Rate-Limited Secure Function Evaluation: Definitions and Constructions

  • Özgür Dagdelen
  • Payman Mohassel
  • Daniele Venturi
Conference paper

DOI: 10.1007/978-3-642-36362-7_28

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7778)
Cite this paper as:
Dagdelen Ö., Mohassel P., Venturi D. (2013) Rate-Limited Secure Function Evaluation: Definitions and Constructions. In: Kurosawa K., Hanaoka G. (eds) Public-Key Cryptography – PKC 2013. Lecture Notes in Computer Science, vol 7778. Springer, Berlin, Heidelberg


We introduce the notion of rate-limited secure function evaluation (RL-SFE). Loosely speaking, in an RL-SFE protocol participants can monitor and limit the number of distinct inputs (i.e., rate) used by their counterparts in multiple executions of an SFE, in a private and verifiable manner. The need for RL-SFE naturally arises in a variety of scenarios: e.g., it enables service providers to “meter” their customers’ usage without compromising their privacy, or can be used to prevent oracle attacks against SFE constructions.

We consider three variants of RL-SFE providing different levels of security. As a stepping stone, we also formalize the notion of commit-first SFE (cf-SFE) wherein parties are committed to their inputs before each SFE execution. We provide compilers for transforming any cf-SFE protocol into each of the three RL-SFE variants. Our compilers are accompanied with simulation-based proofs of security in the standard model and show a clear tradeoff between the level of security offered and the overhead required. Moreover, motivated by the fact that in many client-server applications clients do not keep state, we also describe a general approach for transforming the resulting RL-SFE protocols into stateless ones.

As a case study, we take a closer look at the oblivious polynomial evaluation (OPE) protocol of Hazay and Lindell, show that it is commitfirst and instantiate efficient rate-limited variants of it.


secure function evaluation foundations secure metering oracle attacks oblivious polynomial evaluation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Özgür Dagdelen
    • 1
  • Payman Mohassel
    • 2
  • Daniele Venturi
    • 3
  1. 1.Technische Universität DarmstadtGermany
  2. 2.University of CalgaryCanada
  3. 3.Aarhus UniversityDenmark

Personalised recommendations