossing functionality $\mathcal {F} _\textsf{Rand}$ shown in Fig. 12, which samples a uniform element in $\mathbb {F} _{2^\kappa } $. This can be securely realized by having every party commit to a random element via calling $\mathcal {F} _\textsf{Com}$, and then open the commitments and use the sum of all random elements as the output.

Proofs of Security

1.1 Proof of Lemma 2

Proof

Let $L = {\lceil {\rho + m \cdot \log (\frac{en}{m}) + \frac{\log m}{2}}\rceil }$ and let $\textbf{M}\leftarrow \mathbb {F} _2^{n \times L}$ be a uniformly random matrix. In the following, we show that $\textbf{M}$ satisfies the (m, L)-independent property except with probability $2^{-\rho }$.

Recall that the property states that any $\rho $ rows of the matrix are linearly independent. Since we are working in the binary field, a set of vectors in $\mathbb {F} _2^L$ being linearly dependent implies that they XOR to 0, which happens with probability $2^{-L}$ for uniformly random vectors. Therefore, denote $\mathcal {R} $ as the random variable counting the number of linearly dependent sets with size no more than $\rho $, then by the linearity of expectation we have:

$$\begin{aligned} \mathbb {E} [\mathcal {R} ] = \sum _{k = 1}^{m} \left( {\begin{array}{c}n\\ k\end{array}}\right) 2^{-L} \hspace{5.0pt}. \end{aligned}$$

Using Markov’s inequality, we have

$$\begin{aligned} \Pr [\mathcal {R} \ge 1 ] \le \mathbb {E} [\mathcal {R} ] = \sum _{k = 1}^{m} \left( {\begin{array}{c}n\\ k\end{array}}\right) 2^{-L} \hspace{5.0pt}.\end{aligned}$$

In our secure computation setting, $m = 2\rho $ and n is the number of circuit-input gates and AND gates so we may assume $n > 2m$. Thus, we have

$$\begin{aligned}\Pr [\mathcal {R} \ge 1] \le \frac{n^{^m}}{m!} \cdot \frac{m}{2^L} \hspace{5.0pt}.\end{aligned}$$

Using Stirling’s approximation and taking $L \ge {\lceil {\rho + m \cdot \log (\frac{en}{m}) + \frac{\log m}{2}}\rceil }$, we have

$$\begin{aligned} \Pr [\mathcal {R} \ge 1]&\le \frac{n^{m}}{2\sqrt{m}(\frac{m}{e})^{m}} \cdot \frac{m}{(2^\rho \cdot \frac{en}{m})^{m} \cdot \sqrt{m}} \\&\le 2^{-(\rho +1)} < 2^{-\rho }, \end{aligned}$$

which implies $\Pr [\mathcal {R} = 0] \ge 1 - 2^{-\rho }$. $\square $

1.2 Proof of Lemma 6

Proof

Suppose $y_i \ne y_i'$ for some $i \in [\ell ]$. Then, we have

$$\begin{aligned} V_i&= k_i \varDelta _{\textsf{A}}' \oplus k'_i \varDelta _{\textsf{A}} \oplus \textsf{K}_\textsf{A} [{\tilde{m}}_i] \oplus \textsf{K}_\textsf{A} [{\tilde{m}}'_i] \\&= (m_i \oplus y_i \varDelta _{\textsf{A}}) \varDelta _{\textsf{A}}' \oplus (m'_i \oplus y'_i \varDelta _{\textsf{A}}') \varDelta _{\textsf{A}} \oplus (\textsf{M}_\textsf{B} [{\tilde{m}}_i] \oplus {\tilde{m}}_i \varDelta _{\textsf{A}}') \oplus (\textsf{M}_\textsf{B} [{\tilde{m}}'_i] \oplus {\tilde{m}}'_i \varDelta _{\textsf{A}}) \\&= (y_i \oplus y'_i) \varDelta _{\textsf{A}} \varDelta _{\textsf{A}}' \oplus (m_i \oplus {\tilde{m}}_i) \varDelta _{\textsf{A}}' \oplus (m'_i \oplus {\tilde{m}}'_i) \varDelta _{\textsf{A}} \oplus \textsf{M}_\textsf{B} [{\tilde{m}}'_i] \oplus \textsf{M}_\textsf{B} [{\tilde{m}}_i] \\&= ((y_i \oplus y'_i) \varDelta _{\textsf{A}} \oplus (m_i \oplus {\tilde{m}}_i)) \varDelta _{\textsf{A}}' \oplus (m'_i \oplus {\tilde{m}}'_i) \varDelta _{\textsf{A}} \oplus \textsf{M}_\textsf{B} [{\tilde{m}}'_i] \oplus \textsf{M}_\textsf{B} [{\tilde{m}}_i] \hspace{5.0pt}. \end{aligned}$$

With probability $ 2^{-\kappa } $ we have $ (y_i \oplus y'_i) \varDelta _{\textsf{A}} \oplus (m_i \oplus {\tilde{m}}_i) = 0$. Conditioned on this event not happening, we can use the same argument as in Lemma 1 to argue $\mathsf P_{B}$ ’s advantage in passing the test is bounded by $ \frac{2}{2^{\kappa }}$. Therefore, by a union bound, we conclude that the soundness error of $\textsf{EQCheck}$ is bounded by $\frac{3}{2^\kappa }$. $\square $

1.3 Proof of Theorem 1

Proof

Correctness. Lemma 4 shows that the key sampling procedure $\varPi _\textsf {[} samp]$ returns keys subject to $\textsf{lsb} (\varDelta _{\textsf{A}} \varDelta _{\textsf{B}}) = 1$, which ensures $\textsf{lsb} (\textsf{D}_{\textsf{A}}[x]) \oplus \textsf{lsb} (\textsf{D}_{\textsf{B}}[x]) = x$ for any $x \in \mathbb {F} _2$. This implies that all the ${{\tilde{b}}}_k$ values that ${\mathsf{P_{B}}} $ computes in step 9 are correct.

Now we argue security. We first present the sampling simulation as a separate process and then describe the simulation for the main protocol $\varPi _\textsf {[} cpre]$. In the following proof, there are multiple instances where the same keys $\varDelta _{\textsf{A}}$ or $\varDelta _{\textsf{B}}$ are used. We use different superscripts to differentiate those keys received from the adversary.

Corrupted ${\mathsf{P_{A}}} $. $\mathcal {S} _{\textsf{A}}$ first simulates the key sampling protocol $\varPi _\textsf {[} samp]$ as follows:

1.
$\mathcal {S} _{\textsf{A}}$ receives the input key $\varDelta _{\textsf{A}}^{1}$ by simulating $\mathcal {F}_\mathsf {[} COT]$.
2.
$\mathcal {S} _{\textsf{A}}$ receives $m_{\textsf{A}}^0$ of ${{\mathcal {A} }} $. If $\textsf{lsb} (\varDelta _{\textsf{A}}) \ne 1$ then it aborts.
3.
$\mathcal {S} _{\textsf{A}}$ samples $\tilde{\varDelta }_{\textsf{B}}$ s.t. $\textsf{msb} (\tilde{\varDelta }_{\textsf{B}}) = 1$, to handle the $\textsf{Fix} $ command and $m_{\textsf{B}}^1$ message. It also receives the message $m_\textsf{A} ^1$ from $\mathcal {A} $.
4.
$\mathcal {S} _{\textsf{A}}$ simulates the $\textsf{init} $ and $\textsf{extend} $ commands of $\mathcal {F}_\mathsf {[} COT]$ internally.
5.
$\mathcal {S} _{\textsf{A}}$ sends $m_{\textsf{B}}^0$ following the protocol instructions.
6.
$\mathcal {S} _{\textsf{A}}$ then simulates the checking procedure as follows:
1. (a)
  $\mathcal {S} _{\textsf{A}}$ simulates $\textsf{extend} $ and $\textsf{Fix} $ using previously sampled keys. It also sends $\textsf{true} $ to ${{\mathcal {A} }} $ to simulate $\mathcal {F}_\mathsf {[} DVZK]$.
2. (b)
  $\mathcal {S} _{\textsf{A}}$ receives $m_{\textsf{A}}^2$ from the adversary. If $m_\textsf{A} ^2 \ne \textsf{lsb} (\textsf{D}_\textsf{A} [x_1]),...,\textsf{lsb} (\textsf{D}_\textsf{A} [x_\rho ])$ then $\mathcal {S} _{\textsf{A}}$ aborts.
3. (c)
  $\mathcal {S} _{\textsf{A}}$ extracts ${{\mathcal {A} }} $’s input of $\textsf{Fix} $ as $\varDelta _{\textsf{A}}^2$.
4. (d)
  $\mathcal {S} _{\textsf{A}}$ samples ${\varvec{y}}$ as the output of $\textsf{extend} $ and extracts ${{\mathcal {A} }} $’s input to the $\textsf{Fix} $ command. If the multiplication correlation does not hold then $\mathcal {S} _{\textsf{A}}$ aborts.
5. (e)
  $\mathcal {S} _{\textsf{A}}$ sends $m_{\textsf{B}}^2$ according to protocol instruction.
6. (f)–(g)
  If $\varDelta _{\textsf{A}}^1 \ne \varDelta _{\textsf{A}}^2$ then $\mathcal {S} _{\textsf{A}}$ sends $h \leftarrow \mathbb {F} _{2^\kappa } $ to ${{\mathcal {A} }} $ and aborts to simulate $\textsf{CheckZero2} $. Otherwise, it follows the protocol instruction.

Then, $\mathcal {S} _{\textsf{A}}$ simulates the main protocol $\varPi _\textsf {[} cpre]$.

1.
$\mathcal {S} _{\textsf{A}}$ samples $\textbf{M}\leftarrow \mathbb {F}_2^{n \times L}$ and sends it to ${{\mathcal {A} }} $.
2.
$\mathcal {S} _{\textsf{A}}$ locally simulates the $\textsf{extend} $ command and samples ${\varvec{b}}^*$.
3.
$\mathcal {S} _{\textsf{A}}$ simulates the $\textsf{Fix} $ command using previously sampled ${\varvec{b}}^*$ and $\varDelta _{\textsf{B}}$.
4–5
$\mathcal {S} _{\textsf{A}}$ simulates the $\textsf{init} $ command internally and receives ${\varvec{a}}\leftarrow \mathbb {F}_2^m$ and $\hat{{\varvec{a}}} \leftarrow \mathbb {F}_2^t$ from ${{\mathcal {A} }} $ in $\mathcal {F}_\mathsf {[} bCOT]^{L+1}$ and $\mathcal {F}_\mathsf {[} bCOT]^{2}$. Then, it extracts $(\varDelta _{\textsf{A}}')^{(1)}$ and $(\varDelta _{\textsf{A}}')^{(2)}$, respectively, from the two $\textsf{Fix} $ commands.
6.
$\mathcal {S} _{\textsf{A}}$ follows the protocol instruction.
7.
$\mathcal {S} _{\textsf{A}}$ simulates $\textsf{Fix}$ using uniformly random messages. It also extracts $a_{i,j}$ from the $\textsf{Fix}$ command from ${{\mathcal {A} }} $.
8.
$\mathcal {S} _{\textsf{A}}$ follows the protocol instruction.
9.
$\mathcal {S} _{\textsf{A}}$ receives the $\textsf{lsb} (\textsf{D}_{\textsf{A}}[{\tilde{b}}_k])$ message from ${{\mathcal {A} }} $ and evaluates the $\hat{b}_k$ values.
10.
$\mathcal {S} _{\textsf{A}}$ simulates $\textsf{Fix}$ using previously computed $\hat{b}_k$ values.
11.
$\mathcal {S} _{\textsf{A}}$ simulates $\mathcal {F}_\mathsf {[} DVZK]$ on ($[\![b_i]\!]_{\varDelta _{\textsf{A}}}$, $[\![b_j]\!]_{\varDelta _{\textsf{A}}}$, $[\![b_{i,j}]\!]_{\varDelta _{\textsf{A}}}$) for each AND gate ($i,j,k,\wedge $) and ($[\![b^*_i]\!]_{\varDelta _{\textsf{A}}}$, $[\![\varDelta _{\textsf{B}}]\!]_{\varDelta _{\textsf{A}}}$, $[\![B^*_i]\!]_{\varDelta _{\textsf{A}}}$) by sending $\textsf{true}$ to $\mathcal {A} $. If the previously extracted ${a}_{i,j} \ne a_i \cdot a_j$ then $\mathcal {S} _{\textsf{A}}$ aborts.
12.
$\mathcal {S} _{\textsf{A}}$ extracts $\mathcal {A} $ ’s input to $\mathcal {F}_\mathsf {[}$ COT] as $(\varDelta _{\textsf{A}}')^{(3)}$. If $(\varDelta _{\textsf{A}}')^{(1)} \ne (\varDelta _{\textsf{A}}')^{(2)}$ or $(\varDelta _{\textsf{A}}')^{(2)} \ne (\varDelta _{\textsf{A}}')^{(3)}$ then $\mathcal {S} _{\textsf{A}}$ sends $h \leftarrow \mathbb {F} _{2^\kappa } $ to simulate $\textsf{CheckZero2}$ and aborts. Otherwise, it follows the protocol instruction to simulate $\textsf{EQCheck}$.
13.
$\mathcal {S} _{\textsf{A}}$ follows the protocol instruction and samples $r \leftarrow \mathbb {F}_{2^\kappa }$.
14.
$\mathcal {S} _{\textsf{A}}$ simulates $\mathcal {F}_\mathsf {[}$ Rand] internally and sends $\chi \leftarrow \mathbb {F} _{2^\kappa } $ to $\mathcal {A} $.
15.
$\mathcal {S} _{\textsf{A}}$ sends $y:= \sum _{k \in \mathcal {W}} \chi ^k \cdot {\tilde{b}}_k + r$ to $\mathcal {A} $. If the previous $\textsf{lsb} (\textsf{D}_{\textsf{A}}[{\tilde{b}}_k])$ messages are erroneous then $\mathcal {S} _{\textsf{A}}$ sends $h \leftarrow \mathbb {F} _{2^\kappa } $ to $\mathcal {F}_\mathsf {[}$ EQ] and aborts to simulate $\textsf{CheckZero2}$. Otherwise, it follows protocol instructions.
16.
$\mathcal {S} _{\textsf{A}}$ follows the protocol instruction for $\textsf{CheckZero}$.

Now we argue that the ideal-world output and the real-world output are indistinguishable using a series of hybrids.

Hybrid 1 This is the real-world execution.
Hybrid 2 $\mathcal {S} _{\textsf{A}}$ extracts $\varDelta _{\textsf{A}}^1$ in step 1. If $\textsf{lsb} (\varDelta _{\textsf{A}}) \ne 1$ then $\mathcal {S} _{\textsf{A}}$ aborts in step 2. By Lemma 4, the two hybrids are $2^{-\rho }$-indistinguishable.
Hybrid 3 We make explicit the use of $\varDelta _{\textsf{B}}$ in this hybrid and mark them in blue.
- In step 6 g we compute $h_\textsf{B} = \textsf{H} ( \textsf{D}_\textsf{A} [1_\textsf{B} ] \oplus \textsf{D}_\textsf{A} [1_\textsf{A} ] \oplus ({\varDelta }_\textsf{A} ^1 \oplus \varDelta _{\textsf{A}}^2) \varDelta _{\textsf{B}} ) $ where $\varDelta _{\textsf{A}}^2$ is defined as in the simulation above.
- We compute $h_\textsf{B} $ in $\textsf{CheckZero2} (\langle {1_{\textsf{B}}^{(1)}}\rangle - \langle {1_{\textsf{B}}^{(2)}}\rangle , \langle {1_{\textsf{B}}^{(2)}}\rangle - \langle {1_{\textsf{B}}^{(3)}}\rangle )$ in step 12 as $ \textsf{H} ( \textsf{D}_\textsf{A} [1_\textsf{B} ^{(1)}] \oplus \textsf{D}_\textsf{A} [1_\textsf{B} ^{(2)}] \oplus ((\varDelta _{\textsf{A}}')^{(1)} \oplus (\varDelta _{\textsf{A}}')^{(2)}) \varDelta _{\textsf{B}}, \textsf{D}_\textsf{A} [1_\textsf{B} ^{(2)}] \oplus \textsf{D}_\textsf{A} [1_\textsf{B} ^{(3)}] \oplus ((\varDelta _{\textsf{A}}')^{(2)} \oplus (\varDelta _{\textsf{A}}')^{(3)}) \varDelta _{\textsf{B}} )$.
- In step 15, we compute $h_\textsf{B} $ as $ \textsf{H} ( \textsf{D}_\textsf{A} [y] \oplus y \cdot \textsf{D}_\textsf{A} [1_\textsf{B} ] \oplus \sum _k \chi ^k e_k \varDelta _{\textsf{A}}^1 \varDelta _{\textsf{B}})$ where $e_k$ is the error in ${\tilde{b}}_k$ that $\mathcal {A} $ sends in step 9.
Since we merely rewrite the input inside the $\textsf{H} $ function, $\mathbf {Hybrid_{2}}$ and $\mathbf {Hybrid_{3}}$ are identical.
Hybrid 4 $\mathcal {S} _{\textsf{A}}$ replaces the blue terms in the previous hybrid with uniform randomness. Since the preimage in the blue terms is uniformly random to $\mathcal {A} $, except with probability $\frac{\tau }{2^\kappa }$ the blue values are uniformly random ($\tau $ upper bounds the running time of ${{\mathcal {A} }} $). Thus, $\mathbf {Hybrid_{3}}$ and $\mathbf {Hybrid_{4}}$ are $\frac{\tau }{2^\kappa }$-indistinguishable.
Hybrid 5 $\mathcal {S} _{\textsf{A}}$ sends $\textsf{true}$ to $\mathcal {A} $ and locally verify the multiplicative relation to simulate $\mathcal {F}_\mathsf {[}$ DVZK] in all subsequent hybrids. Since the functionality $\mathcal {F}_\mathsf {[}$ DVZK] is ideal, the two hybrids are identically distributed.
Hybrid 6 $\mathcal {S} _{\textsf{A}}$ receives the message $m_{\textsf{A}}^2$ from $\mathcal {A} $. If $m_\textsf{A} ^2 \ne \textsf{lsb} (\textsf{D}_\textsf{A} [x_1]),...,\textsf{lsb} (\textsf{D}_\textsf{A} [x_\rho ])$ then $\mathcal {S} _{\textsf{A}}$ aborts. By Lemma 4, the two hybrids are $2^{-\rho }$-indistinguishable.
Hybrid 7 If $\varDelta _{\textsf{A}}^1 \ne \varDelta _{\textsf{A}}^2$ in step 6c then $\mathcal {S} _{\textsf{A}}$ aborts. Since $h_\textsf{B} $ is uniformly random to $\mathcal {A} $ if $\varDelta _{\textsf{A}}^1 \ne \varDelta _{\textsf{A}}^2$, we have that $\mathbf {Hybrid_{6}}$ and $\mathbf {Hybrid_{7}}$ are $2^{-\kappa }$-indistinguishable.
Hybrid 8 Let $(\varDelta _{\textsf{A}}')^{(1)}$ and $(\varDelta _{\textsf{A}}')^{(2)}$ be the $\textsf{Fix}$ command input of $\mathcal {A} $ in step 4 and step 5, respectively. Let $(\varDelta _{\textsf{A}}')^{(3)}$ be the input of $\mathcal {F}_\mathsf {[}$ COT] in step 12. If $(\varDelta _{\textsf{A}}')^{(1)} \ne (\varDelta _{\textsf{A}}')^{(2)}$ or $(\varDelta _{\textsf{A}}')^{(2)} \ne (\varDelta _{\textsf{A}}')^{(3)}$ then $\mathcal {S} _{\textsf{A}}$ aborts to simulate $\textsf{CheckZero2}$. Using the previous argument, the two hybrids are $2^{-\kappa }$-indistinguishable.
Hybrid 9 If $\mathcal {A} $ sends incorrect $\textsf{lsb} (\textsf{D}_{\textsf{A}}[{\tilde{b}}_k])$ values in step 9 then $\mathcal {S} _{\textsf{A}}$ simulates the $\textsf{CheckZero2}$ command using previous strategy. By the Schwartz–Zippel lemma, the two hybrids are ($\frac{t + 1}{2^\kappa }$)-indistinguishable. This is the ideal-world execution.

Therefore, the ideal-world and real-world executions are ($\frac{2}{2^{\rho }} + \frac{t + \tau + 3}{2^{\kappa }}$)-indistinguishable in the corrupted ${\mathsf{P_{A}}} $ case.

Corrupted ${\mathsf{P_{B}}} $. $\mathcal {S} _{\textsf{B}}$ first simulates the key sampling protocol $\varPi _\textsf {[} samp]$ as follows:

1.
$\mathcal {S} _{\textsf{B}}$ simulates the $\textsf{init} $ and $\textsf{extend} $ command internally.
2.
$\mathcal {S} _{\textsf{B}}$ sends $m_{\textsf{A}}^0$ following protocol instruction.
3.
$\mathcal {S} _{\textsf{B}}$ extracts $\tilde{\varDelta }_{\textsf{B}}^1$ from the $\textsf{Fix} $ macro, sends $m_{\textsf{A}}^1$ and receives $m_{\textsf{B}}^1$. It fixes $[\![\tilde{\varDelta }_{\textsf{B}}^1]\!]_{\varDelta _{\textsf{A}}}$ according to protocol instruction.
4.
$\mathcal {S} _{\textsf{B}}$ extracts $\varDelta _{\textsf{B}}^2$ from the $\textsf{init} $ command.
5.
$\mathcal {S} _{\textsf{B}}$ receives $m_{\textsf{B}}^0$ from ${{\mathcal {A} }} $ and aborts if $\textsf{msb} (\varDelta _{\textsf{B}}^2) \ne 1$.
6.
$\mathcal {S} _{\textsf{B}}$ simulates the checking procedure as follows:
1. (a)
  $\mathcal {S} _{\textsf{B}}$ sends ${\varvec{x}}\leftarrow \mathbb {F} _{2^\rho } $ to simulate $\textsf{extend} $. It also extracts the input from the $\textsf{Fix} $ command. If the multiplication correlation does not hold then it aborts.
2. (b)
  $\mathcal {S} _{\textsf{B}}$ sends $m_{\textsf{A}}^2$ according to the protocol instruction.
3. (c)
  $\mathcal {S} _{\textsf{B}}$ samples $\varDelta _{\textsf{A}}$ to simulate $\textsf{Fix} $.
4. (d)
  $\mathcal {S} _{\textsf{B}}$ samples ${\varvec{y}}$ to simulate $\textsf{extend} $ and $\textsf{Fix} $. It then sends $\textsf{true} $ to ${{\mathcal {A} }} $ to simulate $\mathcal {F}_\mathsf {[} DVZK]$.
5. (e)
  $\mathcal {S} _{\textsf{B}}$ receives $m_{\textsf{B}}^2$ from ${{\mathcal {A} }} $ and aborts if $m_\textsf{B} ^2 \ne \textsf{lsb} (\textsf{D}_\textsf{B} [y_1]),...,\textsf{lsb} (\textsf{D}_\textsf{B} [y_\rho ])$ then $\mathcal {S} _{\textsf{B}}$ aborts.
6. (f)–(g)
  If $\tilde{\varDelta }_{\textsf{B}}^1 \ne \varDelta _{\textsf{B}}^2$ then $\mathcal {S} _{\textsf{B}}$ sends $h \leftarrow \mathbb {F} _{2^\kappa } $ and aborts to simulate $\textsf{CheckZero2} $.

$\mathcal {S} _{\textsf{B}}$ then simulates the main protocol $\varPi _\textsf {[}$ cpre] as follows.

1.
$\mathcal {S} _{\textsf{B}}$ receives the compression matrix $\textbf{M}$ from $\mathcal {A} $.
2.
$\mathcal {S} _{\textsf{B}}$ receives ${\varvec{b}}^*$ from $\mathcal {A} $ to simulate the $\textsf{extend}$ command.
3.
$\mathcal {S} _{\textsf{B}}$ extracts the inputs $\{ b^*_i \varDelta _{\textsf{B}} \}_{i \in [L]}$ from the $\textsf{Fix}$ command of $\mathcal {A} $.
4–5
$\mathcal {S} _{\textsf{B}}$ extracts the input ($\beta _1,...,\beta _L, \varDelta _{\textsf{B}}^{3}$) and ($\beta _0, \varDelta _{\textsf{B}}^{4}$) from the $\textsf{init}$ command. Then, $\mathcal {S} _{\textsf{B}}$ follows protocol instructions.
6–8
$\mathcal {S} _{\textsf{B}}$ follows protocol specifications to generate $a_{i,j}$ for each AND gate ($i,j,k,\wedge $). Then, it extracts $b_{i,j}$ from $\mathcal {A} $ ’s input to $\textsf{Fix}$ and generates $\langle {\hat{a}_k}\rangle , \langle {a_{i,j}}\rangle $ following protocol specifications.
9.
$\mathcal {S} _{\textsf{B}}$ follows protocol specifications and sends $\textsf{lsb} (\textsf{D}_\textsf{A} [{\tilde{b}}_k])$.
10.
$\mathcal {S} _{\textsf{B}}$ extracts the input $\{ \hat{b}_k^2 \}$ of the $\textsf{Fix}$ command.
11.
$\mathcal {S} _{\textsf{B}}$ simulates the $\mathcal {F}_\mathsf {[}$ DVZK] functionality by sending $\textsf{true}$ to $\mathcal {A} $. If the extracted values in previous step 3 and step 6 do not satisfy the multiplicative relation then $\mathcal {S} _{\textsf{B}}$ aborts.
12.
$\mathcal {S} _{\textsf{B}}$ extracts the $\mathcal {A} $ ’s input $\varDelta _{\textsf{B}}^{5}$ from the $\textsf{Fix}$ command. If $\varDelta _{\textsf{B}}^{3} \ne \varDelta _{\textsf{B}}^{4}$ or $\varDelta _{\textsf{B}}^{4} \ne \varDelta _{\textsf{B}}^{5}$ then $\mathcal {S} _{\textsf{B}}$ sends $h \leftarrow \mathbb {F} _{2^\kappa } $ to $\mathcal {F}_\mathsf {[}$ EQ] and aborts to simulate $\textsf{CheckZero2}$. If $\varDelta _{\textsf{B}}^{5} \ne \varDelta _{\textsf{B}}^1$ (the latter one is from simulation of $\varPi _\textsf {[}$ samp]) or the $\{\beta _i\}$ inputs from step 3 are inconsistent then $\mathcal {S} _{\textsf{B}}$ aborts to simulate $\textsf{EQCheck}$.
13.
$\mathcal {S} _{\textsf{B}}$ receives ${\varvec{r}}\leftarrow \mathbb {F} _2^\kappa $ to simulate $\textsf{extend}$. Define $r:= \textsf{B2F} ({\varvec{r}})$. Then, it extracts $r \cdot \varDelta _{\textsf{B}}^6$ in the $\textsf{Fix}$ command.
14.
$\mathcal {S} _{\textsf{B}}$ simulates $\mathcal {F}_\mathsf {[}$ Rand] by sending $\chi \leftarrow \mathbb {F} _{2^\kappa } $ to $\mathcal {A} $. Define $y:= \sum _{k \in \mathcal {W}} \chi ^k \cdot {\tilde{b}}_k + r$.
15.
$\mathcal {S} _{\textsf{B}}$ receives ${y}^2$ from $\mathcal {A} $. If $y \ne {y}^2$ or $\varDelta _{\textsf{B}}^6 \ne \varDelta _{\textsf{B}}^1$ then $\mathcal {S} _{\textsf{B}}$ sends $h \leftarrow \mathbb {F} _{2^\kappa } $ to $\mathcal {F}_\mathsf {[}$ EQ] and aborts to simulate $\textsf{CheckZero2}$.
16.
If the $\hat{b}_k$ extracted in step 10 are incorrect then $\mathcal {S} _{\textsf{B}}$ aborts.

Now we argue that the ideal world and real world are indistinguishable by a series of hybrid experiments.

Hybrid 1 This is the real-world execution.
Hybrid 2 $\mathcal {S} _{\textsf{B}}$ extracts $\tilde{\varDelta }_{\textsf{B}}^{1}$ from the $\textsf{Fix}$ command in step 3. If $\textsf{msb} (\tilde{\varDelta }[\textsf{B} ]^1) \ne 1$ then $\mathcal {S} _{\textsf{B}}$ aborts. By Lemma 4, the two hybrids are $2^{-\rho }$-indistinguishable.
Hybrid 3 We make explicit the usage of $\varDelta _{\textsf{A}}$ in this hybrid and mark them in blue.
- In step 6 g we compute $h_\textsf{A} = \textsf{H} ( \textsf{D}_\textsf{B} [1_\textsf{B} ] \oplus \textsf{D}_\textsf{B} [1_\textsf{A} ] \oplus (\tilde{\varDelta }_\textsf{B} ^1 \oplus \varDelta _{\textsf{B}}^2) \varDelta _{\textsf{A}} ) $ where $\varDelta _{\textsf{B}}^2$ is extracted as in the previous simulation.
- In step 12 we compute $h_\textsf{A} $ in $\textsf{CheckZero2} (\langle {1_{\textsf{B}}^{(1)}}\rangle - \langle {1_{\textsf{B}}^{(2)}}\rangle , \langle {1_{\textsf{B}}^{(2)}}\rangle - \langle {1_{\textsf{B}}^{(3)}}\rangle )$ as $ \textsf{H} ( \textsf{D}_\textsf{B} [1_\textsf{B} ^{(1)}] \oplus \textsf{D}_\textsf{B} [1_\textsf{B} ^{(2)}] \oplus (\varDelta _{\textsf{B}}^{3} \oplus \varDelta _{\textsf{B}}^{4}) \varDelta _{\textsf{A}}, \textsf{D}_\textsf{B} [1_\textsf{B} ^{(2)}] \oplus \textsf{D}_\textsf{B} [1_\textsf{B} ^{(3)}] \oplus (\varDelta _{\textsf{B}}^{4} \oplus \varDelta _{\textsf{B}}^{5}) \varDelta _{\textsf{A}} )$. For the $\textsf{EQCheck}$ commands, we simulate them as $ \textsf{H} ( \textsf{M}[{\tilde{v}}_1]_{\varDelta } \oplus \textsf{M}[{\tilde{v}}_2]_{\varDelta '} \oplus (v_1 \oplus v_2) \varDelta \varDelta ' ) $ where $v_1, v_2$ are two values to be checked and $\varDelta , \varDelta '$ are two keys.
- In step 15, we compute $h_\textsf{A} $ as $ \textsf{H} ( \textsf{D}_\textsf{B} [y] \oplus y \cdot \textsf{D}_\textsf{B} [1] \oplus (e \varDelta _{\textsf{B}}^1 \oplus r (\varDelta _{\textsf{B}}^1 \oplus \varDelta _{\textsf{B}}^6) ) \varDelta _{\textsf{A}})$ where e is the error in y that $\mathcal {A} $ sends in step 15 and $\varDelta _{\textsf{B}}^6$ is defined as in the above simulation.
Since we merely rewrite the input inside the $\textsf{H} $ function, $\mathbf {Hybrid_{2}}$ and $\mathbf {Hybrid_{3}}$ are identical.
Hybrid 4 $\mathcal {S} _{\textsf{B}}$ replaces the blue terms in the previous hybrid with uniform randomness. Since the preimage in the blue terms are uniformly random to $\mathcal {A} $, except with probability $\frac{\tau + 1}{2^\kappa }$ the blue values are uniformly random ($\tau $ upper bounds the running time of ${{\mathcal {A} }} $). Thus, $\mathbf {Hybrid_{3}}$ and $\mathbf {Hybrid_{4}}$ are $\frac{\tau + 1}{2^\kappa }$-indistinguishable.^{Footnote 6}
Hybrid 5 $\mathcal {S} _{\textsf{B}}$ sends $\textsf{true}$ to $\mathcal {A} $ and locally verify the multiplicative relation to simulate $\mathcal {F}_\mathsf {[}$ DVZK] in all subsequent hybrids. Since the functionality $\mathcal {F}_\mathsf {[}$ DVZK] is ideal, the two hybrids are identically distributed.
Hybrid 6 $\mathcal {S} _{\textsf{B}}$ receives the message $m_{\textsf{B}}^2$ from $\mathcal {A} $. If $m_\textsf{B} ^2 \ne \textsf{lsb} (\textsf{D}_\textsf{B} [y_1]),...,\textsf{lsb} (\textsf{D}_\textsf{B} [y_\rho ])$ then $\mathcal {S} _{\textsf{A}}$ aborts. By Lemma 4 the two hybrids are $2^{-\rho }$-indistinguishable.
Hybrid 7 If $\tilde{\varDelta }_{\textsf{B}}^1 \ne \varDelta _{\textsf{B}}^2$ in step 3 then $\mathcal {S} _{\textsf{B}}$ aborts. Since $h_\textsf{A} $ is uniformly random to $\mathcal {A} $, $\mathbf {Hybrid_{6}}$ and $\mathbf {Hybrid_{7}}$ are $2^{-\kappa }$-indistinguishable.
Hybrid 8 Let $\varDelta _{\textsf{B}}^{3}$ and $\varDelta _{\textsf{B}}^{4}$ be the $\textsf{init}$ command input of $\mathcal {A} $ in step 4 and step 5, respectively. Let $(\varDelta _{\textsf{B}})^{5}$ be the input of $\textsf{Fix}$ in step 12. If $\varDelta _{\textsf{B}}^{3} \ne \varDelta _{\textsf{B}}^{4}$ or $\varDelta _{\textsf{B}}^{4} \ne \varDelta _{\textsf{B}}^{5}$ then $\mathcal {S} _{\textsf{B}}$ aborts to simulate $\textsf{CheckZero2}$. Using the previous argument, the two hybrids are $2 \cdot 2^{-\kappa }$-indistinguishable.
Hybrid 9 In step 12, if the input to $\textsf{EQCheck}$ does not equal then $\mathcal {S} _{\textsf{B}}$ aborts. Since the $h_\textsf{A} $ values are uniformly random to $\mathcal {A} $, $\mathbf {Hybrid_{8}}$ and $\mathbf {Hybrid_{9}}$ are $2 \cdot 2^{-\kappa }$-indistinguishable.
Hybrid 10 If the $y^2$ that $\mathcal {A} $ sends in step 15 does not satisfy $ y^2 = \sum _{k \in \mathcal {W}} \chi ^k \cdot {\tilde{b}}_k + r $ or $\varDelta _{\textsf{B}}^6 \ne \varDelta _{\textsf{B}}^1$ then $\mathcal {S} _{\textsf{B}}$ aborts. The two hybrids are $2^{-\kappa }$-indistinguishable.
Hybrid 11 If the $\hat{b}_k$ are incorrect in step 10 then $\mathcal {S} _{\textsf{B}}$ aborts in step 16. By the Schwartz–Zippel lemma, the two hybrids are ($\frac{t + 1}{2^{\kappa }}$)-indistinguishable. This is the ideal-world execution.

Therefore, in the corrupted ${\mathsf{P_{B}}} $ case the real-world and ideal world executions are ($\frac{2}{2^{\rho }} + \frac{t + \tau + 8}{2^{\kappa }} $)-indistinguishable.

We conclude that the protocol $\varPi _\textsf {[} cpre]$ in Figs. 5 and 6 securely computes the $\varPi _\textsf {[} cpre]$ functionality in Fig. 3 in the ($\mathcal {F}_\mathsf {[}$ COT], $\mathcal {F}_\mathsf {[}$ bCOT], $\mathcal {F}_\mathsf {[}$ DVZK], $\mathcal {F}_\mathsf {[}$ EQ], $\mathcal {F}_\mathsf {[}$ Rand])-hybrid model. $\square $

1.4 Proofs of Security Lemmas in Dual Execution

In this subsection, we prove that with compressed preprocessing $\mathcal {F}_\mathsf {[} cpre]$, the KRRW distributed garbling scheme still has $2^{-\rho }$-selective failure resilience. This is essentially a formalization of the results in the work of Dittmer et al. [19, Appendix B.2].

Proof of Lemma 8

Observe the equation $z_w = a_w \oplus b_w \oplus \varLambda _w$. Fixing an arbitrary $ {\varvec{y}}\in \mathbb {F}_2^{|\mathcal {I} _\textsf{A} |}$, we analyze the event $ \textsf{Bad}_{{\varvec{y}}}$ inductively. Consider the following pebbling game, where we consider every input wire, internal gate and output wire as nodes on a DAG and place a pebble on that node once the wire label and masked value for that wire/gate output is known. Specifically, we place a blue pebble if the masked value of that wire is always correct and a red pebble if the probability that the wire value is inconsistent with respect to its two predecessor wires (denote this event as $\textsf{Bad}'_{{\varvec{y}}}$) is nonzero.

Initially, we can place blue pebbles on all input wires, since they are correct by definition.

As an inductive step, given the preprocessing information and garbler’s share of the garbled circuit $\mathcal{G}\mathcal{C} _\textsf{A} $ (possibly malformed), the evaluator’s share $\mathcal{G}\mathcal{C} _\textsf{B} $, we can pebble those gates whose two input wires are both pebbled. If this is an XOR gate, we place a blue pebble. Otherwise (this is an AND gate), we can identify the errors in the bit position where the evaluator extracts the masked wire value (usually this is the LSB). Denote this gate as $(i,j,k,\wedge )$, if there are errors in $G_{k,0}$ or $G_{k,1}$ then we place a red pebble on this gate. If there are no errors regardless of the choice of $\varLambda _i, \varLambda _j$ then we place a blue pebble.

Inductively, we can go through the entire DAG until all nodes are pebbled. Notice that the event $ \textsf{Bad}_{{\varvec{y}}}$ occurs if the event $\textsf{Bad}'_{{\varvec{y}}}$ occurs on any of the nodes with red pebbles. Let $\ell $ be the number of red pebble nodes and consider the following two cases.

$\ell \le \rho $: In this case, the ($2\rho $, L)-independence of $\textbf{M}$ ensures that the $\varLambda _w$ values that underlie all the $\textsf{Bad}'$ events are completely masked by ${\varvec{b}}$ and so probability of Bad is independent of the evaluator’s input.
$\ell > \rho $: In this case, the event $ \textsf{Bad}_{{\varvec{y}}}$ not happening implies that $\rho $ consecutive coin flips all equal to head, which occurs except with probability $2^{-\rho }$.

Therefore, for different evaluator’s inputs ${\varvec{y}}$ and ${\varvec{y}}'$, the probabilities of $\textsf {Bad}_{{\varvec{y}}}$ and $ \textsf{Bad}_{{\varvec{y}}'}$ differ with at most $2^{-\rho }$ probability. In other words, the KRRW scheme with compressed preprocessing is $2^{-\rho }$-selective failure resilient. $\square $

Proof of Lemma 10

We prove that the difference of the $V_w^\textsf{A} $ and $V_w^\textsf{B} $ values in the consistency checking phase actually captures the error on the wire w (indicating whether the result of w is flipped).

In particular, we can rewrite $V_w^{\textsf{B}}$ using the notations from Lemma 9.

$$\begin{aligned} V_w^{\textsf{B}}&= (b_w \oplus b_w' \oplus \varLambda _w) \varDelta _{\textsf{B}} \oplus \textsf{M}_{\textsf{B}}[b_w \oplus b_w' \oplus \varLambda _w] \oplus \textsf{K}_{\textsf{B}}[a_w \oplus a_w' \oplus \varLambda _w'] \\&= (b_w \oplus b_w' \oplus \varLambda _w) \varDelta _{\textsf{B}} \oplus (b_w \oplus b_w' \oplus \varLambda _w) \varDelta _{\textsf{A}} \oplus \textsf{K}_{\textsf{A}}[b_w \oplus b_w' \oplus \varLambda _w] \\&\qquad \oplus (a_w \oplus a_w' \oplus \varLambda _w') \varDelta _{\textsf{B}} \oplus \textsf{M}_{\textsf{A}}[a_w \oplus a_w' \oplus \varLambda _w'] \\&\qquad \oplus (a_w \oplus a_w' \oplus \varLambda _w') \varDelta _{\textsf{A}} \oplus (a_w \oplus a_w' \oplus \varLambda _w') \varDelta _{\textsf{A}} \\&= (a_w \oplus b_w \oplus \varLambda _w \oplus a_w' \oplus b_w' \oplus \varLambda _w') \varDelta _{\textsf{B}} \\&\qquad \oplus (a_w \oplus b_w \oplus \varLambda _w \oplus a_w' \oplus b_w' \oplus \varLambda _w') \varDelta _{\textsf{A}} \\&\qquad \oplus \textsf{K}_{\textsf{A}}[b_w \oplus b_w' \oplus \varLambda _w] \oplus \textsf{M}_{\textsf{A}}[a_w \oplus a_w' \oplus \varLambda _w'] \oplus (a_w \oplus a_w' \oplus \varLambda _w') \varDelta _{\textsf{A}} \\&= V_w^{\textsf{A}} \oplus e_w \cdot (\varDelta _{\textsf{A}} \oplus \varDelta _{\textsf{B}}) \hspace{5.0pt}. \end{aligned}$$

$\square $

1.5 Proof of Theorem 2

In this subsection, we prove the security of the two-party computation protocol $\varPi _\textsf {[}$ 2PC] based on dual execution as shown in Figs. 7 and 8.

Proof

We first prove the security against a malicious ${\mathsf{P_{A}}} $ and then prove the case for a malicious ${\mathsf{P_{B}}} $. The running time of $\mathcal {A} $ is bounded by $\tau = \textsf{poly}(\kappa )$. We first describe the simulator and then argue its effectiveness through a series of hybrid experiments. In the following, we simulate the random oracle by recording all the query-answer pairs and answer the queries from ${{\mathcal {A} }} $ consistently.

Simulator ${\mathcal {S} _{\textsf{A}}} $ for malicious ${\mathsf{P_{A}}} $

1–3
During the simulation of $\mathcal {F}_\mathsf {[}$ cpre], $\mathcal {S} _{\textsf{A}}$ receives $\varDelta _{\textsf{A}}$, ${\varvec{a}}$, $\hat{{\varvec{a}}}$, $\textsf{M}_\textsf{A} [{\varvec{a}}]$, $\textsf{M}_\textsf{A} [\hat{{\varvec{a}}}]$, $\textsf{K}_\textsf{A} [{\varvec{b}}^*]$, and $\textsf{K}_\textsf{A} [\hat{{\varvec{b}}}]$ from ${{\mathcal {A} }} $ and locally records those values. Then, $\mathcal {S} _{\textsf{A}}$ internally samples $ {\varvec{b}}^*, \hat{{\varvec{b}}} $ and computes $\textsf{K}_\textsf{A} [{\varvec{b}}^*], \textsf{K}_\textsf{A} [\hat{{\varvec{b}}}]$ accordingly. Then, the wire masks $a_w, b_w$ for each wire w in the circuit are derived according to the protocol. $\mathcal {S} _{\textsf{A}}$ also receives $\mathcal{G}\mathcal{C} _\textsf{A} $ from ${{\mathcal {A} }} $.
4.
$\mathcal {S} _{\textsf{A}}$ receives the wire masks and labels $(\varLambda _w, \textsf{L} _{w, \varLambda _w})$ for each $w \in \mathcal {I} _\textsf{A} $ and extracts the input ${\varvec{x}}$ of ${{\mathcal {A} }} $ by computing $x_w:= \varLambda _w \oplus a_w$. $\mathcal {S} _{\textsf{A}}$ sends the extracted input ${\varvec{x}}$ to $\mathcal {F}_\mathsf {[} 2PC]$.
5.
$\mathcal {S} _{\textsf{A}}$ uses the all-zero input ${\varvec{y}}$ (i.e., $\varLambda _w = b_w$) to simulate the $\textsf{Fix}$ command. Then, it receives $m_{w, 0}, m_{w, 1}$ for $w \in \mathcal {I} _\textsf{B} $ and computes the input label $\textsf{L} _{w, \varLambda _w}:= m_{w, \tilde{\varLambda }_w} \oplus \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{B} [\tilde{\varLambda }_w], w \Vert 0)$.
6.
$\mathcal {S} _{\textsf{A}}$ simulates the $\textsf{Open}$ command with $\mathcal {A} $.
7.
Using the information from preprocessing and the adversary’s random tape, $\mathcal {S} _{\textsf{A}}$ defines the additive error for each AND gate k as $e_{k,0}^{\textsf{A}}, e_{k,1}^{\textsf{A}}$. $\mathcal {S} _{\textsf{A}}$ then evaluates the garbled circuit using the information from previous simulation and derives the result $\{\varLambda _{w}, \textsf{L} _{w, \varLambda _{w}}\}$.
8.
$\mathcal {S} _{\textsf{A}}$ simulates the preprocessing functionality $\mathcal {F}_\mathsf {[}$ cpre] by receiving $({\varvec{a}}^*)'$, $\hat{{\varvec{a}}}'$, $\textsf{M}_\textsf{A} [({\varvec{a}}^*)']$, $\textsf{M}_\textsf{A} [\hat{{\varvec{a}}}']$, $\textsf{K}_\textsf{A} [{\varvec{b}}']$, and $\textsf{K}_\textsf{A} [\hat{{\varvec{b}}}']$ from $\mathcal {A} $. $\mathcal {S} _{\textsf{A}}$ randomly samples ${\varvec{b}}', \hat{{\varvec{b}}}'$ and computes $\textsf{M}_\textsf{A} [{\varvec{b}}']$, $\textsf{M}_\textsf{A} [\hat{{\varvec{b}}}']$ accordingly.
9.
$\mathcal {S} _{\textsf{A}}$ simulates the garbling process by generating $\mathcal{G}\mathcal{C} _\textsf{B} '$ and the active path (the labels to be acquired by $\mathcal {A} $) topologically as follows.
- For an XOR gate $(i,j,k,\oplus )$, $\mathcal {S} _{\textsf{A}}$ defines $\varLambda _k' = \varLambda _i' \oplus \varLambda _j'$ and $\textsf{L} '_{k, \varLambda _k'} = \textsf{L} '_{i, \varLambda _i'} \oplus \textsf{L} '_{j, \varLambda _j'}$.
- For an AND gate $(i,j,k,\wedge )$, $\mathcal {S} _{\textsf{A}}$ samples $\varLambda _k' \leftarrow \mathbb {F}_2$ and generates $G'_{k,0} \leftarrow \mathbb {F}_{2^\kappa }$, $G'_{k,1} \leftarrow \mathbb {F}_{2^\kappa }$. Then, $\mathcal {S} _{\textsf{A}}$ evaluates $\textsf{L} '_{k,\varLambda _k'}$ according to the protocol specification in KRRW and defines $c'_k = \textsf{ExtBit} (\textsf{L} '_{k,\varLambda _k'}) \oplus \varLambda _k'$.
Finally, $\mathcal {S} _{\textsf{A}}$ sends the simulated $\mathcal{G}\mathcal{C} _\textsf{B} '$ to $\mathcal {A} $.
10.
$\mathcal {S} _{\textsf{A}}$ simulates the online phase as follows.
1. (a)
  For each $w \in \mathcal {I} _\textsf{B} $, $\mathcal {S} _{\textsf{A}}$ uses the all-zero input ${\varvec{y}}$ and sends $ ( \varLambda _w', \textsf{L} '_{w, \varLambda '_w} ) $ to $\mathcal {A} $.
2. (b)
  For each $w \in \mathcal {I} _\textsf{A} $, $\mathcal {S} _{\textsf{A}}$ extracts the input ${\varvec{x}}'$ of $\mathcal {A} $ by simulating the $\textsf{Fix}$ command. Then, $\mathcal {S} _{\textsf{A}}$ simulates the message $m'_{w, \varLambda _w'}:= \textsf{H} _{\textsf{tcr}}(\textsf{M}_\textsf{A} [\varLambda _w'], w \Vert 1 ) \oplus \textsf{L} _{w, \varLambda _w'}' $ and $m'_{w, \bar{\varLambda }_w'} \leftarrow {{\{0,1\}}^{\kappa }} $ for $w \in \mathcal {I} _\textsf{A} $ and sends them to $\mathcal {A} $.
3. (c)
  $\mathcal {S} _{\textsf{A}}$ simulates the $\textsf{Open}$ command by opening $\varLambda '_w \oplus \tilde{\varLambda }_w' $ for $w \in \mathcal {I} _\textsf{A} $. Since $\mathcal {S} _{\textsf{A}}$ knows the key $\varDelta _{\textsf{A}}$ this can be done efficiently.
4. (d)
  $\mathcal {S} _{\textsf{A}}$ locally defines $\textsf{M}_\textsf{A} [\varLambda _w']$ for $w \in \mathcal {W} $ using $\textsf{Eval}$.
11.
$\mathcal {S} _{\textsf{A}}$ receives ${\tilde{h}}_\textsf{A} $ from $\mathcal {A} $ and locally computes $h_\textsf{A} $ according to the protocol specification. Then, we define $e_w$ to be the error for wire $w \in \mathcal {W} \cup \mathcal {I} $ as follows. For each input wire $w \in \mathcal {I} _\textsf{A} $ define $e_w:= x_w \oplus x'_w$, for $w \in \mathcal {I} _\textsf{B} $ define $e_w = 0$, and for the AND gate $(i,j,k,\wedge )$ define $e_k:= (\varLambda _i \oplus a_i \oplus b_i) \cdot (\varLambda _j \oplus a_j \oplus b_j) \oplus \varLambda _k \oplus a_k \oplus b_k $. $\mathcal {S} _{\textsf{A}}$ checks that ${\tilde{h}}_\textsf{A} = h_\textsf{A} $ and $e_w = 0$ for all $w \in \mathcal {W} \cup \mathcal {I} $. If not then $\mathcal {S} _{\textsf{A}}$ sends $\textsf{abort}$ to $\mathcal {F}_\mathsf {[}$ 2PC], otherwise it sends $\textsf{continue}$.
12.
$\mathcal {S} _{\textsf{A}}$ checks that $\mathcal {A} $ sends the correct MAC tag $\textsf{M}_\textsf{A} [a_w]$ for $w \in \mathcal {O} $. If not it sends $\textsf{abort}$, otherwise it sends $\textsf{continue}$.

Now consider the series of hybrids where the first one is the real protocol execution and the last one is the above simulated execution.

Hybrid 1 This is the real execution where ${\mathcal {S} _{\textsf{A}}} $ plays the role of an honest ${\mathsf{P_{B}}} $ using the actual input ${\varvec{y}}$.
Hybrid 2 In this hybrid, we make explicit the usage of the honest party’s secret $\varDelta _{\textsf{B}}$ and mark them in blue. In particular,
- In step 10b $\mathcal {S} _{\textsf{A}}$ generates $m'_{w,\varLambda _w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{A} [\tilde{\varLambda }'_w], w \Vert 1) \oplus \textsf{L} '_{w, \varLambda '_w}$ and $m'_{w, \bar{\varLambda }'_w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{A} [\tilde{\varLambda }'_w] \oplus \Gamma _\textsf{B}, w \Vert 1) \oplus \varDelta _{\textsf{B}}$ $\oplus \, \textsf{L} '_{w, \varLambda '_w}$ for $w \in \mathcal {I} _\textsf{A} $.
- In step 11b $\mathcal {S} _{\textsf{A}}$ computes the checking value $h_\textsf{B} $ as $ \textsf{H} ( \{ V_i^\textsf{A} \oplus e_w \cdot \varDelta _{\textsf{A}} \oplus e_w \cdot \varDelta _{\textsf{B}} \} )$, where $e_w$ is the error for each wire $w \in \mathcal {W} \cup \mathcal {I} $ during $\textsf{Eval}$ in step 7.
- In step 9 $\mathcal {S} _{\textsf{A}}$ generates each gate in the garbled circuit $\mathcal{G}\mathcal{C} _\textsf{B} '$ as follows. The XOR gates are garbled as usual, while the AND gates are garbled as $G'_{k,0} = \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{i, \varLambda _i'}', w \Vert 10) \oplus \textsf{K}[a_j'] \oplus \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{i, \varLambda _i'}' \oplus \varDelta _{\textsf{B}}, w \Vert 10) \oplus b_j' \cdot \varDelta _{\textsf{B}} $ and $G'_{k,1} = \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{j, \varLambda _j'}', w \Vert 11) \oplus \textsf{K}[a_i'] \oplus \textsf{L} _{i, \varLambda _i'}' \oplus \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{j, \varLambda _j'}' \oplus \varDelta _{\textsf{B}}, w \Vert 11) \oplus (b_i' \oplus \varLambda _i') \cdot \varDelta _{\textsf{B}} $ while the output label $\textsf{L} '_{k, \varLambda '_k}$ is derived using the $\textsf{Eval}$ algorithm.
The first two changes make no difference to the view of the adversary since we just rewrite the hash function input. Due to the observation in Lemma 10, the third change also brings no change to the adversary’s view. Therefore, $\mathbf {Hybrid_{1}}$ and $\mathbf {Hybrid_{2}}$ are identically distributed.
Hybrid 3 In this hybrid, we replace the first blue term with uniformly random values. Due to the tweakable correlation robust property, $\mathbf {Hybrid_{2}}$ and $\mathbf {Hybrid_{3}}$ are $\epsilon _\textsf{tcr} $-indistinguishable.
Hybrid 4 In this hybrid, we replace the second blue term with uniformly random values if $e_w \ne 0$ for some $w \in \mathcal {I} \cup \mathcal {W} $. Except when $\mathcal {A} $ queries the value $V_i^\textsf{A} \oplus e_w \cdot \varDelta _{\textsf{A}} \oplus e_w \cdot \varDelta _{\textsf{B}}$ the random permuted output appears uniformly random to $\mathcal {A} $. Thus, $\mathbf {Hybrid_{3}}$ and $\mathbf {Hybrid_{4}}$ are $\frac{\tau }{2^\kappa }$-indistinguishable.
Hybrid 5 In this hybrid, we replace the third blue term with uniformly random values. Due to the circular correlation robust under naturally derived keys property, $\mathbf {Hybrid_{4}}$ and $\mathbf {Hybrid_{5}}$ are $\epsilon _\textsf{ccrnd} $-indistinguishable.
Hybrid 6 In this hybrid, we change the simulation of the checking phase. Namely, $\mathcal {S} _{\textsf{A}}$ sends $\textsf{abort}$ whenever $e_w \ne 0$ for a wire $w \in \mathcal {W} $. If $e_w \ne 0$ in $\mathbf {Hybrid_{4}}$ then $h_\textsf{B} $ is uniformly random in the view of $\mathcal {A} $, therefore an honest $\mathsf P_{B}$ would abort except with probability $2^{-\kappa }$. $\mathbf {Hybrid_{5}}$ and $\mathbf {Hybrid_{6}}$ are $2^{-\kappa }$-indistinguishable.
Hybrid 7 In this hybrid, we change the input of $\mathsf P_{B}$ from ${\varvec{y}}$ to all zeros. Since in step 5 $\mathsf P_{B}$ ’s input is completely masked the view of $\mathcal {A} $ is not changed. As for the honest party’s output, due to Lemma 8 the probability that $\mathsf P_{B}$ aborts changes at most with probability $2^{-\rho }$. Therefore, $\mathbf {Hybrid_{6}}$ and $\mathbf {Hybrid_{7}}$ are $2^{-\rho }$-indistinguishable. This is exactly the ideal distribution.

Altogether, the ideal-world and real-world executions are ($\epsilon _{\textsf{tcr}} + \epsilon _\textsf{ccrnd} + \frac{\tau + 1}{2^\kappa } + \frac{1}{2^\rho } $)-indistinguishable in the corrupted ${\mathsf{P_{A}}} $ case.

Simulator ${\mathcal {S} _{\textsf{B}}} $ for malicious ${\mathsf{P_{B}}} $

1–3
During the simulation of $\mathcal {F}_\mathsf {[}$ cpre], $\mathcal {S} _{\textsf{B}}$ receives $\varDelta _{\textsf{B}}$, ${\varvec{b}}^*$, $\hat{{\varvec{b}}}$, $\textsf{M}_\textsf{B} [{\varvec{b}}^*]$, $\textsf{M}_\textsf{B} [\hat{{\varvec{b}}}]$, $\textsf{K}_\textsf{B} [{\varvec{a}}]$, and $\textsf{K}_\textsf{B} [\hat{{\varvec{a}}}]$ from ${{\mathcal {A} }} $ and locally records those values. Then $\mathcal {S} _{\textsf{B}}$ internally samples $ {\varvec{a}}, \hat{{\varvec{a}}} $ and computes $\textsf{K}_\textsf{B} [{\varvec{a}}], \textsf{K}_\textsf{B} [\hat{{\varvec{a}}}]$ accordingly. Then, the wire masks $a_w, b_w$ for each wire w in the circuit are derived according to the protocol. $\mathcal {S} _{\textsf{B}}$ simulates the garbling phase by generating $\mathcal{G}\mathcal{C} _\textsf{A} $ and the active path (the labels to be acquired by $\mathcal {A} $) topologically as follows.
- For an XOR gate $(i,j,k,\oplus )$, $\mathcal {S} _{\textsf{B}}$ defines $\varLambda _k = \varLambda _i \oplus \varLambda _j$ and $\textsf{L} _{k, \varLambda _k} = \textsf{L} _{i, \varLambda _i} \oplus \textsf{L} _{j, \varLambda _j}$.
- For an AND gate $(i,j,k,\wedge )$, $\mathcal {S} _{\textsf{A}}$ samples $\varLambda _k \leftarrow \mathbb {F}_2$ and generates $G_{k,0} \leftarrow \mathbb {F}_{2^\kappa }$, $G_{k,1} \leftarrow \mathbb {F}_{2^\kappa }$. Then, $\mathcal {S} _{\textsf{A}}$ evaluates $\textsf{L} _{k,\varLambda _k}$ according to the protocol specification in KRRW and defines $c_k = \textsf{ExtBit} (\textsf{L} _{k,\varLambda _k}) \oplus \varLambda _k$.
Finally, $\mathcal {S} _{\textsf{B}}$ sends the simulated $\mathcal{G}\mathcal{C} _\textsf{A} $ to $\mathcal {A} $.
4.
$\mathcal {S} _{\textsf{B}}$ sets $\varLambda _w = a_w $ (using all-zero inputs) and then sends $\varLambda _w, \textsf{L} _{w, \varLambda _w}$ for $w \in \mathcal {I} _\textsf{A} $ to $\mathcal {A} $.
5.
$\mathcal {S} _{\textsf{B}}$ simulates the $\textsf{Fix}$ command and extracts the input ${\varvec{y}}$ of $\mathcal {A} $ and sends it to $\mathcal {F}_\mathsf {[}$ 2PC]. Then, $\mathcal {S} _{\textsf{B}}$ generates the input messages $m_{w, \varLambda _w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{B} [\tilde{\varLambda }_w], w \Vert 0) \oplus \textsf{L} _{w, \varLambda _w} $ and $m_{\bar{\varLambda }_w} \leftarrow \mathbb {F}_{2^\kappa }$ and sends them to $\mathcal {A} $.
6.
$\mathcal {S} _{\textsf{B}}$ simulates the $\textsf{Open}$ command by opening $\varLambda _w \oplus \tilde{\varLambda }_w $ for $w \in \mathcal {I} _\textsf{B} $. Since $\mathcal {S} _{\textsf{B}}$ knows the key $\varDelta _{\textsf{B}}$ this can be done efficiently.
7.
$\mathcal {S} _{\textsf{B}}$ locally defines $\textsf{M}_\textsf{B} [\varLambda _w]$ for $w \in \mathcal {W} $ using $\textsf{Eval}$.
8–9
$\mathcal {S} _{\textsf{B}}$ simulates the preprocessing functionality $\mathcal {F}_\mathsf {[}$ cpre] by receiving ${\varvec{b}}'$, $\hat{{\varvec{b}}}'$, $\textsf{M}_\textsf{B} [{\varvec{b}}']$, $\textsf{M}_\textsf{B} [\hat{{\varvec{b}}}']$, $\textsf{K}_\textsf{B} [({\varvec{a}}^*)']$, and $\textsf{K}_\textsf{B} [\hat{{\varvec{a}}}']$ from $\mathcal {A} $. $\mathcal {S} _{\textsf{A}}$ randomly samples $({\varvec{a}}^*)', \hat{{\varvec{a}}}'$ and computes $\textsf{M}_\textsf{A} [({\varvec{a}}^*)']$, $\textsf{M}_\textsf{A} [\hat{{\varvec{a}}}']$ accordingly. $\mathcal {S} _{\textsf{B}}$ receives the garbled circuit $\mathcal{G}\mathcal{C} '_\textsf{B} $ from $\mathcal {A} $. Using the information from preprocessing and the adversary’s random tape, $\mathcal {S} _{\textsf{B}}$ defines the additive error for each AND gate k as $(e')_{k,0}^{\textsf{B}}, (e')_{k,1}^{\textsf{B}}$.
10.
$\mathcal {S} _{\textsf{B}}$ simulates the online phase as follows.
1. (a)
  For each $w \in \mathcal {I} _\textsf{B} $ $\mathcal {S} _{\textsf{B}}$ receives $\varLambda '_w, \textsf{L} '_{w, \varLambda '_w}$ and recovers the input of $\mathcal {A} $ as ${\varvec{y}}'$.
2. (b)
  $\mathcal {S} _{\textsf{B}}$ simulates the $\textsf{Fix}$ command and recovers the input labels $ \textsf{L} '_{w, \varLambda '_w}$ for $w \in \mathcal {I} _\textsf{A} $.
3. (c)
  $\mathcal {S} _{\textsf{B}}$ simulates the $\textsf{Open}$ command with $\mathcal {A} $.
4. (d)
  $\mathcal {S} _{\textsf{B}}$ evaluates the garbled circuit using the information from previous simulation and derives the result $\{\varLambda '_w, \textsf{L} '_{w, \varLambda '_w}\}$ for $w \in \mathcal {W} $.
11.
$\mathcal {S} _{\textsf{B}}$ checks that the $\varLambda '_w$ values derived from the evaluation of $\mathcal{G}\mathcal{C} '_\textsf{A} $ and $\mathcal{G}\mathcal{C} '_\textsf{B} $ are consistent with $\mathcal {C} (0, {\varvec{y}})$ and that ${\varvec{y}}= {\varvec{y}}'$. In particular, for each AND gate $(i,j,k,\wedge )$, $\mathcal {S} _{\textsf{A}}$ checks that $(\varLambda '_i \oplus a'_i \oplus b'_i) \cdot (\varLambda '_j \oplus a'_j \oplus b'_j) = \varLambda '_k \oplus a'_k \oplus b'_k$. If not then $\mathcal {S} _{\textsf{B}}$ samples $h_\textsf{A} \leftarrow \mathbb {F}_{2^\kappa }$ and sends it to $\mathcal {A} $. Otherwise, $\mathcal {S} _{\textsf{B}}$ computes $h_\textsf{B} = \textsf{H} ( \{ V_w \}_{w \in \mathcal {I} \cup \mathcal {W}} ) $ according to protocol specification and sends it to $\mathcal {A} $.
12.
If the previous step does not abort, then $\mathcal {S} _{\textsf{B}}$ receives the correct output $z_w$ from $\mathcal {F}_\mathsf {[}$ 2PC] for $w \in \mathcal {O} $. Then, $\mathcal {S} _{\textsf{B}}$ sends the corrected MAC tag $\textsf{M}_\textsf{A} [a_w] \oplus (z^0_w \oplus z_w) \cdot \varDelta _{\textsf{B}}$ to $\mathcal {A} $, simulating the $\textsf{Open}$ command. Here, ${\varvec{z}}^0$ denotes the output value of $\mathcal {C} (0, {\varvec{y}})$.

Hybrid 1 This is the real execution where $\mathcal {S} _{\textsf{B}}$ plays the role of an honest ${\mathsf{P_{A}}} $ using the actual input ${\varvec{x}}$.
Hybrid 2 In this hybrid, we make explicit the usage of the honest party’s secret $\varDelta _{\textsf{A}}$ and mark them in blue. In particular,
- In step 5 $\mathcal {S} _{\textsf{B}}$ generates $m_{w,\varLambda _w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{B} [\tilde{\varLambda }_w], w \Vert 0) \oplus \textsf{L} _{w, \varLambda _w}$ and $m_{w, \bar{\varLambda }_w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{B} [\tilde{\varLambda }_w] \oplus \Gamma _\textsf{B}, w \Vert 1) \oplus \varDelta _{\textsf{A}}$ $\oplus \, \textsf{L} _{w, \varLambda _w}$ for $w \in \mathcal {I} _\textsf{B} $.
- In step 11b $\mathcal {S} _{\textsf{B}}$ computes the checking value $h_\textsf{A} $ as $ \textsf{H} ( \{ V_i^\textsf{B} \oplus e_w \cdot \varDelta _{\textsf{B}} \oplus e_w \cdot \varDelta _{\textsf{B}} \} )$, where $e_w$ is the error for $w \in \mathcal {W} \cup \mathcal {I} $ during $\textsf{Eval}$ in step 10d.
- In step 3 $\mathcal {S} _{\textsf{B}}$ generates each gate in the garbled circuit $\mathcal{G}\mathcal{C} _\textsf{A} $ as follows. The XOR gates are garbled as usual, while the AND gates are garbled as $G_{k,0} = \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{i, \varLambda _i}, w \Vert 00) \oplus \textsf{K}[b_j] \oplus \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{i, \varLambda _i} \oplus \varDelta _{\textsf{A}}, w \Vert 00) \oplus a_j \cdot \varDelta _{\textsf{A}} $ and $G_{k,1} = \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{j, \varLambda _j}, w \Vert 01) \oplus \textsf{K}[b_i] \oplus \textsf{L} _{i, \varLambda _i} \oplus \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{j, \varLambda _j} \oplus \varDelta _{\textsf{A}}, w \Vert 01) \oplus (a_i \oplus \varLambda _i) \cdot \varDelta _{\textsf{A}} $ while the output label $\textsf{L} _{k, \varLambda _k}$ is derived using the $\textsf{Eval}$ algorithm.
Due to the observation in Lemma 10, the third change also brings no change to the adversary’s view. Therefore, $\mathbf {Hybrid_{1}}$ and $\mathbf {Hybrid_{2}}$ are identically distributed.
Hybrid 3 In this hybrid, we replace the first blue term in $\mathbf {Hybrid_{2}}$ with uniformly random values. Due to the tweakable correlation robust property of $\textsf{H} _{\textsf{tcr}}$, $\mathbf {Hybrid_{2}}$ and $\mathbf {Hybrid_{3}}$ are $\epsilon _\textsf{tcr} $-indistinguishable.
Hybrid 4 In this hybrid, we replace the second blue term in $\mathbf {Hybrid_{2}}$ with uniformly random values if $e_w \ne 0$ for some $w \in \mathcal {W} \cup \mathcal {I} $. Except when $\mathcal {A} $ queries the value $V_i^\textsf{B} \oplus e_w \cdot \varDelta _{\textsf{A}} \oplus e_w \cdot \varDelta _{\textsf{B}}$ the random permuted output appears uniformly random to $\mathcal {A} $. Thus, $\mathbf {Hybrid_{3}}$ and $\mathbf {Hybrid_{4}}$ are $\frac{\tau }{2^\kappa }$-indistinguishable.
Hybrid 5 In this hybrid, we replace the third blue term in $\mathbf {Hybrid_{2}}$ with uniformly random values. Due to the circular correlation robust under naturally derived keys property, $\mathbf {Hybrid_{4}}$ and $\mathbf {Hybrid_{5}}$ are $\epsilon _\textsf{ccrnd} $-indistinguishable.
Hybrid 6 In this hybrid, we change the input of $\mathsf P_{A}$ from ${\varvec{x}}$ to all zeros. Since in step 4 $\mathsf P_{A}$ ’s input is completely masked the view of $\mathcal {A} $ is not changed. As for the honest party’s output, due to Lemma 8 the probabilities that $ \exists w \in \mathcal {W}, e_w = 0$ under any pair of input values differ changes at most with probability $2^{-\rho }$. Therefore, $\mathbf {Hybrid_{3}}$ and $\mathbf {Hybrid_{4}}$ are $2^{-\rho }$-indistinguishable. This is exactly the ideal distribution.

Altogether, the ideal-world and real-world executions are ($\epsilon _{\textsf{tcr}} + \epsilon _\textsf{ccrnd} + \frac{\tau }{2^\kappa } + 2^{-\rho }$)-indistinguishable in the corrupted ${\mathsf{P_{B}}} $ case. This implies that the protocol $\varPi _\textsf {[} 2PC]$ shown in Figs. 7 and 8 securely realizes $\mathcal {F}_\mathsf {[} 2PC]$ against malicious adversary in the $\mathcal {F}_\mathsf {[} cpre],\mathcal {F}_\mathsf {[} COT]$-hybrid model. $\square $

1.6 Proof of Lemma 11

In this subsection, we prove the soundness of the consistency checking procedure in Fig. 10.

Proof

Let $e_k:= (a_i \oplus b_i \oplus \varLambda _i) \cdot (a_j \oplus b_j \oplus \varLambda _j) \oplus (a_k \oplus b_k \oplus \varLambda _k)$ be the error of the output wire for an AND gate $(i,j,k,\wedge )$. Then, we can show that the errors are captured in the XOR of $h_\textsf{A} $ and $h_\textsf{B} $.

In particular, we can rewrite $h_\textsf{B} $ as follows.

$$\begin{aligned} h_\textsf{B}&= \sum _{k} \chi _k \cdot B_k \oplus D_k \\&= \sum _{k} \chi _k (B'_k \varDelta _{\textsf{B}} \oplus \textsf{K}_\textsf{B} [a_k] \oplus \textsf{K}_\textsf{B} [\hat{a}_k] \oplus \varLambda _i \cdot \textsf{K}_\textsf{B} [a_j] \oplus \varLambda _j \cdot \textsf{K}_\textsf{B} [a_i]) \oplus D_k \\&= \sum _{k} \chi _k((\varLambda _i \cdot \varLambda _j \oplus \varLambda _k \oplus b_k \oplus \hat{b}_k \oplus \varLambda _i \cdot b_j \oplus \varLambda _j \cdot b_i) \cdot \varDelta _{\textsf{B}} \\&\quad \oplus \textsf{K}_\textsf{B} [a_k] \oplus \textsf{K}_\textsf{B} [\hat{a}_k] \oplus \varLambda _i \cdot \textsf{K}_\textsf{B} [a_j] \oplus \varLambda _j \cdot \textsf{K}_\textsf{B} [a_i]) \oplus D_k \\&= \sum _{k} \chi _k ((e_k \cdot \varDelta _{\textsf{B}}) \oplus \textsf{M}_\textsf{A} [a_k] \oplus \\&\textsf{M}_\textsf{A} [\hat{a}_k] \oplus \varLambda _i \cdot \textsf{M}_\textsf{A} [a_j] \oplus \varLambda _j \cdot \textsf{M}_\textsf{A} [a_i]) \oplus \varLambda _k \cdot A_{k,1} \oplus C_k \\&= \sum _{k} \chi _k e_k \cdot \varDelta _{\textsf{B}} \oplus \sum _k (\chi _k \cdot A_{k, 0} \oplus C_k) \oplus \sum _k \chi _k \cdot (\varLambda _i \cdot \textsf{M}_\textsf{A} [a_j] \oplus \varLambda _j \cdot \textsf{M}_\textsf{A} [a_i]) \oplus \\&\sum _k \varLambda _k \cdot A_{k,1} \hspace{5.0pt}. \end{aligned}$$

Now we claim that the term marked blue is zero. Recall that we define $ A_{k, 1}:= \sum _{ (i', j', k', \wedge ) \in \mathcal {C}} \chi _{k'} \cdot ( c_{k}^{i'} \cdot \textsf{M}_\textsf{A} [a_{j'}] \oplus c_{k}^{j'} \cdot \textsf{M}_\textsf{A} [a_{i'}] ) $ and ${\varvec{c}}_k^i$ is the public vector subject to $\sum _k c_k^i \cdot \varLambda _k = \varLambda _i$. Then by exchanging the summation order in the second part of the blue term, we can get the following result.

$$\begin{aligned} \sum _k \varLambda _k \cdot A_{k,1}&= \sum _k \varLambda _k \cdot ( \sum _{ (i', j', k', \wedge ) \in \mathcal {C}} \chi _{k'} \cdot ( c_{k}^{i'} \cdot \textsf{M}_\textsf{A} [a_{j'}] \oplus c_{k}^{j'} \cdot \textsf{M}_\textsf{A} [a_{i'}] ) ) \\&= \sum _{ (i', j', k', \wedge ) \in \mathcal {C}} \chi _{k'} \cdot \sum _k \varLambda _k \cdot ( c_{k}^{i'} \cdot \textsf{M}_\textsf{A} [a_{j'}] \oplus c_{k}^{j'} \cdot \textsf{M}_\textsf{A} [a_{i'}] ) \\&= \sum _{k'} \chi _{k'} \cdot \sum _k \varLambda _k \cdot c_{k}^{i'} \cdot \textsf{M}_\textsf{A} [a_{j'}] \oplus \sum _{k'} \chi _{k'} \cdot \sum _k \varLambda _k \cdot c_{k}^{j'} \cdot \textsf{M}_\textsf{A} [a_{i'}] \\&= \sum _{k'} \chi _{k'} \cdot \varLambda _{i'} \cdot \textsf{M}_\textsf{A} [a_{j'}] \oplus \sum _{k'} \chi _{k'} \cdot \varLambda {j'} \cdot \textsf{M}_\textsf{A} [a_{i'}] \hspace{5.0pt}. \end{aligned}$$

This implies that the blue term is actually zero. Therefore, we have that $h_\textsf{B} = h_\textsf{A} \oplus \sum _{k} \chi _k \cdot e_k$. Recall that $\chi _1,...,\chi _t$ are uniformly random. Suppose $e_k \ne 0$ for some AND gate $(i,j,k,\wedge )$ then except with probability $\frac{1}{2^{\rho }}$ we have $h_\textsf{A} \ne h_\textsf{B} $. In this case, suppose $\mathcal {A} $ sends a $h_\textsf{A} $ that passes the test, then it implies that $\varDelta _{\textsf{B}} = (h_\textsf{A} \oplus h_\textsf{B}) \cdot (\sum _{k} \chi _k \cdot e_k)^{-1}$. Since $\varDelta _{\textsf{B}}$ is uniformly random for $\mathcal {A} $ in the $\mathcal {F}_\mathsf {[}$ cpre]-hybrid model, this happens except with probability $2^{-\rho }$.

Using the union bound, we conclude that the soundness error of the consistency checking phase is bounded by $\frac{2}{2^{\rho }}$. $\square $

1.7 Proof of Theorem 3

In this subsection, we prove the security of the two-party computation protocol $\varPi _\textsf {[}$ 2PC-2way] in Fig. 9 that optimizes toward total communication complexity.

Proof

We first prove the security against a malicious ${\mathsf{P_{A}}} $ and then prove the case for a malicious ${\mathsf{P_{B}}} $. We first describe the simulator and then argue its effectiveness through a series of hybrid experiments.

Simulator ${\mathcal {S} _{\textsf{A}}} $ for malicious ${\mathsf{P_{A}}} $

1–3
During the simulation of $\mathcal {F}_\mathsf {[}$ cpre], $\mathcal {S} _{\textsf{A}}$ receives $\varDelta _{\textsf{A}}$, ${\varvec{a}}$, $\hat{{\varvec{a}}}$, $\textsf{M}_\textsf{A} [{\varvec{a}}]$, $\textsf{M}_\textsf{A} [\hat{{\varvec{a}}}]$, $\textsf{K}_\textsf{A} [{\varvec{b}}^*]$, $\textsf{K}_\textsf{A} [\hat{{\varvec{b}}}]$, and $ \mathcal{G}\mathcal{C} _\textsf{A} $ from ${{\mathcal {A} }} $ and locally records those values. Then, $\mathcal {S} _{\textsf{A}}$ internally samples $ {\varvec{b}}^*, \hat{{\varvec{b}}} $ and computes $\textsf{M}_\textsf{B} [{\varvec{b}}^*], \textsf{M}_\textsf{B} [\hat{{\varvec{b}}}]$ accordingly. Then, the wire masks $a_w, b_w$ for each wire w in the circuit are derived according to the protocol.
4.
$\mathcal {S} _{\textsf{A}}$ receives the masked wire values and labels $(\varLambda _w, \textsf{L} _{w, \varLambda _w})$ for each $w \in \mathcal {I} _\textsf{A} $ and extracts the input ${\varvec{x}}$ of ${{\mathcal {A} }} $ by computing $x_w:= \varLambda _w \oplus a_w$. $\mathcal {S} _{\textsf{A}}$ sends the extracted input ${\varvec{x}}$ to $\mathcal {F}_\mathsf {[} 2PC]$.
5.
$\mathcal {S} _{\textsf{A}}$ simulates the $\textsf{Fix}$ command using the all-zero input ${\varvec{y}}$ (i.e., $\tilde{\varLambda }_w = b_w$). Then, it receives $m_{w, 0}, m_{w, 1}$ for $w \in \mathcal {I} _\textsf{B} $ from $\mathcal {A} $ and computes $\textsf{L} _{w, \varLambda _w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{B} [\tilde{\varLambda }_{w}]) \oplus m_{w, \tilde{\varLambda }_w}$ for $w \in \mathcal {I} _\textsf{B} $.
6.
$\mathcal {S} _{\textsf{A}}$ simulates the $\textsf{Open}$ command and computes $\varLambda _w$ for $w \in \mathcal {I} _\textsf{B} $.
7.
$\mathcal {S} _{\textsf{A}}$ evaluates the garbled circuit using the information from previous simulation and derives the result $\{\varLambda _{w}, \textsf{L} _{w, \varLambda _{w}}\}$.
8.
$\mathcal {S} _{\textsf{A}}$ simulates the protocol $\varPi _\textsf {[}$ $\textsf{GCCheck}$ ] as follows.
1. (a)
  $\mathcal {S} _{\textsf{A}}$ samples a random challenge $\chi $ and sends it to ${{\mathcal {A} }} $.
2. (b)
  $\mathcal {S} _{\textsf{A}}$ locally computes $A_{k,0}, A_{k,1}$ from $\mathcal {A} $ ’s previous input to $\mathcal {F}_\mathsf {[}$ cpre].
3. (c)
  ${\mathcal {S} _{\textsf{A}}} $ receives the $G'_k$ messages from ${{\mathcal {A} }} $ and computes the $D_k$ values for each AND gate $(i,j,k,\wedge )$ as well as the $C_k$ values.
4. (d)
  ${\mathcal {S} _{\textsf{A}}} $ receives the tag ${\tilde{h}}_\textsf{A} $ from ${{\mathcal {A} }} $ and computes the $h_\textsf{A} $ value according to the protocol specification. Let $e_k$ be the error of the AND gate $(i,j,k,\wedge )$ defined as $e_k = (a_i \oplus b_i \oplus \varLambda _i) \cdot (a_j \oplus b_j \oplus \varLambda _j) \oplus (a_k \oplus b_k \oplus \varLambda _k)$. If ${\tilde{h}}_\textsf{A} \ne h_\textsf{A} $ or $e_k \ne 0$ for some k, then $\mathcal {S} _{\textsf{A}}$ sends $\textsf{abort}$ to $\mathcal {F}_\mathsf {[}$ 2PC]. Otherwise, it sends $\textsf{continue}$.
9.
$\mathcal {S} _{\textsf{A}}$ simulates the verification operation inside the $\textsf{Open}$ command. For $ w \in \mathcal {O} $, let $ {\tilde{a}}_w $ be the message that $\mathcal {A} $ sends in this step. If $ a_w \ne {\tilde{a}}_w$ for any $ w \in \mathcal {O} $ then $\mathcal {S} _{\textsf{A}}$ sends $\textsf{abort}$ to $\mathcal {F}_\mathsf {[}$ 2PC]. Otherwise, it sends $\textsf{continue}$.

Now consider the series of hybrids where the first one is the real protocol execution and the last one is the above simulated execution.

Hybrid 1 This is the real execution where ${\mathcal {S} _{\textsf{A}}} $ plays the role of an honest ${\mathsf{P_{B}}} $ using the actual input ${\varvec{y}}$.
Hybrid 2 In this hybrid, we simulate the $\textsf{Open}$ command as in the simulation described above, i.e., whenever $\mathcal {A} $ sends inconsistent messages $\mathcal {S} _{\textsf{A}}$ sends $\textsf{abort}$ to $\mathcal {F}_\mathsf {[}$ 2PC]. By the soundness of IT-MAC, $\mathbf {Hybrid_{1}}$ and $\mathbf {Hybrid_{2}}$ are $2^{-\rho }$-indistinguishable.
Hybrid 3 In this hybrid, we simulate the consistency checking in step 4 as in the step 8d in simulation above. Due to Lemma 11, $\mathbf {Hybrid_{2}}$ and $\mathbf {Hybrid_{3}}$ are $\frac{2}{2^\rho }$-indistinguishable.
Hybrid 4 In this hybrid, we change the input of $\mathsf P_{B}$ from ${\varvec{y}}$ to all zeros. Since in step 5 $\mathsf P_{B}$ ’s input is completely masked the view of $\mathcal {A} $ is not changed. As for the honest party’s output, due to Lemma 8 the probability that $\mathsf P_{B}$ aborts changes at most with probability $2^{-\rho }$. Therefore, $\mathbf {Hybrid_{3}}$ and $\mathbf {Hybrid_{4}}$ are $2^{-\rho }$-indistinguishable. This is exactly the ideal distribution.

Altogether, the ideal-world and real-world executions are $\frac{4}{2^\rho }$-indistinguishable in the corrupted ${\mathsf{P_{A}}} $ case.

Simulator ${\mathcal {S} _{\textsf{B}}} $ for malicious ${\mathsf{P_{B}}} $

1–2
During the simulation of $\mathcal {F}_\mathsf {[}$ cpre], $\mathcal {S} _{\textsf{B}}$ receives $\varDelta _{\textsf{B}}$, ${\varvec{b}}^*$, $\hat{{\varvec{b}}}$, $\textsf{M}[{\varvec{b}}^*]$, $\textsf{M}[\hat{{\varvec{b}}}]$, $\textsf{K}[{\varvec{a}}]$ and $\textsf{K}[\hat{{\varvec{a}}}]$ from ${{\mathcal {A} }} $ and locally records those values. Then, $\mathcal {S} _{\textsf{B}}$ internally samples $ {\varvec{a}}, \hat{{\varvec{a}}} $ and computes $\textsf{M}[{\varvec{a}}], \textsf{M}[\hat{{\varvec{a}}}]$ accordingly. Then, the wire masks $a_w, b_w$ for each wire w in the circuit are derived according to the protocol.
3.
$\mathcal {S} _{\textsf{B}}$ simulates the garbling phase by generating $\mathcal{G}\mathcal{C} _\textsf{A} $ and the active path (the labels to be acquired by $\mathcal {A} $) topologically as follows.
- For the input wires $w \in \mathcal {I} _\textsf{A} $, $\mathcal {S} _{\textsf{B}}$ defines $\varLambda _w = a_w $ (using all-zero inputs) and randomly samples $ \textsf{L} _{w, \varLambda _w} \leftarrow \mathbb {F}_{2^\kappa }$. Then, it samples $ \varLambda _w \leftarrow \mathbb {F}_2$ and $ \textsf{L} _{w, \varLambda _w} \leftarrow \mathbb {F}_{2^\kappa }$ for $w \in \mathcal {I} _\textsf{B} $.
- For an XOR gate $(i,j,k,\oplus )$, $\mathcal {S} _{\textsf{B}}$ defines $\varLambda _k = \varLambda _i \oplus \varLambda _j$ and $\textsf{L} _{k, \varLambda _k} = \textsf{L} _{i, \varLambda _i} \oplus \textsf{L} _{j, \varLambda _j}$.
- For an AND gate $(i,j,k,\wedge )$, $\mathcal {S} _{\textsf{A}}$ samples $\varLambda _k \leftarrow \mathbb {F}_2$ and generates $G_{k,0} \leftarrow \mathbb {F}_{2^\kappa }$, $G_{k,1} \leftarrow \mathbb {F}_{2^\kappa }$. Then, $\mathcal {S} _{\textsf{A}}$ evaluates $\textsf{L} _{k,\varLambda _k}$ according to the protocol specification in KRRW and defines $c_k = \textsf{ExtBit} (\textsf{L} _{k,\varLambda _k}) \oplus \varLambda _k$.
Finally, $\mathcal {S} _{\textsf{B}}$ sends the simulated $\mathcal{G}\mathcal{C} _\textsf{A} $ to $\mathcal {A} $ and locally defines $\textsf{M}_\textsf{B} [\varLambda _w]$ for $w \in \mathcal {W} $ using $\textsf{Eval}$.
4.
$\mathcal {S} _{\textsf{B}}$ sends $\varLambda _w, \textsf{L} _{w, \varLambda _w}$ for $w \in \mathcal {I} _\textsf{A} $ to $\mathcal {A} $.
5.
$\mathcal {S} _{\textsf{B}}$ simulates the $\textsf{Fix}$ command, extracts the input $ y_w = \varLambda _w' \oplus b_w $, and sends it to $\mathcal {F}_\mathsf {[}$ 2PC]. Then, $\mathcal {S} _{\textsf{B}}$ generates the input messages $m_{w, \varLambda _w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{B} [\tilde{\varLambda }_w], w \Vert 0) \oplus \textsf{L} _{w, \varLambda _w} $ and $m_{\bar{\varLambda }_w} \leftarrow \mathbb {F}_{2^\kappa }$ and sends them to $\mathcal {A} $.
6.
$\mathcal {S} _{\textsf{B}}$ simulates the $\textsf{Open}$ command by opening the corrected input mask $\tilde{\varLambda }_w \oplus \varLambda _w$ for $w \in \mathcal {I} _\textsf{B} $.
7.
We don’t need to simulate this step since it’s noninteractive.
8.
$\mathcal {S} _{\textsf{B}}$ simulates the protocol $\varPi _\textsf {[}$ $\textsf{GCCheck}$ ] as follows:
1. (a)
  $\mathcal {S} _{\textsf{B}}$ receives the random challenge $\chi $ from $\mathcal {A} $
2. (b)
  $\mathcal {S} _{\textsf{B}}$ locally computes $B_k$ for each AND gate $(i,j,k,\wedge )$.
3. (c)
  $\mathcal {S} _{\textsf{B}}$ samples $G'_k \leftarrow \mathbb {F} _{2^\rho } $ for each AND gate $(i,j,k,\wedge )$ and sends them to $\mathsf P_{B}$. Then, it locally evaluates $D_k$ according to the protocol specification.
4. (d)
  $\mathcal {S} _{\textsf{B}}$ computes $h_\textsf{B} = \sum _k \chi _k \cdot B^k \oplus D_k$ and sends it to $\mathcal {A} $.
9.
If the previous step does not abort, then $\mathcal {S} _{\textsf{B}}$ receives the correct output $z_w$ from $\mathcal {F}_\mathsf {[}$ 2PC] for $w \in \mathcal {O} $. Then, $\mathcal {S} _{\textsf{B}}$ sends the corrected MAC tag $\textsf{M}_\textsf{A} [a_w] \oplus (z^0_w \oplus z_w) \cdot \varDelta _{\textsf{B}}$ to $\mathcal {A} $, simulating the $\textsf{Open}$ command. Here, ${\varvec{z}}^0$ denotes the output value of $\mathcal {C} (0, {\varvec{y}})$.

Hybrid 1 This is the real execution where $\mathcal {S} _{\textsf{B}}$ plays the role of an honest ${\mathsf{P_{A}}} $ using the actual input ${\varvec{x}}$.
Hybrid 2 In this hybrid, we generate the masked bits $\varLambda _w$ for $w \in \mathcal {I} _\textsf{B} $ as in the simulation above, i.e., by first sampling $\varLambda _w \leftarrow \mathbb {F}_2$ and then opening the corrected mask $a_w \oplus \varLambda _w \oplus \varLambda '_w$. Since $a_w$ is uniformly random in the view of $\mathcal {A} $, $\mathbf {Hybrid_{1}}$ and $\mathbf {Hybrid_{2}}$ are identically distributed.
Hybrid 3 In this hybrid, we make explicit the usage of the honest party’s secret $\varDelta _{\textsf{A}}$ and mark them in blue. In particular,
- In step 5 $\mathcal {S} _{\textsf{B}}$ generates $m_{w,\varLambda _w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{B} [\tilde{\varLambda }_w], w \Vert 0) \oplus \textsf{L} _{w, \varLambda _w}$ and $m_{w, \bar{\varLambda }_w} = \textsf{H} _{\textsf{tcr}} (\textsf{M}_\textsf{B} [\tilde{\varLambda }_w] \oplus \Gamma _\textsf{B}, w \Vert 0) \oplus \varDelta _{\textsf{A}}$ $\oplus \, \textsf{L} _{w, \varLambda _w}$ for $w \in \mathcal {I} _\textsf{B} $.
- In step 3 of Fig. 9$\mathcal {S} _{\textsf{B}}$ generates each gate in the garbled circuit $\mathcal{G}\mathcal{C} _\textsf{A} $ as follows. The XOR gates are garbled as usual, while the AND gates are garbled as $G_{k,0} = \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{i, \varLambda _i}, k \Vert 00) \oplus \textsf{K}[b_j] \oplus \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{i, \varLambda _i} \oplus \varDelta _{\textsf{A}}, k \Vert 00 ) \oplus a_j \cdot \varDelta _{\textsf{A}} $ and $G_{k,1} = \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{j, \varLambda _j}, k \Vert 01) \oplus \textsf{K}[b_i] \oplus \textsf{L} _{i, \varLambda _i} \oplus \textsf{H} _{\textsf{ccrnd}}(\textsf{L} _{j, \varLambda _j} \oplus \varDelta _{\textsf{A}}, k \Vert 01) \oplus (a_i \oplus \varLambda _i) \cdot \varDelta _{\textsf{A}} $ while the output label $\textsf{L} _{k, \varLambda _k}$ is derived using the $\textsf{Eval}$ algorithm.
- In step 3 of Fig. 10, $\mathcal {S} _{\textsf{B}}$ computes $G'_k = \textsf{H} _{\textsf{ccrnd}}' ( \textsf{L} _{k, \varLambda _k}, k \Vert 2 ) \oplus A_{k, 1} \oplus \textsf{H} _{\textsf{ccrnd}}' ( \textsf{L} _{k, \varLambda _k} \oplus \varDelta _{\textsf{A}}, k \Vert 2 )$.
Both changes all make no difference to the view of the adversary since we just rewrite the hash function inputs. Therefore, $\mathbf {Hybrid_{2}}$ and $\mathbf {Hybrid_{3}}$ are identically distributed.
Hybrid 4 In this hybrid, we replace the first blue term in $\mathbf {Hybrid_{3}}$ with uniformly random values. Due to the tweakable correlation robust property of $\textsf{H} _{\textsf{tcr}}$, the two hybrids are $\epsilon _\textsf{tcr} $-indistinguishable.
Hybrid 5 In this hybrid, we replace the second and the third blue values in $\mathbf {Hybrid_{3}}$ with uniformly random values. Due to the circular correlation robust under naturally derived keys property of $\textsf{H} _{\textsf{ccrnd}}$, the two hybrids are $\epsilon _\textsf{ccrnd} $-indistinguishable.
Hybrid 6 In this hybrid, we change the input of $\mathsf P_{A}$ from ${\varvec{x}}$ to all zeros. Since in step 4 $\mathsf P_{A}$ ’s input is completely masked the view of $\mathcal {A} $ is not changed. As for the honest party’s output, due to Lemma 8 the probabilities that $ \exists w \in \mathcal {W}, e_w = 0$ under any pair of input values differ changes at most with probability $2^{-\rho }$. Therefore, $\mathbf {Hybrid_{4}}$ and $\mathbf {Hybrid_{5}}$ are $2^{-\rho }$-indistinguishable. This is exactly the ideal distribution.

Therefore, the ideal-world and real-world executions are $\epsilon _\textsf{tcr} + \epsilon _\textsf{ccrnd} + 2^{-\rho }$-indistinguishable in the corrupted ${\mathsf{P_{A}}} $ case.

Altogether, the ideal-world and real-world executions are indistinguishable in the corrupted ${\mathsf{P_{B}}} $ case. This implies that the protocol $\varPi _\textsf {[} 2PC\text{- }2way]$ shown in Fig. 9 securely realizes $\mathcal {F}_\mathsf {[} 2PC]$ against malicious adversary in the $\mathcal {F}_\mathsf {[} cpre],\mathcal {F}_\mathsf {[} COT]$-hybrid model. $\square $

Construction of Distributed Garbling Schemes

In this section, we recall the constructions of two distributed garbling schemes.

1.1 KRRW Distributed Garbling

We recall the distributed half-gates garbling scheme by Katz et al. [33]. Let $\textsf{H}: {{\{0,1\}}^{\kappa }} \times {{\{0,1\}}^{\kappa }} \rightarrow {{\{0,1\}}^{\kappa }} $ be a hash function and $\varDelta _{\textsf{A}} \in {{\{0,1\}}^{\kappa }} $ be the global key held by $\mathsf P_{A}$.

${\textsf{Garble}} (\mathcal {C})$:
1. 1.
  For each circuit-input wire $w \in \mathcal {I} $, $\mathsf P_{A}$ samples $\textsf{L} _{w, 0} \leftarrow \mathbb {F} _2^\kappa $ and sets $\textsf{L} _{w, 1}:= \textsf{L} _{w, 0} \oplus \varDelta _\textsf{A}$.
2. 2.
  Process the gates topologically. For each XOR gate ($i, j, k, \oplus $), $\mathsf P_{A}$ sets $\textsf{L} _{k, 0}:= \textsf{L} _{i, 0} \oplus \textsf{L} _{j, 0}$ and $\textsf{L} _{k, 1}:= \textsf{L} _{i, 0} \oplus \varDelta _\textsf{A}$. For each AND gate ($i, j, k, \wedge $), $\mathsf P_{A}$ computes
  $$\begin{aligned} G_{k,0}^{(\textsf{A})}&:= \textsf{H} (\textsf{L} _{i, 0}, k \Vert 0 ) \oplus \textsf{H} (\textsf{L} _{i, 1}, k \Vert 0) \oplus a_{j} \varDelta _\textsf{A} \oplus \textsf{K}_{\textsf{A}}[b_j] \hspace{5.0pt}, \\ G_{k,1}^{(\textsf{A})}&:= \textsf{H} (\textsf{L} _{j, 0}, k \Vert 1) \oplus \textsf{H} (\textsf{L} _{j, 1}, k \Vert 1) \oplus a_i \varDelta _\textsf{A} \oplus \textsf{K}_{\textsf{A}}[b_i] \oplus \textsf{L} _{i, 0} \hspace{5.0pt}, \\ \textsf{L} _{k,0}&:= \textsf{H} (\textsf{L} _{i, 0}, k \Vert 0) \oplus \textsf{H} (\textsf{L} _{j, 0}, k \Vert 1) \oplus (a_k \oplus {\hat{a}}_k) \varDelta _\textsf{A} \oplus \textsf{K}_{\textsf{A}}[b_k] \oplus \textsf{K}_{\textsf{A}}[{\hat{b}}_k] \hspace{5.0pt}. \end{aligned}$$
  We also define $\textsf{L} _{k, 1}:= \textsf{L} _{k, 0} \oplus \varDelta _\textsf{A}$ and $c_k:= \textsf{ExtBit} (\textsf{L} _{k, 0})$ where $\textsf{ExtBit} $ is a bit selection normally instantiated by $\textsf{lsb} $.
3. 3.
  $\mathsf P_{A}$ outputs $\{\textsf{L} _{w, 0}, \textsf{L} _{w, 1}\}_{w \in \mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B} \cup \mathcal {W} \cup \mathcal {O}}$ and $\mathcal{G}\mathcal{C} _\textsf{A} = \{G_{w, 0}^{(\textsf{A})}, G_{w, 1}^{(\textsf{A})}, c_w\}_{w \in \mathcal {W}}$.
4. 4.
  For each $(i,j,k,\wedge ) \in \mathcal {W} $, $\mathsf P_{B}$ defines
  $$\begin{aligned} G_{k,0}^{(\textsf{B})}&:= \textsf{M}_{\textsf{B}}[b_j]\hspace{5.0pt},\\ G_{k, 1}^{(\textsf{B})}&:= \textsf{M}_{\textsf{B}}[b_i]\hspace{5.0pt}. \end{aligned}$$
5. 5.
  $\mathsf P_{B}$ outputs $\mathcal{G}\mathcal{C} _\textsf{B} = \{ G_{w,0}^{(\textsf{B})}, G_{w, 1}^{(\textsf{B})} \}_{w \in \mathcal {W}}$.
${\textsf{Eval}} (\mathcal{G}\mathcal{C} _\textsf{A}, \mathcal{G}\mathcal{C} _\textsf{B}, \{(\varLambda _w, \textsf{L} _{w, \varLambda _w})\}_{w \in \mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B}})$:
1. 1.
  $\mathsf P_{B}$ processes the gates topologically. For each XOR gate ($i, j, k, \oplus $) define $\varLambda _k:= \varLambda _i \oplus \varLambda _j$ and $\textsf{L} _{k, \varLambda _k}:= \textsf{L} _{i, \varLambda _i} \oplus \textsf{L} _{j, \varLambda _j}$.
2. 2.
  For each AND gate ($i, j, k, \wedge $) compute the output label
  $$\begin{aligned} G_{w, 0}&:= G_{w, 0}^{(\textsf{A})} \oplus G_{w, 0}^{(\textsf{B})} \\ G_{w, 1}&:= G_{w, 1}^{(\textsf{A})} \oplus G_{w, 1}^{(\textsf{B})} \oplus \textsf{L} _{i, \varLambda _w} \\ \textsf{L} _{k, \varLambda _k}&:= \textsf{H} (\textsf{L} _{i, \varLambda _i}, k \Vert 0) \oplus \textsf{H} (\textsf{L} _{j, \varLambda _j}, k \Vert 1) \oplus \textsf{M}_{\textsf{B}}[b_k] \oplus \textsf{M}_{\textsf{B}}[{\hat{b}}_k] \\&\qquad \oplus \varLambda _i (G_{k, 0} \oplus \textsf{M}_{\textsf{B}}[b_j]) \oplus \varLambda _j (G_{k, 1} \oplus \textsf{M}_{\textsf{B}}[b_i] \oplus \textsf{L} _{i, \varLambda _i}) \hspace{5.0pt}, \end{aligned}$$
  and the public value $\varLambda _k:= \textsf{ExtBit} (\textsf{L} _{k, \varLambda _k}) \oplus c_k$.
3. 3.
  Output $\{( \varLambda _w, \textsf{L} _{w, \varLambda _w} )\}_{w \in \mathcal {W} \cup \mathcal {O}}$.

1.2 WRK Distributed Garbling with Optimization

We recall the optimized WRK distributed garbling scheme by Dittmer et al. [19]. Let $\textsf{H}: {{\{0,1\}}^{\kappa }} \times {{\{0,1\}}^{\kappa }} \rightarrow {{\{0,1\}}^{\kappa }} $ and $ \textsf{H} ': {{\{0,1\}}^{\kappa }} \times {{\{0,1\}}^{\kappa }} \rightarrow {{\{0,1\}}^{\rho }} $ be two hash functions, and $\varDelta _{\textsf{A}} \in \mathbb {F} _{2^\kappa }, \varDelta _{\textsf{B}} \in \mathbb {F} _{2^\rho } $ be the global keys held by $\mathsf P_{A}$ and $\mathsf P_{B}$, respectively.

${\textsf{Garble}} (\mathcal {C})$:
1. 1.
  For each circuit-input wire $w \in \mathcal {I} $, $\mathsf P_{A}$ samples $\textsf{L} _{w, 0} \leftarrow \mathbb {F} _2^\kappa $ and sets $\textsf{L} _{w, 1}:= \textsf{L} _{w, 0} \oplus \varDelta _\textsf{A}$.
2. 2.
  Process the gates topologically. For each XOR gate $(i, j, k, \oplus )$, $\mathsf P_{A}$ computes $\textsf{L} _{k, 0}:= \textsf{L} _{i, 0} \oplus \textsf{L} _{j, 0}$ and $\textsf{L} _{k, 1}:= \textsf{L} _{i, 0} \oplus \varDelta _\textsf{A}$. For each AND gate $(i, j, k, \wedge )$, $\mathsf P_{A}$ computes
  $$\begin{aligned} G_{k,0}^{(\textsf{A})}&:= \textsf{H} (\textsf{L} _{i, 0}, k \Vert 0) \oplus \textsf{H} (\textsf{L} _{i, 1}, k \Vert 0) \oplus a_{j} \varDelta _\textsf{A} \oplus \textsf{K}_{\textsf{A}}[b_j] \hspace{5.0pt}, \\ G_{k,1}^{(\textsf{A})}&:= \textsf{H} (\textsf{L} _{j, 0}, k \Vert 1) \oplus \textsf{H} (\textsf{L} _{j, 1}, k \Vert 1) \oplus a_i \varDelta _\textsf{A} \oplus \textsf{K}_{\textsf{A}}[b_i] \oplus \textsf{L} _{i, 0} \hspace{5.0pt}, \\ \textsf{L} _{k,0}&:= \textsf{H} (\textsf{L} _{i, 0}, k \Vert 0) \oplus \textsf{H} (\textsf{L} _{j, 0}, k \Vert 1) \oplus (a_k \oplus {\hat{a}}_k) \varDelta _\textsf{A} \oplus \textsf{K}_{\textsf{A}}[b_k] \oplus \textsf{K}_{\textsf{A}}[{\hat{b}}_k] \hspace{5.0pt}, \\ G_{k,0}^{\prime (\textsf{A})}&:= \textsf{H} '(\textsf{L} _{i, 0}, k \Vert 0) \oplus \textsf{H} '(\textsf{L} _{i, 1}, k \Vert 0) \oplus \textsf{M}_{\textsf{A}}[a_k] \oplus \textsf{M}_{\textsf{A}}[\hat{a}_k] \hspace{5.0pt}, \\ G_{k,1}^{\prime (\textsf{A})}&:= \textsf{H} '(\textsf{L} _{i, 0}, k \Vert 1) \oplus \textsf{H} '(\textsf{L} _{i, 1}, k \Vert 1) \oplus \textsf{M}_{\textsf{A}}[a_j] \hspace{5.0pt}, \\ G_{k,2}^{\prime (\textsf{A})}&:= \textsf{H} '(\textsf{L} _{j, 0}, k \Vert 0) \oplus \textsf{H} '(\textsf{L} _{j, 1}, k \Vert 1) \oplus \textsf{M}_{\textsf{A}}[a_i] \hspace{5.0pt}. \end{aligned}$$
  We also define $\textsf{L} _{k, 1}:= \textsf{L} _{k, 0} \oplus \varDelta _\textsf{A}$.
3. 3.
  $\mathsf P_{A}$ outputs $\{\textsf{L} _{w, 0}, \textsf{L} _{w, 1}\}_{w \in \mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B} \cup \mathcal {W} \cup \mathcal {O}}$ and
  $$\begin{aligned} \mathcal{G}\mathcal{C} _\textsf{A} = \{G_{w, 0}^{(\textsf{A})}, G_{w, 1}^{(\textsf{A})}, G_{k,0}', G_{k,1}', G_{k,2}' \}_{w \in \mathcal {W}} \hspace{5.0pt}. \end{aligned}$$
4. 4.
  For each $(i,j,k,\wedge ) \in \mathcal {W} $, $\mathsf P_{B}$ defines
  $$\begin{aligned} G_{k,0}^{(\textsf{B})}&:= \textsf{M}_{\textsf{B}}[b_j]\hspace{5.0pt},\\ G_{k,1}^{(\textsf{B})}&:= \textsf{M}_{\textsf{B}}[b_i]\hspace{5.0pt},\\ G_{k,0}^{\prime ,(\textsf{B})}&:= \textsf{K}_{\textsf{B}}[a_k] \oplus \textsf{K}_{\textsf{B}}[\hat{a}_k] \hspace{5.0pt},\\ G_{k,1}^{\prime ,(\textsf{B})}&:= \textsf{K}_{\textsf{B}}[a_j]\hspace{5.0pt},\\ G_{k,2}^{\prime ,(\textsf{B})}&:= \textsf{K}_{\textsf{B}}[a_i] \hspace{5.0pt}. \end{aligned}$$
5. 5.
  $\mathsf P_{B}$ outputs $\mathcal{G}\mathcal{C} _\textsf{B} = \{ G_{w,0}^{(\textsf{B})}, G_{w, 1}^{(\textsf{B})}, G_{k,0}^{\prime ,(\textsf{B})}, G_{k,1}^{\prime ,(\textsf{B})}, G_{k,2}^{\prime ,(\textsf{B})} \}_{w \in \mathcal {W}}$.
${\textsf{Eval}} (\mathcal{G}\mathcal{C} _\textsf{A}, \mathcal{G}\mathcal{C} _\textsf{B}, \{(\varLambda _w, \textsf{L} _{w, \varLambda _w})\}_{w \in \mathcal {I} _\textsf{A} \cup \mathcal {I} _\textsf{B}})$:
1. 1.
  $\mathsf P_{B}$ processes the gates topologically. For each XOR gate ($i, j, k, \oplus $) define $\varLambda _k:= \varLambda _i \oplus \varLambda _j$ and $\textsf{L} _{k, \varLambda _k}:= \textsf{L} _{i, \varLambda _i} \oplus \textsf{L} _{j, \varLambda _j}$.
2. 2.
  For each AND gate ($i, j, k, \wedge $), $\mathsf P_{B}$ first recovers the garbled table as:
  $$\begin{aligned} G_{w, 0}&:= G_{w, 0}^{(\textsf{A})} \oplus G_{w, 0}^{(\textsf{B})} \\ G_{w, 1}&:= G_{w, 1}^{(\textsf{A})} \oplus G_{w, 1}^{(\textsf{B})} \oplus \textsf{L} _{i, \varLambda _w} \\ G'_{w,0}&:= G_{w,0}^{\prime (\textsf{A})} \oplus G_{w,0}^{\prime (\textsf{B})} \\ G'_{w,1}&:= G_{w,1}^{\prime (\textsf{A})} \oplus G_{w,1}^{\prime (\textsf{B})} \\ G'_{w,2}&:= G_{w,2}^{\prime (\textsf{A})} \oplus G_{w,2}^{\prime (\textsf{B})} \hspace{5.0pt}, \end{aligned}$$
  Then $\mathsf P_{B}$ computes the label and masked wire value of the AND gate output wire as follows. Notice that if the value $(\textsf{H} '(\textsf{L} _{i, \varLambda _i}, k \Vert 0) \oplus \textsf{H} '(\textsf{L} _{j, \varLambda _j}, k \Vert 1) \oplus G'_{w, 0} \oplus \varLambda _i G'_{w, 1} \oplus \varLambda _j G'_{w, 2}) \cdot \varDelta _{\textsf{B}}^{-1}\not \in \mathbb {F}_2$ then $\mathsf P_{B}$ aborts.
  $$\begin{aligned} \textsf{L} _{k, \varLambda _k}&:= \textsf{H} (\textsf{L} _{i, \varLambda _i}, k \Vert 0) \oplus \textsf{H} (\textsf{L} _{j, \varLambda _j}, k \Vert 1) \oplus \textsf{M}_{\textsf{B}}[b_k] \oplus \textsf{M}_{\textsf{B}}[{\hat{b}}_k] \\&\qquad \oplus \varLambda _i (G_{k, 0} \oplus \textsf{M}_{\textsf{B}}[b_j]) \oplus \varLambda _j (G_{k, 1} \oplus \textsf{M}_{\textsf{B}}[b_i] \oplus \textsf{L} _{i, \varLambda _i}) \hspace{5.0pt},\\ \varLambda _k&:= b_k \oplus \hat{b}_k \oplus \varLambda _i b_j \oplus \varLambda _j b_i \oplus \varLambda _i \varLambda _j \\&\qquad \oplus (\textsf{H} '(\textsf{L} _{i, \varLambda _i}, k \Vert 0) \oplus \textsf{H} '( \textsf{L} _{j, \varLambda _j}, k \Vert 1 ) \\&\qquad \oplus G'_{w, 0} \oplus \varLambda _i G'_{w, 1} \oplus \varLambda _j G'_{w, 2}) \cdot \varDelta _{\textsf{B}}^{-1}\hspace{5.0pt}. \end{aligned}$$
3. 3.
  $\mathsf P_{B}$ outputs $\{\textsf{L} _{w, \varLambda _w}, \varLambda _w\}_{w \in \mathcal {W} \cup \mathcal {O}}$.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Cui, H., Wang, X., Yang, K. et al. Actively Secure Half-Gates with Minimum Overhead under Duplex Networks. J Cryptol 38, 19 (2025). https://doi.org/10.1007/s00145-025-09539-4

Download citation

Received: 04 August 2023
Revised: 20 December 2024
Accepted: 29 January 2025
Published: 26 February 2025
DOI: https://doi.org/10.1007/s00145-025-09539-4

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Actively Secure Half-Gates with Minimum Overhead under Duplex Networks

Abstract

Similar content being viewed by others

Actively Secure Half-Gates with Minimum Overhead Under Duplex Networks

Efficient Multi-party Computation: From Passive to Active Security via Secure SIMD Circuits

Communication-Efficient (Client-Aided) Secure Two-Party Protocols and Its Application

1 Introduction

1.1 Our Contribution

2 Preliminaries

2.1 Notation

2.2 Hash Functions

Definition 1

Definition 2

2.3 Information-Theoretic Message Authentication Codes

2.3.1 Batch Opening of Authenticated Values

Lemma 1

Proof

2.4 Correlated Oblivious Transfer

2.5 Designated-Verifier Zero-Knowledge Proofs

2.6 \((m,L)\)-Independent Matrix

Definition 3

Lemma 2

3 Technical Overview

3.1 Overview of the State-of-the-Art Solution

3.2 Our Solution for Generating Authenticated AND Triples

3.3 Our Solution for Dual Execution without Leakage

3.4 Optimization Toward Minimal Total Communication

3.5 Adaptive Security Without Random Oracle

4 Preprocessing with Compressed Wire Masks

4.1 Dual-Key Authentication

Definition 4

Claim

Lemma 3

4.2 Global-Key Sampling

Lemma 4

Proof

4.3 Consistency Check Between Values and MAC Tags

Lemma 5

Lemma 6

Lemma 7

4.4 Circuit Dependent Compressed Preprocessing

Theorem 1

5 Authenticated Garbling from COT

5.1 Distributed Garbling

Definition 5

Lemma 8

Lemma 9

Proof

5.2 A Dual-Execution Protocol Without Leakage

5.3 Security Analysis

Lemma 10

Theorem 2

6 Optimization Toward Two-Way Communication

6.1 Security Analysis

Lemma 11

Theorem 3

Notes

Abbreviations

References

Funding

Author information

Authors and Affiliations

Corresponding authors

Additional information

Publisher's Note

Appendices

Security Model and Functionalities

1.1 Security Model

1.2 The Equality-Check Functionality

1.3 The Coin-Tossing Functionality

Proofs of Security

1.1 Proof of Lemma 2

Proof

1.2 Proof of Lemma 6

Proof

1.3 Proof of Theorem 1

Proof

1.4 Proofs of Security Lemmas in Dual Execution

Proof of Lemma 8

Proof of Lemma 10