Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose

Yan Huang, Jonathan Katz, David Evans

Dept. of Computer Science, University of Maryland. This work was supported by DARPA and NSF awards # and #. Email: {jkatz,yhuang}@cs.umd.edu
Dept. of Computer Science, University of Virginia. This work was supported by AFOSR and NSF award #. Email: evans@cs.virginia.edu

Abstract

Beginning with the work of Lindell and Pinkas, researchers have proposed several protocols for secure two-party computation based on the cut-and-choose paradigm. In existing instantiations of this paradigm, one party generates $\kappa$ garbled circuits; some fraction of those are checked by the other party, and the remaining fraction are evaluated. We introduce here the idea of symmetric cut-and-choose protocols, in which both parties generate $\kappa$ circuits to be checked by the other party. The main advantage of our technique is that $\kappa$ can be reduced by a factor of 3 while attaining the same statistical security level as in prior work. Since the number of garbled circuits dominates the costs of the protocol, especially as larger circuits are evaluated, our protocol is expected to run up to 3 times faster than existing schemes. Preliminary experiments validate this claim.

1 Introduction

Secure two-party computation was shown to be feasible in the late 1980s [35, 8]. But it is only in the past 10 years that the research community has devoted significant efforts toward making such protocols practical. Work in this direction was spurred by the Fairplay paper [25], which gave an implementation of Yao's protocol for two-party computation with security in the semi-honest setting. More recent work [10, 12, 11] has shown that Yao's protocol (sometimes in combination with other techniques) can be surprisingly efficient when semi-honest security is sufficient.

More desirable, of course, is to achieve security against malicious adversaries. While this is known to be feasible, in principle, using generic zero knowledge [8], a generic approach of this sort does not currently seem likely to result in efficient protocols even if specialized zero-knowledge proofs (as suggested in [15]) are used. The first technique to be explored for making efficient two-party computation protocols secure against malicious adversaries was the cut-and-choose paradigm. In that approach, roughly speaking, one party generates $\kappa$ garbled circuits (where $\kappa$ is a statistical security parameter); some fraction of those are checked by the other party, who aborts if any misbehavior is detected, and the remaining fraction are evaluated, with the results being used to derive the final output (we return to the exact mechanism for doing so in the next section). Cut-and-choose was used in a relatively naive way in [25] to give inverse-polynomial security. (In fact, the approach taken was later shown to be flawed [26, 16].) A rigorous analysis of the cut-and-choose paradigm was first given by Lindell and Pinkas [21], and their work was followed by numerous others exploring variations of this technique and their application to (ever more) efficient secure two-party computation [34, 24, 30, 32, 23, 33, 18].

In parallel with the above, other efficient approaches to achieving full malicious security in the two-party setting have also been explored. Approaches based on the IPS compiler [14] appear to have good asymptotic complexity [20], but seem challenging to implement (indeed, we are not aware of any implementations); other approaches [29, 5, 4] have round complexity proportional to the depth of the circuit being evaluated. Another direction is to explore weaker security guarantees [1, 26, 13], still against arbitrary malicious behavior. In the remainder of this paper we restrict our attention to protocols achieving the strongest notion of malicious security.

The critical question regarding the cut-and-choose approach is: how many garbled-circuit copies (namely, $\kappa$) are needed to ensure some desired security level? The value of $\kappa$ has the greatest impact on the efficiency of cut-and-choose protocols, especially as larger circuits $C$ are evaluated. The computational/communication complexity of such protocols is $O(\kappa k |C|) + \mathrm{poly}(n, k, s)$, where $k$ is a cryptographic security parameter and $n$ is the input length. Since $|C| \gg k, n$ (typical values are $k \approx 128$ and $n < 1000$, while $|C| \approx 10^9$ in [18]), the importance of minimizing $\kappa$ is clear.

1.1 Prior Work

In previous applications of the cut-and-choose paradigm, one party (say, $P_1$) acts as the garbled-circuit generator and the other ($P_2$) acts as the garbled-circuit evaluator; assume for simplicity that only $P_2$ gets output. If the oblivious-transfer (OT) protocol used is secure against malicious adversaries, then the main issue is to ensure correctness of $P_2$'s output. (Note, however, that correctness is closely connected with privacy, since $P_1$ can potentially carry out a selective failure attack in which the output of $P_2$ is correlated with $P_2$'s input, in a way which would not be possible in an ideal evaluation of the function.) Toward that end, $P_2$ checks some number $c$ out of the $\kappa$ garbled circuits generated by $P_1$ to make sure they were constructed correctly. Assuming they were, the remaining $\kappa - c$ garbled circuits are evaluated by $P_2$, who then outputs the majority value of those circuits' results on each output wire. (This informal description omits other checks that must also be performed, since we wish to focus on the cut-and-choose aspect of the protocols.)

From the above we see that a malicious $P_1$ can successfully cheat if they generate $b$ bad garbled circuits and (1) none of those bad garbled circuits is among the $c$ garbled circuits checked by $P_2$, and (2) of the remaining $\kappa - c$ garbled circuits being evaluated, half or more are bad. Doing the analysis, prior work [21, 23] culminating in the work of Shelat and Shen [33] shows that using $\kappa$ garbled circuits yields security level $2^{-0.32\kappa}$. Moreover, this bound was shown to be the best possible for a certain class of cut-and-choose approaches [33].

1.2 Our Contribution

We recast the cut-and-choose approach in a symmetric setting, where each party generates $\kappa$ garbled circuits to be checked by the other party. In doing so, we are motivated by work of Mohassel and Franklin [26] (see also [13]) who show how symmetric creation/evaluation of garbled circuits (but without any cut-and-choose) can be used to achieve security with only one bit of disallowed leakage against malicious adversaries. Here we show how to extend their approach to achieve the standard (i.e., "full") notion of malicious security.
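To make the counting behind Section 1.1 and the symmetric rule of Section 1.2 concrete, the following Python is an added example (not code from the paper). It models the one-sided rule exactly as stated above (a cheater with $b$ bad circuits wins iff none is checked and at least half of the evaluated circuits are bad) and the symmetric rule described below (a cheater wins only if every evaluated circuit is bad and none is checked), then searches over the number of check circuits $c$ and over $\kappa$ for a target security level. The optimisation over $c$ and the function names are the example's own; the paper fixes $c = \kappa/2$ for the symmetric case.

```python
from math import comb, log2


def one_sided_cheat_prob(kappa: int, c: int) -> float:
    """Best cheating probability for a malicious generator under the one-sided
    rule of Section 1.1: P2 checks c of the kappa circuits and takes the majority
    of the kappa - c evaluated ones.  With b bad circuits the cheater wins iff no
    bad circuit is checked and at least half of the evaluated ones are bad, so the
    cheater's best b is the smallest one with b >= (kappa - c) / 2."""
    evaluated = kappa - c
    b = (evaluated + 1) // 2                       # ceil(evaluated / 2)
    # Pr[none of b fixed circuits lands among the c checked] = C(kappa-b, c) / C(kappa, c)
    return comb(kappa - b, c) / comb(kappa, c)


def symmetric_cheat_prob(kappa: int, c: int, b: int) -> float:
    """Cheating probability under the symmetric rule of Section 1.2 with b bad
    circuits.  The honest party's own circuits are all correct, so a wrong output
    needs every evaluated circuit of the cheater to be bad: b == kappa - c, with
    none of them checked.  Any other b is either caught or harmless."""
    if b != kappa - c:
        return 0.0
    return comb(kappa - b, c) / comb(kappa, c)     # equals 1 / C(kappa, c)


def best_c(kappa: int, rule) -> tuple:
    """Number of check circuits that minimises the cheater's best success
    probability under the given rule; returns (c, probability)."""
    return min(((c, rule(kappa, c)) for c in range(1, kappa)), key=lambda cp: cp[1])


def one_sided_best(kappa: int) -> tuple:
    return best_c(kappa, one_sided_cheat_prob)


def symmetric_best(kappa: int) -> tuple:
    return best_c(kappa, lambda k, c: symmetric_cheat_prob(k, c, k - c))


def min_kappa(target_bits: int, best) -> int:
    """Smallest kappa whose optimal cheating probability is at most 2^-target_bits."""
    kappa = 2
    while best(kappa)[1] > 2.0 ** -target_bits:
        kappa += 1
    return kappa


def security_bits(prob: float) -> float:
    return -log2(prob)


if __name__ == "__main__":
    for kappa in (40, 80, 125):
        c1, p1 = one_sided_best(kappa)
        c2, p2 = symmetric_best(kappa)
        print(f"kappa={kappa:3d}: one-sided c={c1:3d} -> {security_bits(p1):5.1f} bits, "
              f"symmetric c={c2:3d} -> {security_bits(p2):5.1f} bits")
    print("kappa for 2^-40:", min_kappa(40, symmetric_best), "(symmetric) vs",
          min_kappa(40, one_sided_best), "(one-sided)")
```

For a $2^{-40}$ target the search returns $\kappa = 44$ under the symmetric rule (the $\binom{\kappa}{\kappa/2}^{-1}$ bound loses only $O(\log \kappa)$ bits) and a value roughly three times larger under the one-sided rule, which is the factor the paper's abstract refers to.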

After checking each other's garbled circuits, each party in our protocol evaluates the remaining garbled circuits of the other party, and then the results of both parties' evaluations are securely combined to yield the final output. Informally, a party outputs a value $v$ for some output wire of the circuit if and only if at least one of their own garbled circuits, and at least one of the garbled circuits generated by the other party, evaluate to $v$ on that wire. Since an honest party always generates correct garbled circuits, our analysis shows that correctness holds as long as at least one of the evaluated circuits provided by the other party is correct. (This is in contrast to one-sided cut-and-choose, where a majority of the evaluated circuits must be correct.) Thus, a malicious party can successfully cheat only if they generate exactly $\kappa - c$ bad garbled circuits, and none of those is checked by the other party. Setting $c = \kappa/2$ (which minimizes the cheating probability), the probability of successful cheating is $\binom{\kappa}{\kappa/2}^{-1} = 2^{-\kappa + O(\log \kappa)}$. We can therefore achieve the same security level as previous work while reducing $\kappa$ by roughly a factor of 3.[1] As an added advantage, our protocol naturally supports having both parties receive output (an explicit concern of [33]), with no performance penalty if only one party should learn the output. In concurrent work, Lindell [19] shows a different approach that achieves $2^{-\kappa}$ security using $\kappa$ circuits generated by only one of the parties.

[1] To be clear: in our protocol each party generates $\kappa$ garbled circuits and so the total number of garbled circuits is $2\kappa$. However, since this work is done in parallel by the two parties, in addition to whatever parallel processing is available on each user's own machine, and since the communication is symmetric, the wall-clock time of our protocol is expected to improve on previous protocols by up to a factor of 3.

1.3 Outline of the Paper

In Section 2 we review the cryptographic building blocks used in our protocol. We provide an overview of the protocol in Section 3 along with some intuition for why it is secure. In Section 4 we provide a formal description of our protocol, and we prove security in Section 5. In Appendix A we give some preliminary experimental results showing that we outperform the recent work of [18].

2 Notation and Building Blocks

For simplicity, we describe our protocol using concrete (rather than asymptotic) notation. Nevertheless, it should be clear that our protocol can be cast in an asymptotic setting without difficulty.

Let $G$ be a group of prime order $q$ with generator $g$. We assume the computational Diffie-Hellman (CDH) problem is hard in $G$. We let $H$ be a hash function that will be treated in the analysis as a random oracle. We let $\mathrm{Com}$ be a commitment scheme. We use the standard definitions of secure two-party computation for malicious adversaries [7].

2.1 Naor-Pinkas Oblivious Transfer

In our protocol we do not use oblivious transfer as a black box, but instead rely on specific details of the OT protocol used. Although several candidate OT protocols could be used, for concreteness and efficiency we use an OT protocol due to Naor and Pinkas [27] which we now describe. Say we have a sender holding inputs $x_0, x_1 \in \{0,1\}^n$, and a receiver holding input $b \in \{0,1\}$. In the first round, the sender chooses random $C \in G$ and sends $C$ to the other party. The receiver picks $k \in \mathbb{Z}_q$, defines $h_0 = g^k$ and $h_1 = C/g^k$, and sends $h = h_b$ to the sender. In turn, the sender chooses $r \in \mathbb{Z}_q$ and sends $g^r,\ H(h^r) \oplus x_0,\ H((C/h)^r) \oplus x_1$ to the other party. The receiver recovers $x_b$ by computing $(g^r)^k$ and using the appropriate component of the sender's final message. We remark that several independent OTs can all share the same first message $C$.

This OT protocol is simulatable for a malicious receiver under the CDH assumption in the random oracle model. It achieves privacy (but is not known to be simulatable) against a malicious sender, and this suffices for our purposes. A variant of this protocol requires the receiver to give a (standard) perfect witness-indistinguishable proof of knowledge of $\log_g h$ or $\log_g(C/h)$ after sending $h$. We use this variant in our analysis since it simplifies the proof.

2.2 Garbled Circuits

We use a modification of standard garbled circuits [35]. Fix a function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$. We abstract the construction/evaluation of a garbled circuit for $f$ via algorithms $\mathrm{GenGC}, \mathrm{EvalGC}$ with the following properties. $\mathrm{GenGC}$ is a randomized algorithm that takes as input $2n$ input-wire labels $v_1^0, v_1^1, \ldots, v_n^0, v_n^1 \in G$ (corresponding to the first input of $f$), $2n$ input-wire labels $v_{n+1}^0, v_{n+1}^1, \ldots, v_{2n}^0, v_{2n}^1 \in \{0,1\}^n$ (corresponding to the second input of $f$), and $2n$ output-wire labels $w_1^0, w_1^1, \ldots, w_n^0, w_n^1 \in \mathbb{Z}_q$. It outputs a garbled circuit $GC$. Deterministic algorithm $\mathrm{EvalGC}$ takes as input $GC$ and $2n$ input-wire labels $v_1, \ldots, v_{2n}$; it outputs $n$ values $b_1 \| w_1, \ldots, b_n \| w_n$, with $b_1, \ldots, b_n \in \{0,1\}$. Note that $\mathrm{EvalGC}$ explicitly outputs wire labels in addition to bits. Correctness requires that for any set of input/output-wire labels, any garbled circuit $GC$ output by $\mathrm{GenGC}(\{v_i^0, v_i^1\}_{i=1}^{2n}, \{w_i^0, w_i^1\}_{i=1}^{n})$, and any $x, y \in \{0,1\}^n$ with $z = f(x,y)$, we have $\mathrm{EvalGC}(GC, \{v_i^{x_i}\}_{i=1}^{n}, \{v_{n+i}^{y_i}\}_{i=1}^{n}) = z_1 \| w_1^{z_1}, \ldots, z_n \| w_n^{z_n}$.
Security requires a simulator $\mathrm{SimGC}$ such that for all $x, y$ with $z = f(x,y)$, any $v_1^{x_1}, \ldots, v_n^{x_n} \in G$ and $v_{n+1}^{y_1}, \ldots, v_{2n}^{y_n} \in \{0,1\}^n$, and any $w_1^0, w_1^1, \ldots, w_n^0, w_n^1 \in \mathbb{Z}_q$, the distribution
$$\Big\{\, v_1^{1-x_1}, \ldots, v_n^{1-x_n} \leftarrow G;\ v_{n+1}^{1-y_1}, \ldots, v_{2n}^{1-y_n} \leftarrow \{0,1\}^n;\ GC \leftarrow \mathrm{GenGC}\big(\{v_i^0, v_i^1\}_{i=1}^{2n}, \{w_i^0, w_i^1\}_{i=1}^{n}\big) \,:\, \big(GC, \{v_i^{x_i}\}_{i=1}^{n}, \{v_{n+i}^{y_i}\}_{i=1}^{n}\big) \Big\}$$
is computationally indistinguishable from
$$\Big\{\, GC \leftarrow \mathrm{SimGC}\big(x, z, \{v_i^{x_i}\}_{i=1}^{n}, \{v_{n+i}^{y_i}\}_{i=1}^{n}, \{w_i^{z_i}\}_{i=1}^{n}\big) \,:\, \big(GC, \{v_i^{x_i}\}_{i=1}^{n}, \{v_{n+i}^{y_i}\}_{i=1}^{n}\big) \Big\}.$$
In particular, this means (informally) that (1) given $GC$, $\{v_i^{x_i}\}_{i=1}^{n}$, and $\{v_{n+i}^{y_i}\}_{i=1}^{n}$, no information is leaked about $\{w_i^{1-z_i}\}_{i=1}^{n}$ where $z = f(x,y)$, and (2) this holds regardless of how the $\{v_i^{x_i}\}_{i=1}^{n}, \{v_{n+i}^{y_i}\}_{i=1}^{n}$ are chosen (as long as the other input-wire labels are random). These properties are not standard, but are easily seen to hold by modifying the construction/proof from [22].

Note: We always let input wires $1, \ldots, n$ denote the inputs of the party generating the circuit. Thus, technically, $P_1$ generates garbled circuits for the function $f$, and $P_2$ generates garbled circuits for the function $f'(y, x) \overset{\mathrm{def}}{=} f(x, y)$.

2.3 Verifiable Secret Sharing

We use a notion of (non-interactive) verifiable secret sharing (VSS) that is weaker than the usual one in the literature. For our purposes, a $t$-out-of-$\kappa$ VSS scheme comprises three algorithms $\mathrm{Share}, \mathrm{Vrfy}, \mathrm{Rec}$ with the following functionality:

- $\mathrm{Share}$ takes input $s \in \mathbb{Z}_q$ and outputs $\kappa$ shares $w_1, \ldots, w_\kappa \in \mathbb{Z}_q$ and additional information $\mathit{pub}$.
- $\mathrm{Vrfy}$ takes as input the information $\mathit{pub}$, an index $i$, and a candidate share $w \in \mathbb{Z}_q$. It outputs a bit, with 1 denoting validity.
- $\mathrm{Rec}$ takes as input $\mathit{pub}$ and $t$ indices/shares $\{(i_j, w_{i_j})\}_{j=1}^{t}$. It outputs a value $s \in \mathbb{Z}_q$.

We require that for any $s \in \mathbb{Z}_q$, any $w_1, \ldots, w_\kappa, \mathit{pub}$ output by $\mathrm{Share}(s)$, and any $i_1, \ldots, i_t \in [\kappa]$, we have (1) $\mathrm{Vrfy}(\mathit{pub}, i, w_i) = 1$ and (2) $\mathrm{Rec}(\mathit{pub}, \{(i_j, w_{i_j})\}_{j=1}^{t}) = s$.

We define a secrecy requirement for an honest dealer, and a verifiability requirement for honest receivers. Secrecy requires hardness of recovering a random secret $s$ given $\mathit{pub}$ and at most $t-1$ shares. Formally, the following should be small for all efficient algorithms $A$ and any $i_1, \ldots, i_{t-1}$:
$$\Pr\big[\, s \leftarrow \mathbb{Z}_q;\ (\mathit{pub}, w_1, \ldots, w_\kappa) \leftarrow \mathrm{Share}(s) \,:\, A(\mathit{pub}, w_{i_1}, \ldots, w_{i_{t-1}}) = s \,\big].$$
Verifiability requires that the dealer cannot generate $\mathit{pub}$ and two different sets of valid shares that reconstruct to different secrets. Formally, the following is small for all efficient algorithms $A$:
$$\Pr\left[\, \big(\mathit{pub}, \{(i_j, w_{i_j})\}_{j=1}^{t}, \{(i'_j, w'_{i'_j})\}_{j=1}^{t}\big) \leftarrow A \,:\, \begin{array}{l} \forall j : \mathrm{Vrfy}(\mathit{pub}, i_j, w_{i_j}) = 1 \\ \forall j : \mathrm{Vrfy}(\mathit{pub}, i'_j, w'_{i'_j}) = 1 \\ \mathrm{Rec}(\mathit{pub}, \{(i_j, w_{i_j})\}_{j=1}^{t}) \ne \mathrm{Rec}(\mathit{pub}, \{(i'_j, w'_{i'_j})\}_{j=1}^{t}) \end{array} \right].$$
Feldman VSS [6] satisfies the above properties under the discrete-logarithm assumption.

3 High-Level Description of the Protocol

At a high level, the protocol proceeds in the following stages:

1. Generate garbled circuits: Each party generates $\kappa$ garbled circuits along with their corresponding input-wire labels.

2. Oblivious transfer: Each party uses the Naor-Pinkas OT protocol (cf. Section 2.1) to obtain its input-wire labels for the garbled circuits constructed by the other party. This is done in such a way that a party must use the same effective input across all circuits.

3. Cut-and-choose: Each party sends the garbled circuits they constructed to the other party. Using coin tossing, parties choose half of each of their circuits for checking. Then:
   (a) For each of its check circuits, each party (1) sends all the input-wire labels for that circuit (to prove that the check circuit was constructed correctly) and (2) reveals all the values it used as the OT sender in step 2 (to prove that it used the correct input-wire labels in the OT execution corresponding to the check circuit).
   (b) For each of its remaining circuits (the evaluation circuits), each party sends the input-wire labels corresponding to its own input.

4. Output determination: Each party evaluates the garbled circuits they received from the other party, using the input-wire labels obtained in steps 2 and 3(b). For each output wire of the circuit, each party decides on output $z \in \{0,1\}$ iff at least one of the circuits they evaluated (that the other party constructed) gave output $z$ and at least one of the circuits the other party evaluated (that they constructed) gave output $z$.

We defer the details of step 4, and for now just assume it can be done. We also assume that if a party successfully passes the cut-and-choose step, then for at least one of that party's evaluation circuits (1) the evaluation circuit is constructed correctly and (2) the correct input-wire labels were used in the corresponding OT; this assumption holds except with probability at most $\binom{\kappa}{\kappa/2}^{-1}$.

The main issue to address is to ensure that a malicious party uses the same (effective) input in step 2 (when it obtains input-wire labels for its own input from the other party using OT) and for all the input-wire labels it sends in step 3(b) (for the garbled circuits that it generated). We achieve this by noting that when an honest receiver obtains the input-wire labels for its $i$th input wire during the OT step, it sends a message $h_i$ for which (1) it knows $\log_g h_i$ when its effective input (on the $i$th wire) is 0, and (2) it knows $\log_g(C/h_i)$ when its effective input (on the $i$th wire) is 1. We require the parties to use this same template for the input-wire labels corresponding to their own input in the garbled circuits they prepare. That is, for each garbled circuit and each input wire $i$ corresponding to an input of the circuit generator, the input-wire label $v_i^0$ corresponding to 0 is chosen such that $\log_g v_i^0$ is known, and the input-wire label $v_i^1$ corresponding to 1 is chosen such that $\log_g(C/v_i^1)$ is known. Moreover, this property is verified to hold (for the check circuits) during the cut-and-choose step. When sending its $i$th input-wire label $v_i$ in step 3(b), each party must then also prove[2] that it knows $\log_g(v_i/h_i)$. This is reminiscent of a similar technique used by Shelat and Shen [33] to enforce input consistency among input-wire labels sent by the circuit generator; here, we extend it to enforce consistency also to the input-wire labels received as a circuit evaluator.

Given this, and still assuming step 4 can be carried out, one can informally verify that the protocol is secure. Assume for concreteness that $P_2$ is honest. Privacy of $P_2$'s input is easy to see.
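The Naor-Pinkas exchange of Section 2.1 together with the input-consistency template just described, as an added Python example (this is not the paper's code). $P_2$ plays the OT sender with first message $\tilde C$; $P_1$ is the receiver for its input bit $x$, builds its own wire labels from the same $\tilde C$, and then discloses $\log_g(v_i/h_i)$ as in step 3(b). Assumptions that are the example's own: a toy 64-bit safe-prime group found at import time (a real deployment uses a standard group of cryptographic size), SHA-256 truncated to the label length standing in for the random oracle $H$, and all function names.

```python
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64):
    """Toy group (assumption of this example): first safe prime p = 2q + 1 with
    q > 2^bits, found deterministically, and g = 4, a quadratic residue of order q."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()
NBYTES = (P.bit_length() + 7) // 8


def H(elem: int, n: int) -> bytes:
    """Random-oracle stand-in: SHA-256 of the group element, cut to an n-byte pad."""
    return hashlib.sha256(elem.to_bytes(NBYTES, "big")).digest()[:n]


def inv(a: int) -> int:
    return pow(a, -1, P)


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


# ---- Naor-Pinkas OT (Section 2.1): sender holds x0, x1; receiver holds bit b ----
def sender_round1() -> int:
    """C, reused by every OT of this sender; the receiver must not know log_g C."""
    return pow(G, rand_exp(), P)


def receiver_choose(C: int, b: int):
    """h = g^k for b = 0, h = C / g^k for b = 1; returns (k, h)."""
    k = rand_exp()
    h0 = pow(G, k, P)
    return k, (h0 if b == 0 else C * inv(h0) % P)


def sender_respond(C: int, h: int, x0: bytes, x1: bytes):
    """(g^r, H(h^r) xor x0, H((C/h)^r) xor x1): the receiver can strip only one pad."""
    r = rand_exp()
    return (pow(G, r, P),
            xor(H(pow(h, r, P), len(x0)), x0),
            xor(H(pow(C * inv(h) % P, r, P), len(x1)), x1))


def receiver_recover(k: int, b: int, resp) -> bytes:
    g_r, e0, e1 = resp
    pad = H(pow(g_r, k, P), len(e0))   # (g^r)^k is h^r when b = 0 and (C/h)^r when b = 1
    return xor(pad, e0 if b == 0 else e1)


# ---- input-consistency template (Section 3, step 3(b)) ----
def generator_wire_labels(C: int):
    """Labels for one of the generator's own input wires: v0 = g^a0, v1 = C / g^a1."""
    a0, a1 = rand_exp(), rand_exp()
    return (a0, a1), (pow(G, a0, P), C * inv(pow(G, a1, P)) % P)


def consistency_witness(x: int, k: int, a0: int, a1: int) -> int:
    """log_g(v^x / h^x): a0 - k for x = 0, k - a1 for x = 1 (the C factors cancel)."""
    return (a0 - k) % Q if x == 0 else (k - a1) % Q


def verify_consistency(v: int, h: int, d: int) -> bool:
    return pow(G, d, P) == v * inv(h) % P


def demo(x: int, labels: tuple) -> dict:
    """One input wire of P1 (bit x) against P2, who chose C~ and holds both labels."""
    C_tilde = sender_round1()                              # step 1, sent by P2
    k, h = receiver_choose(C_tilde, x)                     # step 2, P1 as OT receiver
    recovered = receiver_recover(k, x, sender_respond(C_tilde, h, *labels))
    (a0, a1), (v0, v1) = generator_wire_labels(C_tilde)    # P1's own labels use the same C~
    d = consistency_witness(x, k, a0, a1)                  # step 3(b): P1 reveals this
    other = (v0, v1)[1 - x]                                # label for the bit P1 did not use
    return {
        "ot_correct": recovered == labels[x],
        "consistent": verify_consistency((v0, v1)[x], h, d),
        # pairing h with the other label leaves a bare C~ in v/h, so neither value P1
        # knows is its discrete log (except with probability about 1/q)
        "mismatch_rejected": not verify_consistency(other, h, d)
        and not verify_consistency(other, h, (k - a1) % Q if x == 0 else (a0 - k) % Q),
    }
```

The two cases of `consistency_witness` are the whole point of the template: the $\tilde C$ terms cancel only when the label and the OT message encode the same bit. For the other label the quotient $v/h$ still contains $\tilde C$ itself, so producing a witness would amount to knowing $\log_g \tilde C$, which $P_1$ never learns.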
As for correctness, $P_2$ constructed all its garbled circuits correctly and sent input-wire labels for its own input $y$ in all its evaluation circuits. In step 2, $P_1$ obtained input-wire labels for its own (effective) input $x$ in all of $P_2$'s evaluation circuits. So all of $P_2$'s garbled circuits that were evaluated by $P_1$ yield output $z \overset{\mathrm{def}}{=} f(x, y)$. In the other direction, with high probability at least one of $P_1$'s evaluation circuits $GC$ was constructed correctly, and moreover the correct input-wire labels (for $P_2$'s input) were used in the corresponding OT; thus, $P_2$ obtained the correct input-wire labels for its input $y$ in $GC$. Furthermore, from the previous paragraph we know that the input-wire labels for $P_1$'s input in $GC$ correspond to the same input $x$ it used before. Thus, evaluation of $GC$ by $P_2$ also yields $z = f(x, y)$, and thus $z$ will be the final output of $P_2$ in the protocol.

The missing piece is to show how to implement step 4, and this is the most involved part of our protocol. The basic idea here is for each party to choose a secret value $s_i^b$ for each output wire $i$ of the circuit and each possible value $b \in \{0,1\}$ that wire can take. Each such secret is then split into $\kappa$ shares $w_{1,i}^b, \ldots, w_{\kappa,i}^b$ using a $(\kappa/2 + 1)$-out-of-$\kappa$ secret-sharing scheme. Share $w_{j,i}^b$ is then used as the label corresponding to $b$ on the $i$th output wire of the $j$th garbled circuit. The net result is that for each output wire $i$ and bit $b$, the other party can reconstruct $s_i^b$ if and only if it learns $\kappa/2 + 1$ of the shares corresponding to that wire and bit. Note that $\kappa/2$ shares of every wire and bit will be revealed as part of the cut-and-choose phase.

Assuming again that $P_2$ is honest, we thus have the following: As noted earlier, all of the garbled circuits that $P_2$ constructed will evaluate to the same value $z = f(x, y)$. This means that $P_1$ only learns shares corresponding to the secrets $s_1^{z_1}, \ldots, s_n^{z_n}$, and learns nothing about the remaining secrets $s_1^{1-z_1}, \ldots, s_n^{1-z_n}$. This gives $P_2$ a way to test whether the circuits it constructed (that were evaluated by $P_1$) resulted in output $z$ by checking which of each pair of secrets $P_1$ knows (e.g., using a secure equality test). In the opposite direction, as long as one of the garbled circuits constructed by $P_1$ (and evaluated by $P_2$) yields $z$, this will give $P_2$ one additional share of each of $s'^{\,z_1}_1, \ldots, s'^{\,z_n}_n$ (where we use $s'$ here to denote that these secrets are chosen by $P_1$) and hence $P_2$ will be able to reconstruct each of those secrets. Note that it does not matter which garbled circuit evaluates to $z$, as any correctly constructed circuit that evaluates to $z$ reveals the requisite share.

One point omitted from the above discussion is that now it must be possible to check during the cut-and-choose phase that correct shares were used when constructing the garbled circuits. For this reason, we use verifiable secret sharing (see Section 2.3). We defer to the next section additional technical details of the protocol needed for the proof of security.

[2] Actually, as in [33], the party can simply reveal $\log_g(v_i/h_i)$.

4 Formal Specification of the Protocol

Fix a function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ that parties $P_1$ and $P_2$ wish to compute over their respective inputs $x, y \in \{0,1\}^n$. We assume both parties learn the output, but it is easy to modify the protocol so that only one party learns the output. The protocol proceeds as follows.

1. $P_1$ chooses $C \in G$ and sends it to $P_2$. Symmetrically, $P_2$ chooses $\tilde C \in G$ and sends it to $P_1$.

2. $P_1$ generates $4n$ input-wire labels for each of $\kappa$ garbled circuits in the following way. For $j = 1, \ldots, \kappa$, it chooses $a_{j,1}^0, a_{j,1}^1, \ldots, a_{j,n}^0, a_{j,n}^1 \in \mathbb{Z}_q$ and sets the first $2n$ input-wire labels of circuit $j$ to be of the form $\{v_{j,i}^0 = g^{a_{j,i}^0}\}_{i=1}^{n}$ and $\{v_{j,i}^1 = \tilde C / g^{a_{j,i}^1}\}_{i=1}^{n}$. It chooses the next $2n$ input-wire labels of circuit $j$ uniformly as $v_{j,n+1}^0, v_{j,n+1}^1, \ldots, v_{j,2n}^0, v_{j,2n}^1 \in \{0,1\}^n$. Symmetrically,[3] $P_2$ generates $4n$ input-wire labels $\tilde v_{j,1}^0, \tilde v_{j,1}^1, \ldots, \tilde v_{j,2n}^0, \tilde v_{j,2n}^1$ for $j = 1, \ldots, \kappa$.

   Each party then uses the Naor-Pinkas OT protocol to obtain the input-wire labels corresponding to its own input in the circuits generated by the other party. I.e., for $i = 1, \ldots, n$ party $P_1$ chooses $k_i \in \mathbb{Z}_q$, generates $(h_i^0, h_i^1) = (g^{k_i}, \tilde C / g^{k_i})$, and sends $h_i \overset{\mathrm{def}}{=} h_i^{x_i}$ to $P_2$. Then $P_2$ generates $\kappa$ independent responses as in the Naor-Pinkas protocol, using inputs $(\tilde v_{j,n+i}^0, \tilde v_{j,n+i}^1)$ in the $j$th such instance where, recall, $\tilde v_{j,n+i}^b$ denotes the label corresponding to bit $b$ on the $(n+i)$th input wire in the $j$th garbled circuit. $P_1$ recovers $\tilde v_{1,n+i}^{x_i}, \ldots, \tilde v_{\kappa,n+i}^{x_i}$. $P_2$ acts symmetrically to obtain $v_{1,n+i}^{y_i}, \ldots, v_{\kappa,n+i}^{y_i}$ for $i = 1, \ldots, n$.

3. For $i \in \{1, \ldots, n\}$ and $b \in \{0,1\}$, party $P_1$ chooses $s_i^b \in \mathbb{Z}_q$ and generates a $(\kappa/2 + 1)$-out-of-$\kappa$ secret sharing $(\mathit{pub}_i^b, w_{1,i}^b, \ldots, w_{\kappa,i}^b) \leftarrow \mathrm{Share}(s_i^b)$. It uses $w_{j,i}^b$ as the label for bit $b$ on the $i$th output wire in the $j$th circuit, i.e., for $j = 1, \ldots, \kappa$ it computes the garbled circuit $GC_j = \mathrm{GenGC}(\{v_{j,i}^0, v_{j,i}^1\}_{i=1}^{2n}, \{w_{j,i}^0, w_{j,i}^1\}_{i=1}^{n})$. It sends $\{GC_j\}_{j=1}^{\kappa}$ and $\{\mathit{pub}_i^0, \mathit{pub}_i^1\}_{i=1}^{n}$ to $P_2$. $P_2$ acts symmetrically to obtain $\tilde s_i^b$ and $(\widetilde{\mathit{pub}}_i^b, \tilde w_{1,i}^b, \ldots, \tilde w_{\kappa,i}^b)$ and to generate $\widetilde{GC}_j$; it sends $\{\widetilde{GC}_j\}_{j=1}^{\kappa}$ and $\{\widetilde{\mathit{pub}}_i^0, \widetilde{\mathit{pub}}_i^1\}_{i=1}^{n}$ to $P_1$.

4. For $j = 1, \ldots, \kappa$ and $i = 1, \ldots, n$, party $P_1$ commits to the input-wire labels $v_{j,i}^0$ and $v_{j,i}^1$ corresponding to its own input, in random permuted order. Let $\mathrm{ComSet}_{j,i}$ denote the resulting pair of commitments. $P_2$ acts symmetrically.

5. The parties run secure coin-tossing protocols to generate strings $J, \tilde J \in \{0,1\}^\kappa$ that are each uniform among strings containing exactly $\kappa/2$ ones.[4] These are interpreted in the natural way as subsets of $\{1, \ldots, \kappa\}$ of size $\kappa/2$. $J$ is used to check the garbled circuits constructed by $P_1$. Specifically, for $j = 1, \ldots, \kappa$:
   (a) If $j \in J$ the $j$th circuit is a check circuit. Here, $P_1$ sends $\{a_{j,i}^0, a_{j,i}^1\}_{i=1}^{n}$, $\{v_{j,i}^0, v_{j,i}^1\}_{i=n+1}^{2n}$, $\{w_{j,i}^0, w_{j,i}^1\}_{i=1}^{n}$, and the randomness it used to generate $GC_j$. It also reveals the sender-randomness it used in all the OTs corresponding to the $j$th circuit, and opens both commitments in $\mathrm{ComSet}_{j,i}$ for $i = 1, \ldots, n$. $P_2$ sets $v_{j,i}^0 = g^{a_{j,i}^0}$ and $v_{j,i}^1 = \tilde C / g^{a_{j,i}^1}$ for $i = 1, \ldots, n$. It re-generates the $j$th garbled circuit and verifies that it matches $GC_j$. It verifies that $\{v_{j,i}^0, v_{j,i}^1\}_{i=n+1}^{2n}$ were used in the OTs for the $j$th circuit, and that the commitments in $\mathrm{ComSet}_{j,i}$ open to $\{v_{j,i}^0, v_{j,i}^1\}$ in some order. Finally, it checks that $\mathrm{Vrfy}(\mathit{pub}_i^b, j, w_{j,i}^b) = 1$ for $i = 1, \ldots, n$ and $b \in \{0,1\}$. It aborts if any of these fail.
   (b) If $j \notin J$ the $j$th circuit is an evaluation circuit. In this case, $P_1$ sends $(v_{j,1}, \ldots, v_{j,n}) \overset{\mathrm{def}}{=} (v_{j,1}^{x_1}, \ldots, v_{j,n}^{x_n})$ (i.e., the wire labels corresponding to $P_1$'s input in the $j$th circuit) to $P_2$. It also opens the commitment in $\mathrm{ComSet}_{j,i}$ that corresponds to $v_{j,i}$. Finally, it sends $\log_g(v_{j,1}/h_1), \ldots, \log_g(v_{j,n}/h_n)$. (Recall that $h_1, \ldots, h_n$ are the values used by $P_1$ when acting as receiver in the Naor-Pinkas OT protocol.) $P_2$ checks that one of the commitments in $\mathrm{ComSet}_{j,i}$ opens to $v_{j,i}$, and verifies the discrete logarithms sent by $P_1$. It aborts if any inconsistencies are found.
   Symmetrically, the parties use $\tilde J$ to check the garbled circuits constructed by $P_2$.

6. For each evaluation circuit $j$ of $P_2$, party $P_1$ evaluates $\widetilde{GC}_j$ using the input-wire labels it obtained in steps 2 and 5. By doing so, it learns $n$ values $b_{j,1} \| w_{j,1}, \ldots, b_{j,n} \| w_{j,n}$. For $i = 1, \ldots, n$ and $b \in \{0,1\}$, party $P_1$ tries to recover[5] $\tilde s_i^b$. To do so, it finds an evaluation circuit $j$ for which $b_{j,i} = b$ and $w_{j,i}$ is a valid share of $\tilde s_i^b$ (i.e., $\mathrm{Vrfy}(\widetilde{\mathit{pub}}_i^{b_{j,i}}, j, w_{j,i}) = 1$). If no such $j$ exists, it chooses $t_i^b \in \mathbb{Z}_q$. Otherwise, it computes $t_i^b$ by running $\mathrm{Rec}$ using $\widetilde{\mathit{pub}}_i^{b_{j,i}}$, the $\kappa/2$ shares $\{(k, \tilde w_{k,i}^b)\}_{k \in \tilde J}$ it learned in step 5, and the additional share $(j, w_{j,i})$. $P_2$ acts symmetrically to compute $\tilde t_i^0, \tilde t_i^1$ for $i = 1, \ldots, n$.

7. For $i = 1, \ldots, n$, the parties do the following: Run a secure equality test, with $P_1$ using input $s_i^0 \| t_i^0$ and $P_2$ using input $\tilde t_i^0 \| \tilde s_i^0$. If the result is 1, each party sets $z_i = 0$ and goes to the next $i$. Otherwise, the parties run a second equality test with $P_1$ using input $s_i^1 \| t_i^1$ and $P_2$ using input $\tilde t_i^1 \| \tilde s_i^1$. If the result is 1, each party sets $z_i = 1$ and goes to the next $i$. If neither equality test succeeds for some $i$ then cheating is detected and the parties abort. Assuming no abort has occurred, each party then outputs $z = z_1 \cdots z_n$.

[3] Recall that the first $n$ input wires always denote the inputs of the party generating the circuit.
[4] This can be implemented easily by using a standard coin-tossing protocol to generate polynomially many uniform bits, and then using those bits as the random coins for applying a Knuth shuffle to the string $0^{\kappa/2} 1^{\kappa/2}$.
[5] In an honest execution, only one of $\tilde s_i^0$ or $\tilde s_i^1$ will be recovered.
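Steps 3, 5(a), 6 and 7 for a single output wire, as an added Python example (not the paper's code) that also instantiates the VSS of Section 2.3 with Feldman sharing: the check circuits open $\kappa/2$ shares of every secret, a single correctly evaluated circuit supplies the $(\kappa/2+1)$-th share, and a circuit that outputs the wrong bit with an invalid label is simply ignored by $\mathrm{Vrfy}$. Assumptions that are the example's own: the toy group $p = 2039$, $q = 1019$, $g = 4$ (a real deployment uses a large group), the same check set for both parties, the equality test of step 7 modelled as a plain tuple comparison (in the protocol it is a secure equality test), and malformed circuits modelled as outputting $1-z$ with the correct share plus one.

```python
import secrets

# Toy group (constructed for this example, not the paper's parameters): p = 2q + 1
# with p = 2039 and q = 1019 both prime, and g = 4 of order q.  Use a large group in practice.
P, Q, G = 2039, 1019, 4


def share(s: int, t: int, kappa: int):
    """Feldman t-out-of-kappa sharing of s in Z_q.  pub commits to the coefficients
    of f(X) = s + c_1 X + ... + c_{t-1} X^{t-1} as g^{c_k}; share i is f(i)."""
    coeffs = [s % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    pub = [pow(G, c, P) for c in coeffs]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, kappa + 1)}
    return pub, shares


def vrfy(pub, i: int, w: int) -> bool:
    """Valid iff g^w equals the commitment to f(i), i.e. prod_k pub[k]^(i^k)."""
    expected = 1
    for k, commitment in enumerate(pub):
        expected = expected * pow(commitment, pow(i, k, Q), P) % P
    return pow(G, w % Q, P) == expected


def rec(pub, points) -> int:
    """Lagrange interpolation of f(0) from t = len(pub) verified (index, share) pairs."""
    pts = list(points)[:len(pub)]
    if len(pts) < len(pub) or any(not vrfy(pub, i, w) for i, w in pts):
        raise ValueError("need t valid shares")
    s = 0
    for i, w in pts:
        lam = 1
        for j, _ in pts:
            if j != i:
                lam = lam * j % Q * pow((j - i) % Q, -1, Q) % Q
        s = (s + w * lam) % Q
    return s


def dealer_output_wire(kappa: int):
    """Step 3 for one output wire: one secret per bit b, each shared
    (kappa/2 + 1)-out-of-kappa; share w^b_j is the label for bit b in circuit j."""
    secs = [secrets.randbelow(Q) for _ in (0, 1)]
    return secs, [share(s, kappa // 2 + 1, kappa) for s in secs]   # [(pub0, shares0), (pub1, shares1)]


def evaluator_recover(pubs, check_shares, eval_results):
    """Steps 5(a) and 6 on the evaluator's side.  check_shares = {j: (w^0_j, w^1_j)}
    opened for the check circuits; eval_results = {j: (bit, label)} from evaluating
    the other party's evaluation circuits.  Returns (t0, t1, found)."""
    for j, (w0, w1) in check_shares.items():
        if not (vrfy(pubs[0], j, w0) and vrfy(pubs[1], j, w1)):
            raise ValueError(f"check circuit {j} carries an invalid share")   # abort
    t_vals, found = [0, 0], [False, False]
    for b in (0, 1):
        usable = [(j, w) for j, (bit, w) in eval_results.items() if bit == b and vrfy(pubs[b], j, w)]
        if not usable:
            t_vals[b] = secrets.randbelow(Q)          # no share for this bit: random guess
        else:                                         # any single good circuit suffices
            t_vals[b] = rec(pubs[b], [(j, ws[b]) for j, ws in check_shares.items()] + usable[:1])
            found[b] = True
    return t_vals[0], t_vals[1], found


def decide_wire(p1_secrets, p1_guess, p2_secrets, p2_guess):
    """Step 7 (equality test shown in the clear): P1 inputs (s^b, t^b), P2 inputs
    (t~^b, s~^b).  Equality for b means both parties' circuits agreed on bit b."""
    for b in (0, 1):
        if (p1_secrets[b], p1_guess[b]) == (p2_guess[b], p2_secrets[b]):
            return b
    return None      # neither test passed: cheating detected, abort


def run_wire(kappa: int = 8, z: int = 1, p1_bad_circuits=()):
    """Both directions for one output wire whose true value is z.  P1's evaluation
    circuits listed in p1_bad_circuits are malformed: they output 1 - z together with
    a label that is not a valid share (here: the right share plus one)."""
    s1, sh1 = dealer_output_wire(kappa)
    s2, sh2 = dealer_output_wire(kappa)
    check = range(1, kappa // 2 + 1)
    evals = range(kappa // 2 + 1, kappa + 1)
    opened = lambda sh: {j: (sh[0][1][j], sh[1][1][j]) for j in check}
    p2_results = {j: (z, sh2[z][1][j]) for j in evals}                     # honest P2
    p1_results = {j: (1 - z, (sh1[1 - z][1][j] + 1) % Q) if j in p1_bad_circuits
                  else (z, sh1[z][1][j]) for j in evals}
    t1_0, t1_1, found1 = evaluator_recover((sh2[0][0], sh2[1][0]), opened(sh2), p2_results)
    t2_0, t2_1, found2 = evaluator_recover((sh1[0][0], sh1[1][0]), opened(sh1), p1_results)
    return decide_wire(s1, (t1_0, t1_1), s2, (t2_0, t2_1)), found1, found2
```

With every one of $P_1$'s evaluation circuits malformed, `evaluator_recover` on $P_2$'s side reconstructs neither secret, $\tilde t_i^0$ and $\tilde t_i^1$ are random guesses, and both equality tests fail except with probability about $1/q$ in this toy group (negligible in a real one), which is the abort case of step 7.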

4.1 Optimizations

For simplicity in our proof of security in the following section, we analyze the protocol as presented above. However, we observe that the following optimizations can be applied to the protocol (and the reader can verify that the proof can be suitably modified for each of these).

Naor-Pinkas OT. We assume a variant of Naor-Pinkas OT is used in which the receiver gives a witness-indistinguishable (WI) proof of knowledge that its message was computed correctly (see Section 2.1). This is used in our proof to extract the receiver's input. In fact, as shown in [27], such WI proofs are not necessary and extraction can be done using the random-oracle queries of the receiver. The same is true in our setting, though it complicates the presentation of the proof.

Secure coin tossing. In the (programmable) random-oracle model, very efficient coin tossing is possible since it is trivial to construct an equivocal and extractable commitment scheme.

Secure equality testing. In our proof, we assume a hybrid world in which the parties have access to an ideal functionality for equality testing; equivalently (relying on standard composition theorems [3]), we assume that the equality test is done using a fully secure protocol for this task. In fact, using a fully secure equality test is overkill for our purposes. Instead, we can use a different approach that is very efficient in the random-oracle model. First, assume the VSS scheme has the stronger property of indistinguishability, i.e., given $\mathit{pub}$ and $t-1$ shares of a uniform secret $s \in \{0,1\}^n$, it is hard to distinguish $s$ from an independent uniform value $s' \in \{0,1\}^n$. (Any VSS scheme satisfying the unpredictability requirement from Section 2.3 can be modified to achieve this stronger notion in the random-oracle model by simply hashing the secret.) Then, rather than performing an equality test using values $s_i^0 \| t_i^0$ and $\tilde t_i^0 \| \tilde s_i^0$ (resp., $s_i^1 \| t_i^1$ and $\tilde t_i^1 \| \tilde s_i^1$) as before, the parties now carry out an equality test on values $s_i^0 \oplus t_i^0$ and $\tilde t_i^0 \oplus \tilde s_i^0$ (resp., $s_i^1 \oplus t_i^1$ and $\tilde t_i^1 \oplus \tilde s_i^1$). At this point, we observe that a full-fledged equality test is not needed since (1) the honest party's input to the equality test is either known to the malicious party or is (indistinguishable from) uniform, and (2) in either case, it is ok if the honest party's input to the equality test is leaked to the other party after equality is checked. Thus, it suffices to use a "cheap" equality test in which $P_1$ (resp., $P_2$) commits to, e.g., $s_i^0 \oplus t_i^0$ (resp., to $\tilde t_i^0 \oplus \tilde s_i^0$) using an extractable and equivocal commitment scheme (which is easily constructed in the random-oracle model), and then each party decommits and checks equality of the decommitted results in the clear.

Saving bandwidth. Following an observation in [9], we can modify the way we do cut-and-choose as follows: Parties construct their $j$th garbled circuit by choosing a random seed $\mathit{seed}_j$ and using that seed to generate certain (pseudo)random choices they need for constructing that circuit. (In our case, this would mean using $\mathit{seed}_j$ to generate $\{a_{j,i}^0, a_{j,i}^1\}_{i=1}^{n}$, $\{v_{j,i}^0, v_{j,i}^1\}_{i=n+1}^{2n}$, and the randomness used to generate $GC_j$.) Then, in step 3, the parties send the hash $\mathit{hGC}_j = H(GC_j)$ in place of $GC_j$. If $j$ is a check circuit then $\mathit{seed}_j$ is sent; the other party re-generates $GC_j$ and verifies that $H(GC_j) = \mathit{hGC}_j$. If $j$ is an evaluation circuit then $GC_j$ is sent and the other party checks that $H(GC_j) = \mathit{hGC}_j$. Since $|\mathit{seed}_j| + |\mathit{hGC}_j| \ll |GC_j|$, this has the effect of reducing the bandwidth in steps 3 and 5 (which dominate the bandwidth of the entire protocol) by roughly half.

Batch verification. We can use batch verification [2] when simultaneously verifying validity of shares in step 5(a) (assuming Feldman VSS is used) and the discrete logarithms in step 5(b).

Efficient garbled circuits. Our protocol is fully compatible with existing optimizations for garbled circuits such as garbled-row reduction [28] and the free-XOR technique [17].[6]

[6] We cannot apply the free-XOR optimization at first-level gates because of the way the circuit generator chooses the input-wire labels. However, the free-XOR method can be used at all lower levels of the circuit.

5 Proof of Security

Theorem 1 Under the assumptions outlined in Section 2, and modeling $H$ as a random oracle, the protocol in the previous section securely computes $f$ in the presence of malicious adversaries.

Since we are not in an asymptotic setting, technically speaking "secure" is not well-defined. In the proof below, all steps introduce a computational security factor (which can be set as small as desired by setting the cryptographic security parameter large enough) except for one step which introduces a statistical security factor of $\binom{\kappa}{\kappa/2}^{-1} = 2^{-\kappa + O(\log \kappa)}$. All our assumptions are standard, and can be based on the CDH assumption in $G$. We remark that the only place the random oracle is used is for the Naor-Pinkas OT. It would be possible to remove the random oracle by switching, e.g., to the OT protocol of [31] (and modifying the rest of the protocol accordingly). Although this would impact the efficiency, the effect would be proportional to the input length and not the size of the circuit being computed.

Proof We analyze the protocol in a hybrid world in which the parties have access to ideal functionalities for coin tossing and equality testing. Using standard composition theorems [3], this implies security when those sub-routines are instantiated using secure protocols for those tasks. See Section 4.1 for further discussion. Since the protocol is symmetric, we assume without loss of generality that $P_1$ is malicious. Let $y$ denote the input of $P_2$. We define a sequence of experiments, beginning with the real execution of the protocol between $P_1$ and $P_2$ (in the hybrid world discussed above) and ending with an ideal execution involving a simulator $S$ playing the role of the first party and interacting with a trusted party computing $f$. We show that each experiment is indistinguishable from the one before it, taking into account both the view/output of the malicious party and the output of $P_2$.

Experiment 0. This is the real execution of the protocol (in the hybrid world discussed above) between $P_1$ and the honest $P_2$ holding input $y$.

Experiment 1. Here we change the way $P_2$ behaves when acting as OT sender in step 2 and when sending commitments in step 4. First of all, we now pick $\tilde J$ at the outset of the experiment. This defines the check circuits and evaluation circuits for $P_2$. Next, in each instance in which $P_1$ acts as OT receiver in step 2 and sends message $h_i$, we extract (using the WI proof of knowledge) either $\log_g h_i$ or $\log_g(\tilde C / h_i)$. In the former case we set $x_i = 0$ and in the latter case we set $x_i = 1$. Then, when computing the $\kappa$ responses for the $i$th OT, in each response that corresponds to an evaluation circuit $j$ of $P_2$ we continue to use $\tilde v_{j,n+i}^{x_i}$ but we replace $\tilde v_{j,n+i}^{1-x_i}$ with the all-0 string. (Responses that correspond to check circuits of $P_2$ are treated exactly as before.) In addition, for each evaluation circuit $j$ of $P_2$ and $i = 1, \ldots, n$, we now set $\widetilde{\mathrm{ComSet}}_{j,i} = \{\mathrm{Com}(\tilde v_{j,i}^{y_i}), \mathrm{Com}(g)\}$, in random permuted order. Indistinguishability of Experiments 0 and 1 follows easily from the security of Naor-Pinkas OT (based on the CDH assumption in the random-oracle model) and computational hiding of $\mathrm{Com}$.

Experiment 2. Now we generate all the evaluation circuits of $P_2$ using the garbled-circuit simulator $\mathrm{SimGC}$. In more detail: after extracting $P_1$'s effective input $x$ as in the previous experiment, we compute $z = f(x, y)$. In step 3, once the $\{\tilde w_{j,i}^b\}$ have been determined we compute for every evaluation circuit $j$ the simulated garbled circuit[7] $\widetilde{GC}_j \leftarrow \mathrm{SimGC}(x, z, \{\tilde v_{j,i}^{y_i}\}_{i=1}^{n}, \{\tilde v_{j,n+i}^{x_i}\}_{i=1}^{n}, \{\tilde w_{j,i}^{z_i}\}_{i=1}^{n})$. The remainder of the experiment is exactly as in Experiment 1. Indistinguishability of Experiments 1 and 2 follows from security of the garbled-circuit simulation algorithm as defined in Section 2.2. Note that in Experiment 2, we no longer use $\{\tilde v_{j,i}^{1-y_i}\}_{i=1}^{n}$, $\{\tilde v_{j,n+i}^{1-x_i}\}_{i=1}^{n}$, or $\{\tilde w_{j,i}^{1-z_i}\}_{i=1}^{n}$ for any evaluation circuit $j$ of $P_2$.

Experiment 3. This is the same as the previous experiment, except that now when performing the $i$th pair of equality tests we proceed as follows: if $z_i = 1$, we return 0 to both parties in the first equality test; if $z_i = 0$, we return 0 to both parties in the second equality test (if run). Indistinguishability of this experiment from Experiment 2 follows from secrecy of VSS. Specifically, for $i = 1, \ldots, n$ only $\widetilde{\mathit{pub}}_i^{1-z_i}$ and $\kappa/2$ shares of the secret $\tilde s_i^{1-z_i}$ are used throughout the entire experiment before the equality tests. Thus, the probability (in Experiment 2) that $P_1$ can make any of the equality tests corresponding to $1 - z_i$ return 1 is negligible.

Experiment 4. If $P_1$ successfully responds to the challenge $J$ chosen during the cut-and-choose step, we repeatedly rewind $P_1$ in an attempt to find a $J' \ne J$ for which $P_1$ also responds correctly.[8] If no such $J'$ is found, output fail. Otherwise, re-send the original challenge $J$ and continue as in the previous experiment. The only difference between this experiment and the previous one occurs in case $P_1$ responds correctly to only a single challenge $J$ and that challenge happens to be the one chosen during the experiment. This can occur with probability at most $1/\binom{\kappa}{\kappa/2}$.

Experiment 5. We now change how we compute $\tilde t_i^{z_i}$ for all $i$. (Recall that $\tilde t_i^{z_i}$ represents $P_2$'s guess for $P_1$'s secret $s_i^{z_i}$.) Assuming $P_1$ answers two different challenges $J, J'$ correctly, there is some $j \in \{1, \ldots, \kappa\}$ such that $j$ is an evaluation circuit with respect to $J$ but a check circuit with respect to $J'$. For any such $j$, we reconstruct $s_i^{z_i}$ using the share $w_{j,i}^{z_i}$ sent by $P_1$ when answering challenge $J'$, along with the $\kappa/2$ other shares of $s_i^{z_i}$ that were sent by $P_1$ when answering challenge $J$. We then set $\tilde t_i^{z_i} = s_i^{z_i}$ and use that value in the relevant equality test later.

We claim that this experiment is indistinguishable from the previous one; this is the crux of the proof. To prove this, we show that the shares $\{w_{j,i}^{z_i}\}_{i=1}^{n}$ computed in Experiment 5 are, except with negligible probability, the same shares that $P_2$ obtains by evaluating circuit $GC_j$ in Experiment 4. Verifiability of the secret-sharing scheme then implies that, except with negligible probability, the same values $\{\tilde t_i^{z_i}\}_{i=1}^{n}$ are computed in both experiments (namely, even if in Experiment 4 a valid share from an evaluation circuit other than $j$ is used by $P_2$ to reconstruct some $s_i^{z_i}$).

Fix $i$. To see that the same share $w_{j,i}^{z_i}$ is computed in each experiment, observe that in Experiment 4 the share $w_{j,i}^{z_i}$ is computed by evaluating garbled circuit $GC_j$ using input-wire labels for $P_2$'s input that $P_2$ obtains from the OTs corresponding to circuit $j$, and input-wire labels for $P_1$'s input that were sent by $P_1$ in step 5. Because $P_1$ responds correctly to challenge $J'$, in which $j$ is a check circuit, we know that: (1) $GC_j$ is correctly constructed; (2) the input-wire labels that $P_2$ obtained from the OTs are correct labels for $GC_j$ that correspond to $P_2$'s input $y$;

[7] Recall that the first $n$ input wires always denote the inputs of the party generating the circuit, so in this case correspond to input $y$.
[8] We use standard techniques in order to ensure that the experiment runs in expected polynomial time. Specifically, in parallel with rewinding $P_1$ and sending a random challenge $J' \ne J$ we also enumerate over all possible $J'$; we output fail if after completing this enumeration we find that $J$ is the only challenge to which $P_1$ responds correctly.

(3) the input-wire labels for its own input that $P_1$ sends must be correct labels for $\mathsf{GC}_j$ (this follows from binding of the commitments in $\{\mathsf{ComSet}_{j,i}\}_{i=1}^n$) and moreover must correspond to the same effective input $x$ defined by $P_1$'s execution as OT receiver (otherwise we obtain a discrete logarithm of the random group element $\tilde C$). Since $\mathsf{GC}_j$, when evaluated on input-wire labels corresponding to $x$ and $y$, yields the share $w^{z_i}_{j,i}$ on the $i$th output wire, we are done.

We remark that in Experiment 5 none of $P_1$'s evaluation circuits need to be evaluated by $P_2$. Moreover, $P_2$ no longer needs to compute its output in any of the OTs in which it acts as receiver.

Experiment 6. In the previous experiment, when $P_2$ acts as OT receiver it sends $\tilde h_i$ with either $\log_g \tilde h_i$ or $\log_g(C / \tilde h_i)$ known (depending on $y_i$). The input-wire labels $\{\tilde v^{y_i}_{j,i}\}_{i=1}^n$ (when $j$ is an evaluation circuit) are chosen in a similar way. In this experiment, for $i = 1, \ldots, n$ we choose $\tilde h_i$ uniform with $\log_g \tilde h_i$ known, so that we are simply running the OT execution honestly using input 0. Similarly, choose $\tilde v^{y_i}_{j,i}$ uniform with $\log_g \tilde v^{y_i}_{j,i}$ known for every evaluation circuit $j$. (Note that this allows $P_2$ to reveal $\log_g(\tilde v_{j,i} / \tilde h_i)$ in step 5 for every evaluation circuit $j$.) This experiment is distributed identically to the previous experiment, since $g^k$ and $C / g^k$ (where $k$ is uniform in each case) have the same distribution. ($P_2$ also gives a WI proof of knowledge of either $\log_g \tilde h_i$ or $\log_g(C / \tilde h_i)$, but we assume a perfect WI proof is used.)

To conclude, we observe that Experiment 6 can equivalently be described in terms of an ideal-world execution in which the honest $P_2$ and a simulator $S$ (playing the role of the first party, and running $P_1$ as a subroutine) interact with a trusted party computing $f$. Namely, $S$ works as follows:

1. Choose $J$ in advance; this defines the check circuits and the evaluation circuits for the simulated $P_2$. Choose $\tilde C \in G$ and send it to $P_1$. Receive in return $C \in G$.

2. For each check circuit $j$, generate input-wire labels exactly as in the real protocol. For each evaluation circuit $j$, choose $\tilde a_{j,1}, \ldots, \tilde a_{j,n} \in \mathbb{Z}_q$ and set $\tilde v_{j,i} = g^{\tilde a_{j,i}}$ for $i = 1, \ldots, n$. Also choose $\tilde v_{j,n+i} \in \{0,1\}^n$ for $i = 1, \ldots, n$. When $P_2$ acts as OT receiver, run the OT protocol honestly using input bit 0. In each instance in which $P_2$ acts as OT sender, extract from $P_1$ (by rewinding the WI proof of knowledge) either $\log_g h_i$ or $\log_g(\tilde C / h_i)$. In the former case set $x_i = 0$ and in the latter case set $x_i = 1$. Then, for check circuits send the final OT message exactly as in the real protocol, and for any evaluation circuit $j$ send the final OT message using $\tilde v_{j,n+i}$ as the $x_i$-input, and the 0-string as the $(1 - x_i)$-input.

3. Send $x$ to the trusted party, and receive in return an output $z$. Generate $\{\widetilde{\mathsf{pub}}^b_i, \tilde w^b_{j,i}\}$ as in the real protocol. Then for each evaluation circuit $j$, compute
$$\widetilde{\mathsf{GC}}_j \leftarrow \mathsf{SimGC}\big(x, z, \{\tilde v_{j,i}\}_{i=1}^{2n}, \{\tilde w^{z_i}_{j,i}\}_{i=1}^n\big);$$
for each check circuit $j$, compute $\widetilde{\mathsf{GC}}_j$ as in the real protocol. Send $\{\widetilde{\mathsf{GC}}_j\}_{j=1}^\kappa$ and $\{\widetilde{\mathsf{pub}}^0_i, \widetilde{\mathsf{pub}}^1_i\}_{i=1}^n$ to $P_1$. Receive in return $\{\mathsf{GC}_j\}_{j=1}^\kappa$ and $\{\mathsf{pub}^0_i, \mathsf{pub}^1_i\}_{i=1}^n$ from $P_1$.

4. For each check circuit $j$, compute $\{\widetilde{\mathsf{ComSet}}_{j,i}\}_{i=1}^n$ as in the real protocol. For each evaluation circuit $j$, set $\widetilde{\mathsf{ComSet}}_{j,i} = \{\mathsf{Com}(\tilde v_{j,i}), \mathsf{Com}(g)\}$ in random permuted order. Send all these pairs of commitments to $P_1$, and receive in return all the pairs of commitments from $P_1$.

5. Give $P_1$ the value $J$ as the output of the appropriate coin-tossing protocol. Respond for all check circuits as in the real protocol. For each evaluation circuit $j$, send $\{\tilde v_{j,i}\}_{i=1}^n$, open the appropriate commitment from $\{\widetilde{\mathsf{ComSet}}_{j,i}\}_{i=1}^n$, and send $\{\log_g(\tilde v_{j,i} / \tilde h_i)\}_{i=1}^n$, where $\tilde h_i$ is the message sent by $P_2$ in the $i$th OT when $P_2$ is receiver. Choose $J'$ at random as in the real protocol, and give it to $P_1$. If $P_1$ responds correctly, then repeatedly rewind to find $J'' \neq J'$ for which $P_1$ responds correctly. (If none is found, $S$ aborts with output fail.) Rewind again and continue the interaction using $J'$.

6. Let $j$ be a circuit which is an evaluation circuit in $J'$, but a check circuit in $J''$. For $i = 1, \ldots, n$, use the $\kappa/2$ shares of $s^{z_i}_i$ from $P_1$'s check circuits (with respect to $J'$) plus the additional share of $s^{z_i}_i$ from circuit $j$ (that was a check circuit with respect to $J''$) to reconstruct $s^{z_i}_i$. Set $t^{z_i}_i = s^{z_i}_i$.

7. For $i = 1, \ldots, n$, do the following. If $z_i = 0$, obtain $P_1$'s input $s^0_i \| t^0_i$ to the first equality test. If $s^0_i \| t^0_i = \tilde t^0_i \| \tilde s^0_i$, return 1; else return 0. Return 0 to the second equality test (if run). If $z_i = 1$, return 0 to the first equality test. Then obtain $P_1$'s input $s^1_i \| t^1_i$ to the second equality test. If $s^1_i \| t^1_i = \tilde t^1_i \| \tilde s^1_i$, return 1; else return 0. If for some $i$ both equality tests return 0, abort. If an abort occurred, send abort to the trusted party; otherwise, send continue.

This completes the proof.

Acknowledgments

Yan Huang would like to thank Ivan Damgård and Jesper Nielsen for their helpful comments on this work.

References

[1] Y. Aumann and Y. Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. Journal of Cryptology, 23(2).

[2] M. Bellare, J. A. Garay, and T. Rabin. Fast batch verification for modular exponentiation and digital signatures. In Advances in Cryptology, Eurocrypt '98, volume 1403 of LNCS. Springer.

[3] R. Canetti. Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13(1).

[4] I. Damgård, M. Keller, E. Larraia, C. Miles, and N. P. Smart. Implementing AES via an actively/covertly secure dishonest-majority MPC protocol. In 8th Intl. Conf. on Security and Cryptography for Networks (SCN), volume 7485 of LNCS. Springer.

[5] I. Damgård, V. Pastro, N. P. Smart, and S. Zakarias. Multiparty computation from somewhat homomorphic encryption. In Advances in Cryptology, Crypto 2012, volume 7417 of LNCS. Springer.

[6] P. Feldman. A practical scheme for non-interactive verifiable secret sharing. In 28th Annual Symposium on Foundations of Computer Science (FOCS). IEEE.

[7] O. Goldreich. Foundations of Cryptography, vol. 2: Basic Applications. Cambridge University Press, Cambridge, UK.

[8] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game, or a completeness theorem for protocols with honest majority. In 19th Annual ACM Symposium on Theory of Computing (STOC). ACM Press.

[9] V. Goyal, P. Mohassel, and A. Smith. Efficient two party and multi party computation against covert adversaries. In Advances in Cryptology, Eurocrypt 2008, volume 4965 of LNCS. Springer.

[10] W. Henecka, S. Kögl, A.-R. Sadeghi, T. Schneider, and I. Wehrenberg. TASTY: tool for automating secure two-party computations. In 17th ACM Conf. on Computer and Communications Security (CCS). ACM Press.

[11] Y. Huang, D. Evans, and J. Katz. Private set intersection: Are garbled circuits better than custom protocols? In Network and Distributed System Security Symposium (NDSS). The Internet Society.

[12] Y. Huang, D. Evans, J. Katz, and L. Malka. Faster secure two-party computation using garbled circuits. In 20th USENIX Security Symposium. USENIX Association.

[13] Y. Huang, J. Katz, and D. Evans. Quid pro quo-tocols: Strengthening semi-honest protocols with dual execution. In IEEE Symposium on Security & Privacy. IEEE.

[14] Y. Ishai, M. Prabhakaran, and A. Sahai. Founding cryptography on oblivious transfer efficiently. In Advances in Cryptology, Crypto 2008, volume 5157 of LNCS. Springer.

[15] S. Jarecki and V. Shmatikov. Efficient two-party secure computation on committed inputs. In Advances in Cryptology, Eurocrypt 2007, volume 4515 of LNCS. Springer.

[16] M. Kiraz and B. Schoenmakers. A protocol issue for the malicious case of Yao's garbled-circuit construction. In Proc. 27th Symp. on Information Theory in the Benelux.

[17] V. Kolesnikov and T. Schneider. Improved garbled circuit: Free XOR gates and applications. In 35th Intl. Colloquium on Automata, Languages, and Programming (ICALP), Part II, volume 5126 of LNCS. Springer.

[18] B. Kreuter, A. Shelat, and C. Shen. Billion-gate secure computation with malicious adversaries. In 21st USENIX Security Symposium. USENIX Association.

[19] Y. Lindell. Fast cut-and-choose based protocols for malicious and covert adversaries. Crypto 2013, to appear.

[20] Y. Lindell, E. Oxman, and B. Pinkas. The IPS compiler: Optimizations, variants and concrete efficiency. In Advances in Cryptology, Crypto 2011, volume 6841 of LNCS. Springer.

[21] Y. Lindell and B. Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries. In Advances in Cryptology, Eurocrypt 2007, volume 4515 of LNCS. Springer.

[22] Y. Lindell and B. Pinkas. A proof of security of Yao's protocol for two-party computation. Journal of Cryptology, 22(2).

[23] Y. Lindell and B. Pinkas. Secure two-party computation via cut-and-choose oblivious transfer. Journal of Cryptology, 25(4).

[24] Y. Lindell, B. Pinkas, and N. Smart. Implementing two-party computation efficiently with security against malicious adversaries. In 6th Intl. Conf. on Security and Cryptography for Networks (SCN), volume 5229 of LNCS. Springer.

[25] D. Malkhi, N. Nisan, B. Pinkas, and Y. Sella. Fairplay: a secure two-party computation system. In Proc. 13th USENIX Security Symposium. USENIX Association.

[26] P. Mohassel and M. Franklin. Efficiency tradeoffs for malicious two-party computation. In 9th Intl. Conference on Theory and Practice of Public Key Cryptography (PKC), volume 3958 of LNCS. Springer.

[27] M. Naor and B. Pinkas. Efficient oblivious transfer protocols. In 12th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA). ACM-SIAM.

[28] M. Naor, B. Pinkas, and R. Sumner. Privacy preserving auctions and mechanism design. In Proc. 1st ACM Conf. on Electronic Commerce. ACM.

[29] J. B. Nielsen, P. S. Nordholt, C. Orlandi, and S. S. Burra. A new approach to practical active-secure two-party computation. In Advances in Cryptology, Crypto 2012, volume 7417 of LNCS. Springer.

[30] J. B. Nielsen and C. Orlandi. LEGO for two-party secure computation. In 6th Theory of Cryptography Conference, TCC 2009, volume 5444 of LNCS. Springer.

[31] C. Peikert, V. Vaikuntanathan, and B. Waters. A framework for efficient and composable oblivious transfer. In Advances in Cryptology, Crypto 2008, volume 5157 of LNCS. Springer.

[32] B. Pinkas, T. Schneider, N. Smart, and S. Williams. Secure two-party computation is practical. In Advances in Cryptology, Asiacrypt 2009, volume 5912 of LNCS. Springer.

[33] A. Shelat and C.-H. Shen. Two-output secure computation with malicious adversaries. In Advances in Cryptology, Eurocrypt 2011, volume 6632 of LNCS. Springer.

[34] D. P. Woodruff. Revisiting the efficiency of malicious two-party computation. In Advances in Cryptology, Eurocrypt 2007, volume 4515 of LNCS. Springer.

[35] A. C.-C. Yao. How to generate and exchange secrets. In 27th Annual Symposium on Foundations of Computer Science (FOCS). IEEE.

A Experimental Results

We describe some preliminary experimental results indicating that our protocol significantly outperforms the recent work of [18]. We implemented our protocol in Java using all the optimizations of Section 4.1. We evaluated the protocol at the 80-bit security level, which means in particular that (1) each party generates 84 garbled circuits, 42 of which are checked; (2) the length of all wire labels is 80 bits; and (3) we use an order-$q$ subgroup of $\mathbb{Z}_p^*$ where $|p| = 1024$ and $|q| = 160$. We ran experiments over a LAN using two laptops with Intel Core i7 2.4GHz processors. Note that 80-bit security was also used in the experiments of [18].

In typical settings where the number of gates in the underlying circuit is much larger than the number of inputs/outputs, the dominant overall cost of the protocol is the generation, sending, and checking of the garbled circuits. When each side uses only a single core, our protocol evaluates circuits at the rate of 1.4 ms/gate. By comparison, the implementation of Kreuter et al. [18] evaluates circuits at the rate of about 8 ms/gate when a single thread is used. When each side utilizes two cores, our protocol evaluates circuits at the rate of 0.8 ms/gate; by comparison, the two-threaded execution in [18] achieved a rate of roughly 4 ms/gate. We do not gain a factor of 2 in performance by leveraging a second core in part because the parties are sometimes idle, and in part because of inter-thread interference (e.g., due to cache contention and dependence on shared hardware and I/O). Our measured performance gains relative to [18] exceed the expected factor of 3. This may be due to differences in hardware or implementation, or the complexity of managing multiple threads in the implementation of [18] regardless of how many cores are being used.

The number of public-key operations used in our protocol scales linearly with the lengths of the inputs and outputs, though we stress again that in typical scenarios the number of gates is much larger than the number of inputs/outputs and so the overall performance impact of these public-key operations is small. Nevertheless, we measured performance of this aspect of our protocol as well. When each side uses a single core, our protocol processes inputs at the rate of 0.7 s/bit (our experiments assume the lengths of the parties' inputs are the same). Output is computed at the rate of 0.1 s/bit.
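The following Python is an added worked example, not code from the paper: it turns the bound $1/\binom{\kappa}{\kappa/2}$ that Theorem 1 and Experiment 4 attach to the cut-and-choose step into a security level in bits, exposes the $O(\log \kappa)$ loss in $2^{-\kappa + O(\log \kappa)}$, and searches for the smallest even $\kappa$ meeting a target level. With an 80-bit target it returns $\kappa = 84$ with 42 circuits checked, which is exactly the parameter choice of Appendix A; the search over arbitrary targets goes beyond the single figure the paper reports. The function names are my own.

```python
"""Statistical security of symmetric cut-and-choose as a function of kappa.

Added worked example, not code from the paper. The one statistical loss in
the proof (Experiment 4) is bounded by 1 / binom(kappa, kappa/2): a cheating
P1 only escapes if it can answer exactly one of the binom(kappa, kappa/2)
possible challenges J' and that challenge is the one actually chosen.
"""
import math
from fractions import Fraction


def _check_kappa(kappa: int) -> None:
    # Exactly kappa/2 circuits are checked, so kappa must be a positive even integer.
    if kappa <= 0 or kappa % 2:
        raise ValueError("kappa must be a positive even integer")


def cheating_probability(kappa: int) -> Fraction:
    """Exact bound 1 / binom(kappa, kappa/2) on the failure event of Experiment 4."""
    _check_kappa(kappa)
    return Fraction(1, math.comb(kappa, kappa // 2))


def statistical_security_bits(kappa: int) -> float:
    """Security level in bits: log2 binom(kappa, kappa/2).

    math.log2 accepts arbitrarily large ints, so this does not overflow
    even for kappa in the thousands.
    """
    _check_kappa(kappa)
    return math.log2(math.comb(kappa, kappa // 2))


def log_term(kappa: int) -> float:
    """kappa - log2 binom(kappa, kappa/2): the O(log kappa) loss in the
    paper's 2^{-kappa + O(log kappa)}. By Stirling's approximation it is
    about (1/2) log2(pi * kappa / 2), i.e. roughly 3.5 bits at kappa = 84."""
    return kappa - statistical_security_bits(kappa)


def min_kappa_for(bits: float) -> int:
    """Smallest even kappa with 1 / binom(kappa, kappa/2) <= 2^-bits."""
    kappa = 2
    while statistical_security_bits(kappa) < bits:
        kappa += 2
    return kappa


if __name__ == "__main__":
    for target in (40, 80, 128):
        k = min_kappa_for(target)
        print(f"{target:3d}-bit statistical security: kappa = {k}, "
              f"{k // 2} circuits checked, {statistical_security_bits(k):.2f} bits")
```

Note that the bound is purely combinatorial: it does not depend on the group size or wire-label length, which only enter the computational terms of the proof.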
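Experiment 5 and step 6 of the simulator rest on the verifiability of the secret sharing: $P_2$ reconstructs $s^{z_i}_i$ from the $\kappa/2$ shares revealed by $P_1$'s check circuits plus one further share, and any share inconsistent with the public commitment $\mathsf{pub}^{z_i}_i$ is rejected rather than folded into a wrong reconstruction. The following Python is an added illustration of that step, not the paper's code. It uses Feldman VSS [6] with a $(\kappa/2 + 1)$-out-of-$\kappa$ Shamir polynomial, which is an assumption about the sharing the paper leaves to Section 2, and it runs over a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$, $\kappa = 8$) that is far too small for real use; the function and parameter names are mine.

```python
"""Share verification and reconstruction as in Experiment 5 / simulator step 6.

Added example, not the paper's code. Feldman VSS over a constructed toy group:
p = 2039 and q = 1019 are primes with q | p - 1, and g = 4 generates the
order-q subgroup of Z_p^*. The paper's experiments use |p| = 1024, |q| = 160.
"""
import random

P, Q, G = 2039, 1019, 4  # constructed toy parameters, far too small for real use
if (P - 1) % Q != 0 or pow(G, Q, P) != 1 or G == 1:
    raise ValueError("toy group parameters are inconsistent")


def share(secret: int, kappa: int, rng=None):
    """(kappa/2 + 1)-out-of-kappa Feldman sharing of a secret in Z_q.

    Returns (pub, shares): pub = [g^a_0, ..., g^a_{t-1}] commits to the sharing
    polynomial f, and shares[j] = f(j) is the share carried by circuit j
    (revealed when j is a check circuit, output when it is an evaluation circuit).
    """
    rng = rng or random.SystemRandom()
    t = kappa // 2 + 1
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(t - 1)]
    pub = [pow(G, a, P) for a in coeffs]
    shares = {j: sum(a * pow(j, k, Q) for k, a in enumerate(coeffs)) % Q
              for j in range(1, kappa + 1)}
    return pub, shares


def verify_share(pub, j: int, w: int) -> bool:
    """Feldman check: g^w == prod_k pub[k]^(j^k) (mod p)."""
    rhs = 1
    for k, commitment in enumerate(pub):
        rhs = rhs * pow(commitment, pow(j, k, Q), P) % P
    return pow(G, w, P) == rhs


def reconstruct(shares: dict) -> int:
    """Lagrange interpolation of f(0) in Z_q from a dict {j: f(j)} of t shares."""
    points = list(shares)
    secret = 0
    for j in points:
        num, den = 1, 1
        for m in points:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        secret = (secret + shares[j] * num * pow(den, Q - 2, Q)) % Q
    return secret


def simulator_reconstruct(pub, shares, check_set, alt_check_set):
    """Step 6 of the simulator: the kappa/2 shares from P1's check circuits with
    respect to J' (check_set) plus the share of one circuit j that is an
    evaluation circuit under J' but a check circuit under J'' (alt_check_set).
    Every share is verified against pub first; an invalid share yields None,
    modelling P2 rejecting it instead of reconstructing a wrong secret."""
    extra = next(j for j in alt_check_set if j not in check_set)
    chosen = set(check_set) | {extra}
    if not all(verify_share(pub, j, shares[j]) for j in chosen):
        return None
    return reconstruct({j: shares[j] for j in chosen})


if __name__ == "__main__":
    pub, shares = share(secret=123, kappa=8)
    j_prime, j_double_prime = {1, 2, 3, 4}, {2, 3, 4, 5}
    print("honest P1:", simulator_reconstruct(pub, shares, j_prime, j_double_prime))
    bad = dict(shares)
    bad[5] = (bad[5] + 1) % Q  # constructed: a wrong share embedded in circuit 5
    print("tampered share:", simulator_reconstruct(pub, bad, j_prime, j_double_prime))
```

The point the proof makes is visible in the last two calls: with $\kappa/2$ check shares alone the threshold is not met, one consistent extra share suffices, and a share that fails the Feldman check is caught before it can influence $t^{z_i}_i$.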


More information

Department of Electrical & Electronic Engineeing Imperial College London. E4.20 Digital IC Design. Median Filter Project Specification

Department of Electrical & Electronic Engineeing Imperial College London. E4.20 Digital IC Design. Median Filter Project Specification Desgn Project Specfcaton Medan Flter Department of Electrcal & Electronc Engneeng Imperal College London E4.20 Dgtal IC Desgn Medan Flter Project Specfcaton A medan flter s used to remove nose from a sampled

More information

Difference Equations

Difference Equations Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

Homomorphic Trapdoor Commitments to Group Elements

Homomorphic Trapdoor Commitments to Group Elements Homomorphc Trapdoor Commtments to Group Elements Jens Groth Unversty College London j.groth@ucl.ac.uk Abstract We present homomorphc trapdoor commtments to group elements. In contrast, prevous homomorphc

More information

The Order Relation and Trace Inequalities for. Hermitian Operators

The Order Relation and Trace Inequalities for. Hermitian Operators Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence

More information

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009 College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:

More information

Aggregate Message Authentication Codes

Aggregate Message Authentication Codes Aggregate Message Authentcaton Codes Jonathan Katz Dept. of Computer Scence Unversty of Maryland, USA. jkatz@cs.umd.edu Yehuda Lndell Dept. of Computer Scence Bar-Ilan Unversty, Israel. lndell@cs.bu.ac.l.

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

1 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations

1 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations Physcs 171/271 -Davd Klenfeld - Fall 2005 (revsed Wnter 2011) 1 Dervaton of Rate Equatons from Sngle-Cell Conductance (Hodgkn-Huxley-lke) Equatons We consder a network of many neurons, each of whch obeys

More information

Global Sensitivity. Tuesday 20 th February, 2018

Global Sensitivity. Tuesday 20 th February, 2018 Global Senstvty Tuesday 2 th February, 28 ) Local Senstvty Most senstvty analyses [] are based on local estmates of senstvty, typcally by expandng the response n a Taylor seres about some specfc values

More information

1 The Mistake Bound Model

1 The Mistake Bound Model 5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Short Pairing-based Non-interactive Zero-Knowledge Arguments

Short Pairing-based Non-interactive Zero-Knowledge Arguments Short Parng-based Non-nteractve Zero-Knowledge Arguments Jens Groth Unversty College London j.groth@ucl.ac.uk October 26, 2010 Abstract. We construct non-nteractve zero-knowledge arguments for crcut satsfablty

More information

Secure and practical identity-based encryption

Secure and practical identity-based encryption Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

Computationally Private Randomizing Polynomials and Their Applications

Computationally Private Randomizing Polynomials and Their Applications Computatonally Prvate Randomzng Polynomals and Ther Applcatons Benny Applebaum Yuval Isha Eyal Kushlevtz Computer Scence Department, Technon {abenny,yuval,eyalk}@cs.technon.ac.l March 5, 2006 Abstract

More information

RSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]

RSA /2002/13(08) , ); , )     RSA RSA : RSA RSA [2] , [1,4] 1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

Finding Dense Subgraphs in G(n, 1/2)

Finding Dense Subgraphs in G(n, 1/2) Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions Introducton to Computablty Theory Lecture: egular Expressons Prof Amos Israel Motvaton If one wants to descrbe a regular language, La, she can use the a DFA, Dor an NFA N, such L ( D = La that that Ths

More information

Lecture 4: Universal Hash Functions/Streaming Cont d

Lecture 4: Universal Hash Functions/Streaming Cont d CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected

More information

Decentralized Multi-Client Functional Encryption for Inner Product

Decentralized Multi-Client Functional Encryption for Inner Product Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent

More information

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg prnceton unv. F 17 cos 521: Advanced Algorthm Desgn Lecture 7: LP Dualty Lecturer: Matt Wenberg Scrbe: LP Dualty s an extremely useful tool for analyzng structural propertes of lnear programs. Whle there

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

Joint Statistical Meetings - Biopharmaceutical Section

Joint Statistical Meetings - Biopharmaceutical Section Iteratve Ch-Square Test for Equvalence of Multple Treatment Groups Te-Hua Ng*, U.S. Food and Drug Admnstraton 1401 Rockvlle Pke, #200S, HFM-217, Rockvlle, MD 20852-1448 Key Words: Equvalence Testng; Actve

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Privacy-Free Garbled Circuits with Applications To Efficient Zero-Knowledge

Privacy-Free Garbled Circuits with Applications To Efficient Zero-Knowledge Prvacy-Free Garbled Crcuts wth Applcatons To Effcent Zero-Knowledge (Full Verson) Tore Kasper Frederksen, Jesper Buus Nelsen, and Claudo Orland Department of Computer Scence, Aarhus Unversty Abstract In

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

Secure Two-Party k-means Clustering

Secure Two-Party k-means Clustering Secure Two-Party k-means Clusterng Paul Bunn Rafal Ostrovsky ABSTRACT The k-means Clusterng problem s one of the most-explored problems n data mnng to date. Wth the advent of protocols that have proven

More information

Homework Assignment 3 Due in class, Thursday October 15

Homework Assignment 3 Due in class, Thursday October 15 Homework Assgnment 3 Due n class, Thursday October 15 SDS 383C Statstcal Modelng I 1 Rdge regresson and Lasso 1. Get the Prostrate cancer data from http://statweb.stanford.edu/~tbs/elemstatlearn/ datasets/prostate.data.

More information

Topic 23 - Randomized Complete Block Designs (RCBD)

Topic 23 - Randomized Complete Block Designs (RCBD) Topc 3 ANOVA (III) 3-1 Topc 3 - Randomzed Complete Block Desgns (RCBD) Defn: A Randomzed Complete Block Desgn s a varant of the completely randomzed desgn (CRD) that we recently learned. In ths desgn,

More information

Numerical Heat and Mass Transfer

Numerical Heat and Mass Transfer Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and

More information

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law: CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and

More information

Week 5: Neural Networks

Week 5: Neural Networks Week 5: Neural Networks Instructor: Sergey Levne Neural Networks Summary In the prevous lecture, we saw how we can construct neural networks by extendng logstc regresson. Neural networks consst of multple

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could

More information

The stream cipher MICKEY

The stream cipher MICKEY The stream cpher MICKEY-128 2.0 Steve Babbage Vodafone Group R&D, Newbury, UK steve.babbage@vodafone.com Matthew Dodd Independent consultant matthew@mdodd.net www.mdodd.net 30 th June 2006 Abstract: We

More information

Garbling XOR Gates For Free in the Standard Model

Garbling XOR Gates For Free in the Standard Model Garblng XOR Gates For Free n the Standard Model Benny Applebaum Abstract Yao s garbled crcut (GC) technque s a powerful cryptographc tool whch allows to encrypt a crcut C by another crcut Ĉ n a way that

More information

Proactive Linear Integer Secret Sharing

Proactive Linear Integer Secret Sharing Proactve Lnear Integer Secret Sharng Rune Thorbek BRICS, Dept. of Computer Scence, Unversty of Aarhus Abstract. In [3] Damgard and Thorbek proposed the lnear nteger secret sharng (LISS) scheme. In ths

More information

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity LINEAR REGRESSION ANALYSIS MODULE IX Lecture - 30 Multcollnearty Dr. Shalabh Department of Mathematcs and Statstcs Indan Insttute of Technology Kanpur 2 Remedes for multcollnearty Varous technques have

More information

arxiv:cs.cv/ Jun 2000

arxiv:cs.cv/ Jun 2000 Correlaton over Decomposed Sgnals: A Non-Lnear Approach to Fast and Effectve Sequences Comparson Lucano da Fontoura Costa arxv:cs.cv/0006040 28 Jun 2000 Cybernetc Vson Research Group IFSC Unversty of São

More information