Garbling Scheme for Formulas with Constant Size of Garbled Gates
 4 Citations
 1.4k Downloads
Abstract
We provide a garbling scheme which creates garbled circuits of a very small constant size (four bits per gate) for circuits with fanout one (formulas). For arbitrary fanout, we additionally need only two ciphertexts per additional connection of each gate output wire. We make use of a trapdoor permutation for which we define a generalized notion of correlation robustness. We show that our notion is implied by PRIVsecurity, a notion for deterministic (searchable) encryption. We prove our scheme secure in the programmable random oracle model.
Keywords
Garbled circuits Constant size of garbled gates Correlation robustness PRIVsecurity1 Introduction
Yao’s garbled circuit technique [33] is one of the most important techniques on secure computation. Very roughly speaking, this technique allows a party (the garbler) to create an encrypted form of a circuit—a “garbled” circuit—and an encoding of input with which the other party (the evaluator) can evaluate the circuit on the input but cannot compute anything other than the output. Compared with other techniques on secure computation (e.g., the technique by Goldreich et al. [12]), the garbled circuit technique has a big advantage on efficiency since we can construct constantround protocols by using it.
Traditionally, the garbled circuit technique was considered to be a theoretical feasibility result; however, recently many works have demonstrated that the garbled circuit technique can also be used to construct twoparty computation protocols with practical efficiency. The first implementation of the garbled circuit technique was shown by Malkhi et al. [28]. Since then, significant efforts have been devoted toward making the technique more practical.
A major line of research on the garbled circuit technique is the reduction of the size of garbled circuits. Since the main efficiency bottleneck of garbledcircuitbased twoparty computation protocols is usually network bandwidth, reducing the size of garbled circuits typically leads to a big improvement of efficiency in practice.^{1}
Reduction of Garbled Circuit Size. Originally, the garbled circuit technique uses four ciphertexts for each gate to create “garbled truth tables”, and thus, the size of a garbled circuit is \(O(k)\) bits per gate (where \(k\) is the security parameter). In [22], Kolesnikov and Schneider proposed a technique, called freeXOR technique, with which we can construct a garbled circuit that contains no ciphertexts for XOR gates. In [29], Naor et al. proposed a technique that reduces the number of ciphertexts from four to three for each gate. In [30], Pinkas et al. proposed a technique that reduces the number of ciphertexts to two for each gate. Recently, Kolesnikov et al. [21] introduced the fleXOR technique, which requires zero, one, or two ciphertexts to garble an XOR gate—thus, garbling XOR gates is not “free” in general—but is compatible with the garbled rowreduction technique of [30]. Very recently, Zahur et al. [34] introduced a technique that is compatible with the freeXOR technique and can garble each AND gate by using only two ciphertexts; thus, this technique requires two ciphertexts for each AND gate and no ciphertexts for each XOR gate. We remark that although all of these techniques do not achieve an asymptotic reduction of the size of garbled circuits—it remains to be \(O(k)\) bits per gates—they offer a significant reduction of communication cost in practice.
A different approach for reducing the size of garbled circuits is the technique of Kolesnikov [19], which is an informationtheoretic variant of Yao’s garbled circuit technique. In this technique, a circuit is garbled by using secret sharing (instead of encryption), and a garbled circuit is evaluated by recovering a share assigned to the output wire of each gate from shares assigned to the input wires of that gate. The size of the garbled circuit is zero (since there is no garbled truth table) and the size of the encoded input grows with the depth of the circuit; specifically, the size of the shares is quadratic in the depth of the gate for formulas, and exponential for circuits. For shallow circuits, the technique of Kolesnikov [19] is more efficient than other techniques.
Our Contribution. In this paper, we propose a garbling technique for formulas (i.e., circuits with fanout 1) such that the size of the garbled circuit is four bits per gate. Unlike the optimization techniques of [21, 22, 29, 34], our technique achieves asymptotic reduction of the size of the garbled circuits. Also, unlike the informationtheoretic garbled circuit technique of [19], our technique encodes input in such a way that the size of the encoded input is independent of the depth of the circuit. (For detailed comparisons, see Sect. 3.3.)
In our technique, ciphertexts include trapdoor permutations (instead of hash functions as in most of the previous techniques). To prove the security, we extend the definition of correlation robustness (which is originally defined for hash functions [11]) to the case of trapdoor permutations, and assume that the underlying trapdoor permutation is correlation robust. We also show that our notion of correlation robustness is implied by PRIVsecurity as defined in [7].
One caveat of our backwards garbling technique is that the input keys for each gate are uniquely determined given the output keys and the ciphertexts assigned to this gate. Thus, we have no freedom in choosing any keys but the circuit output keys. Therefore, our garbling scheme only allows fanout one, i. e., formulas. Moreover, to communicate wire choice bits, we cannot use the usual technique of defining the least significant bit of the keys as choice bit, since we have no freedom in choosing the input keys or their LSBs. Therefore, we use a hash function \(H'\) with one bit output, and publish \(H'(K_a,K_b)\oplus l_i\) for input keys \(K_a,K_b\) and corresponding choice bit \(l_i\) of the output key, giving a garbled circuit with \(l\) gates an overall size of \(4l\) bits, plus the number of bits needed to communicate the key of a keyed hash function and the index of a trapdoor oneway permutation.
Somewhat surprisingly, we can use the freeXOR technique to garble XOR gates at no additional cost, by using a “local” difference per XORsubtree rather than a global difference. In the case of formulas, this will only safe us the 4 bit per gate for the choice bits. However in the case of general circuits, the freedom an XORgate gives us in choosing input keys can safe us additional ciphertexts needed for dealing with arbitrary fanout in some cases.
Since our basic construction only allows fanout one, a problem occurs when we garble circuits which use the same input variable multiple times, such as \((a\wedge b) \vee (a \wedge c)\). In such cases, we can duplicate the input wire for this variable, and assign a different input key pair to each occurrence of the variable. In the semihonest setting, this does not affect security. In the malicious case, additional care needs to be taken to ensure that the garbler provides the same input for each occurrence of a variable. We discuss this in Sect. 5.3.
Related Works. The garbled circuit technique was introduced in the seminal paper of Yao [33]. A formal analysis of the garbled circuit technique (or, more precisely, the twoparty computation protocol based on it) was presented by Lindell and Pinkas [25]. Bellare et al. [8] introduced an abstraction of the garbled circuit technique, which they call garbling schemes.
There are a lot of works that studied the size of garbled circuits. Other than the works we mentioned above [21, 22, 29, 30, 34], Choi et al. [11] and Applebaum [2] studied what assumptions are needed by the freeXOR technique. Choi et al. showed that a circular security assumption on the underlying hash function is sufficient. Applebaum showed that the LPN assumption is sufficient. Also, Boneh et al. [9] showed that an asymptotic reduction of garbled circuit size is possible under the learningwitherrors (LWE) assumption.
Other than the technique of [19], there are several informationtheoretic variants of the garbled circuit technique, e.g., [17, 18, 20, 32].
The correlation security of trapdoor permutations has also been studied by previous work in other contexts. For example, Rosen and Segev [31] introduced correlated product security of trapdoor permutations and used it to construct a CCAsecure encryption scheme. Also, Hemenway et al. [13] studied the relation between the decisional variant of correlated product security and the security of deterministic encryption schemes. We remark however that these notions of correlation security are different from the one we consider in this work. Roughly speaking, in correlated product security [31], correlated inputs are applied to k functions \(f_1, \ldots , f_k\) that are independently chosen from a family of functions, whereas in our notion of correlation robustness, correlated inputs are applied to a single function f.
The size of inputs of garbled circuits has been studied in the context of randomized encoding [3, 4, 16]. Applebaum et al. [5] proposed a garbling scheme with constant online rate, i.e., they improve the online communication complexity for input keys from nk to \(n+k\), where n is the number of inputs and k is security parameter. In contrast, our proposed scheme improves, only for formulas, communication complexity for garbled circuits from lk to \(l+k\) and has communication complexity nk for input keys, where l is the number of gates, n is the number of inputs, and k a security parameter. We can combine the scheme of [5] and our proposed scheme to realize a randomized encoding for formulas with online communication complexity \(n+k\) for input keys and communication complexity \(l+k\) for garbled circuit.
Outline of This Work. The rest of this paper is organized as follows. We explain preliminaries and notation in Sect. 2, where we also recap the formal definition of garbling schemes, and introduce our notion of correlation robustness. We describe our basic garbling scheme for formulas in the semihonest setting in Sect. 3, and prove its security in Sect. 4. In Sect. 5, we discuss possible extensions like arbitrary fanout, incorporation of the freeXOR technique as well as extending our construction to the case of active adversaries. We discuss the instantiation of our correlation robust trapdoor oneway permutation with a PRIVsecure deterministic encryption scheme in Sect. 6.
2 Preliminaries
2.1 Notation
We use the following notations. By \(x \mathop {\leftarrow }\limits ^{\;U}X\), we denote that x is randomly selected from set X according to the uniform distribution. By \(x \leftarrow \mathsf{Algo}\), we denote that probabilistic algorithm \(\mathsf{Algo}\) outputs x. By \(A := B\), we denote that A is defined by B. By \([S]_x\), we denote the xth bit of bitstring S.
2.2 Garbling Scheme
In this section, we recall the definition of a garbling scheme and the notion of simulationbased privacy of Bellare et al. [8].
A circuit is described as \(f=(n,m,l,A,B,G)\). Here, \(n \ge 2\) is the number of circuit input wires, \(m \ge 1\) is the number of circuit output wires, and \(l\ge 1\) is the number of gates (and their output wires). Let \(W=\{1,...,n+l\}\) be the set of all wires, \(W_{input}=\{1,...,n\}\) the set of circuit input wires, \(W_{output}=\{n+lm+1,...,n+l\}\) the set of circuit output wires, and \(W_{gate}=\{n+1,...,n+l\}\) the set of gates (and their output wires). \(A : W_{gate} \rightarrow W \setminus W_{output}\) is a function to specify the first input wire A(i) of each gate i. \(B : W_{gate} \rightarrow W \setminus W_{output}\) is a function to specify the second input wire B(i) of each gate i. We require \(A(i) < B(i) < i\) for all \(i \in W_{gate}\). \(G : W_{gate} \times \{0,1\}^2 \rightarrow \{0,1\}\) is a function to specify the gate function \(G(i,\cdot ,\cdot )\) of each gate i. We will later in our garbling scheme assign to each wire i two keys \(K_{i,0}\) and \(K_{i,1}\), representing the truth values 0 and 1 on this wire. To each wire i, we assign a permute bit \(\lambda _i\), and to each key \(K_{i,a}\) representing truth value \(a\in \{0,1\}\), we assign a choice bit \(l_i^a = \lambda _i \oplus a\).
We define the notion of garbling schemes as follows.
Definition 1
(Garbling Scheme). A garbling scheme for a family of circuits \(\mathcal{F}=\{\mathcal{F}_n \}_{n \in \mathbb {N}}\), where n is a polynomial in a security parameter \(k\), consists of probabilistic polynomialtime algorithms \(\mathsf{GC}=(\mathsf{Garble},\mathsf{Encode},\mathsf{Eval},\mathsf{Decode})\) defined as follows.

\(\mathsf{Garble}\) takes as input security parameter \(1^k\) and circuit \(f \in \mathcal{F}_n\), and outputs garbled circuit F, encoding information e, and decoding information d, i.e., \((F,e,d) \leftarrow \mathsf{Garble}(1^{k},f)\).

\(\mathsf{Encode}\) takes as input encoding information e and circuit input \(x \in \{0,1\}^n\), and outputs garbled input X, i.e., \(X \leftarrow \mathsf{Encode}(e,x)\).

\(\mathsf{Eval}\) takes as input garbled circuit F and garbled input X, and outputs garbled output Y, i.e., \(Y \leftarrow \mathsf{Eval}(F,X)\)

\(\mathsf{Decode}\) takes as input decoding information d and garbled output Y, and outputs circuit output y, i.e., \(y \leftarrow \mathsf{Decode}(d,Y)\).
A garbling scheme should have the following correctness property: for all security parameters \(k\), circuits \(f \in \mathcal{F}_n\), and input values \(x \in \{0,1\}^n\), \((F,e,d) \leftarrow \mathsf{Garble}(1^{k},f)\), \(X \leftarrow \mathsf{Encode}(e,x)\), \(Y \leftarrow \mathsf{Eval}(F,X)\), \(y \leftarrow \mathsf{Decode}(d,Y)\), it holds that \(y=f(x)\).
We then define the security notion of garbling schemes called simulationbased privacy as follows. We adapt the notion of Bellare et al. [8] slightly to allow the adversary access to a random oracle H. We denote by \(\Phi (f)\) the information about circuit f that is allowed to be leaked by the garbling scheme, e.g., size \(\Phi _{size}(f)=(n,m,l)\), topology \(\Phi _{topo}(f)=(n,m,l,A,B)\), or the entire information \(\Phi _{circ}(f)=(n,m,l,A,B,G)\) of circuit \(f=(n,m,l,A,B,G)\).
Definition 2
2.3 Generalized Correlation Robustness
We define a generalized notion of correlation robustness for trapdoor oneway permutations, in which we extend correlation robustness as defined by Choi et al. [11]. Choi et al. considered ciphertexts of the form \(H(K\oplus a\varDelta L\oplus b\varDelta i)\oplus m\), where i is a gateID, H is a hash function, K and L are input keys, \(a,b\in \{0,1\}\) and \(\varDelta \) is a global difference as needed for the freeXOR technique, meaning \(K_{i,1} = K_{i,0}\oplus \varDelta \) for each wire i. Given four such ciphertexts and two input keys \(K_{A,\alpha }=K \oplus \alpha \varDelta \) and \(K_{B,\beta } = L \oplus \beta \varDelta \) for \(\alpha ,\beta \in \{0,1\}\), the evaluator should only be able to decrypt one of them. Our ciphertexts have a similar form. However, we need to extend the definition of Choi et al. in two aspects. We do not have a global difference \(\varDelta \). Instead, our definition considers general correlations defined by arbitrary functions of input keys, rather than correlations given by a global difference. Since we garble gates backwards, the garbler needs to be able to invert H. Therefore, instead of a hash function, we use a trapdoor oneway permutation \(E_{\iota }\). Thus, our notion of correlation robustness allows for a trapdoor \(\iota \).
Before we define correlation robustness, we recall the syntax of trapdoor oneway permutations.
Definition 3

\(\mathsf {Gen}_{E}(1^{k})\) is a probabilistic algorithm that outputs a pair \((\iota , t_{\iota })\) of index \(\iota \in I\) and trapdoor \(t_{\iota }\).

\(\mathsf {Samp}_E(1^{k}, \iota )\) is a probabilistic algorithm that outputs a uniformly random element \(x \in D_{\iota }\).

\(\mathsf {Eval}_E(1^{k}, \iota , x)\) is a deterministic algorithm that outputs \(y = E_{\iota }(x)\) (assuming that \(\iota \) is output by \(\mathsf {Gen}_{E}\) and it holds that \(x \in D_{\iota }\)).

\(\mathsf {Inv}_E(\iota , t_{\iota }, y)\) is a deterministic algorithm that outputs an element \(x \in D_{\iota }\) such that \(y = E_{\iota }(x)\) (assuming that \((\iota , t_{\iota })\) is output by \(\mathsf {Gen}_{E}\) and it holds that \(y \in D_{\iota }\)).
In abuse of notation, we write \(x \mathop {\leftarrow }\limits ^{\;U}D_{\iota }\) to denote \(x \leftarrow \mathsf {Samp}_E(1^{k}, \iota )\), \(y = E_{\iota }(x)\) to denote \(y = \mathsf {Eval}_E(1^{k}, \iota , x)\), and \(x = E_{\iota }^{1}(t_{\iota }, y)\) to denote \(x = \mathsf {Inv}_E(\iota , t_{\iota }, y)\).
We define generalized correlation robustness of trapdoor oneway permutations as follows.
Definition 4
3 Garbling Scheme for Formulas
We describe our basic garbling scheme for circuits with fanout one. An extension to general circuits is given in Sect. 5.1. Our garbling scheme is designed for the semihonest case, but can be extended to the malicious case using standard techniques. A brief discussion about this can be found in Sect. 5.3. As mentioned in the introduction, we can use each input wire only once. Multiple occurrences of a variable are handled by duplicating the corresponding input wire and assigning a new key pair for each occurrence of the variable, i. e. we treat multiple occurrences of the same input variable as different variables. This only affects security in the malicious case (see Sect. 5.3).
3.1 Garbling
During the garbling process, we assign a permute bit \(\lambda _i\) to each wire i, a key \(K_{i,0}\) with choice bit \(l_{i,0} = \lambda _i\), and a key \(K_{i,1}\) with choice bit \(l_{i,1} = 1\lambda _i\). \(K_{i,0}\) corresponds to truth value 0, and \(K_{i,1}\) to truth value 1 on this wire. To garble a circuit, the garbler first chooses a key R for the hash function H uniformly at random, and includes it in the garbled circuit. Then, he chooses a pair of output keys \(K_{l+ n,0}\) and \(K_{l+ n,1}\) for the circuit output wire \(l+ n\) uniformly at random. He assigns to the circuit output wire the permute bit \(\lambda _{l+ n}:=0\), and sets the output key choice bits \(l_{l+ n,0} := 0\) and \(l_{l+ n,1}:= 1\). Then, starting from gate \(l+ n\), the garbler iteratively computes the remaining keys by computing the input keys of each gate i depending on its output key pair. Since for the input wires A(i) and B(i) of gate i we have \(A(i)<B(i)<i\) for all i, we can simply iterate over i backwards and be sure that output keys are defined before their corresponding input keys. Before the input keys of a gate i are computed, a uniformly random permute bit \(\lambda _{A(i)}\) and, respectively, \(\lambda _{B(i)}\) is chosen for its two input wires, which defines the input key choice bits \(l_{A(i)}^0 = \lambda _{A(i)}\) and \(l_{A(i)}^1 = 1\lambda _{A(i)}\) for wire A(i), and analog for B(i). To compute the input keys for each gate, the garbler computes four ciphertexts \(c_0,c_1,c_2,c_3\) by computing \(c_x:= H(R,ix)\) for \(x=0,1,2,3\). The choice bits of the (yet undefined) input keys map each possible input combination \((a,b)\in \{0,1\}^2\) to a ciphertext \(c_{2l_{A(i)}^a + l_{B(i)}^b}\). This way, the evaluator can infer which ciphertext to use when processing gate i, without knowing the actual truth values on the input wires.
3.2 Evaluation
Evaluation (see Fig. 3) is then straightforward: after obtaining the garbled circuit F and the input keys \(K_1,\ldots ,K_{n}\), the evaluator processes the circuit forward. For each gate i, he computes the ciphertext \(c_{2l_A+l_B}:= H(R,i2l_A+l_B)\). Then he computes \(K_i:= E_\iota (K_A + 2K_B) \oplus c_{2l_A+l_B}\), if \(2l_A+l_B = 0\), and \(K_i:= E_\iota (K_A + K_B) \oplus c_{2l_A+l_B}\), otherwise.
3.3 Efficiency Comparison with Previous Schemes
Comparison with the HalfGates Construction. We compare our garbling scheme with the best known result (the halfgate construction) proposed by Zahur et al. [34] on efficiency. It is difficult to compare them directly, since ours uses a publickey primitive, while the halfgate construction uses a symmetrickey one. Therefore, we evaluate the cost in an abstract way and later discuss the concrete efficiency in the circuit size.
Comparison with the halfgates scheme [34].
Communication cost  Computation cost  

Circuit  Input  Garbling  Evaluation  
Ours  \(4l+ \left{R}\right + L_{\text {I}}\)  \(n \cdot L_{\text {E}}\)  \(4 T_{\text {Inv}} \cdot l\)  \(T_{\text {Eval}} \cdot l\) 
[34]  \(L_{\text {H}} \cdot l_{\text {AND}}\)  \(n \cdot L_{\text {H}}\)  \(2 T_{\text {H}} \cdot l_{\text {AND}}\)  \(T_{\text {H}} \cdot l_{\text {AND}}\) 
Regarding communication cost, the size of the garbled circuit is a constant multiple of \(l\) in our garbling scheme. Therefore, communication cost is asymptotically small when a formula is large. Regarding computation cost, our garbling scheme requires executions of \(\mathsf {Eval}_{E}\) and \(\mathsf {Inv}_{E}\), which are computationally expensive compared to the computation of a hash function.
We additionally evaluate the circuit size for concrete example parameters. We assume that the trapdoor oneway permutation is instantiated by an RSAbased primitive such as RSADOAEP [6], the correlation robust hash function is instantiated by fixedkey AES, and \(l_{\text {AND}} = 0.14l\), since this is the case of the most significant difference among the examples in [34]. AES is regarded with 128bit security, so we set \(L_{\text {E}} = 4096\), \(L_{\text {I}} = 8192\), \(\left{R}\right = 128\) and \(L_{\text {H}} = 128\). In this case, the circuit size in our garbling scheme is smaller than the one of the halfgates scheme if \(l\ge 709\).
Regarding total communication cost, however, our scheme cannot beat the halfgate construction in its current state. We consider our scheme a proof of concept of a new way of circuit construction. Finding more efficient instantiations for the trapdoor permutation or getting rid of the public key primitive altogether are interesting open problems.
Comparison with InformationTheoretic Garbing Scheme of [19]. We compare the efficiency of our scheme with that of the informationtheoretic garbling scheme of [19], which garbles formulas more efficiently than other techniques. For simplicity, we consider the case of garbling a “balanced” formula such that all the gates connecting to the input wires have the same depth.
Regarding the computation cost, we note that since the scheme of [19] requires no cryptographic primitive whereas ours uses a publickey primitive, the computation cost of our scheme is likely to be much bigger than that of the scheme of [19].
4 Security of the Proposed Scheme
The proposed garbling scheme is simulationbased private in the (programmable) random oracle model if the trapdoor permutation E is correlation robust.
Theorem 1
Proof

Game \({\varvec{{H_{real}:}}}\) This game is identical to the real experiment of Definition 2. The garbled circuit (F, e, d) is generated by the garbling algorithm \(\mathsf{Garble}(1^{k},f)\) of the real garbling scheme, as given in Fig. 1, and garbled input X is generated by the encoding algorithm \(\mathsf{Encode}(e,x)\) (Fig. 2) of the real scheme.

Game \({\varvec{{H_{0}:}}}\) In this game, the garbled circuit is generated forward, from input gates to output gate, which is in contrast to the real scheme. The garbled circuit is generated by algorithm \(\mathsf{Sim_0}(1^{k},f)\) as described in Fig. 4, and garbled input X is generated by encoding algorithm \(\mathsf{Encode}(e,x)\) (Fig. 2) of the real scheme. We note that in step 2(c), we need to program the random oracle H to keep consistency.

Game \({\varvec{{H_{s}:}}}\) With the Games \(H_{s}\), we move from Game \(H_{0}\) to the full simulation with a gatewise replacement. We incrementally replace variables not touched in an evaluation with input x with random values gate by gate, such that finally, in the full simulation, the “unused” variables of each gate are replaced by randomness. For \(s=1,...,l\), in each Game \(H_{s}\), the garbled circuit is generated by algorithm \(\mathsf{Sim_s}(1^{k},x,f)\), given in Fig. 5, and garbled input X is generated by the encoding algorithm \(\mathsf{Encode}(e,x)\) (Fig. 2) of the real scheme. We say that key \(K_{i,\beta }\) is active if and only if the bit obtained on wire i is \(\beta \) when circuit f is evaluated with input x. Only in these intermediate games \(H_{s}\), we give the simulator knowledge of input x and circuit f, so he can label each key \(K_{i,\beta }\) as active or inactive. We say that value \(E_{\iota }(K_{A,a}+K_{B,b})\) is active if and only if both \(K_{A,a}\) and \(K_{B,b}\) are active. We replace inactive values with random values in step 2(c) of algorithm \(\mathsf{Sim_s}(1^{k},x,f)\) for gates \(i=n+1,...,n+s\); gates \(i=n+s+1,...,n+l\) are generated as in game \(H_{0}\). We also replace the inactive output key by the active output key in this step.

Game \({\varvec{{H_{sim}:}}}\) This game is identical to the simulated experiment in Definition 2. The garbled circuit and garbled input (F, X, d) are generated by algorithm \(\mathsf{Sim}(1^{k},\) \(f(x),\Phi _{topo}(f))\), given in Fig. 6, without knowledge of x.
The advantage of adversary \(\mathcal{A}\) in distinguishing \(H_{s}\) and \(H_{s+1}\) for \(s=0,...,l1\) is bound by the advantage \(Adv^\mathrm{corr}_{E, f_0, f_1, f_2, f_3, \mathcal{B}}(k)\) of the following adversary \(\mathcal{B}\) of the correlation robustness game as follows. Let A and B denote the input wires of gate \(n+s+1\). For simplicity, we assume that \(K_{A,0}\) and \(K_{B,1}\) are the active input keys of gate \(n+s+1\); the three other cases are analogous. Remember that gates are labeled after their output wires; since the first n wires are circuit input wires, in Game \(H_{s+1}\), Gate \(n+s+1\) is the next to be replaced by a “simulated” gate. At the beginning of the correlation robustness game, the adversary \(\mathcal{B}\) selects \(K_{A,0}\) and \(K_{B,1}\) uniformly at random, and outputs \(K:=K_{A,0}\) and \(L:=K_{B,1}\) as the target keys of the correlation robustness experiment. Then, \(\mathcal{B}\) receives index \(\iota \) of E and challenge \(Z_1,Z_2,Z_3\) of the correlation robustness experiment.
To provide adversary \(\mathcal{A}\) with a “challenge circuit”, adversary \(\mathcal{B}\) simulates gates \(n+1\) to \(n+s\) as in Step 2 of algorithm \(\mathsf{Sim_s}(1^{k},x,f)\), while setting the active keys of wire A and B to \(K_{A,0}\) and \(K_{B,1}\), respectively. Since they were chosen uniformly at random, this does not contradict the construction in Game \(H_s\) or \(H_{s+1}\).
 1.
Compute active value \(Y_{2l_A^0 + l_B^1} := E_\iota (f_{2l_A^0 + l_B^1}(K,L))\), and set the inactive values to the random values from the challenge as follows: \(Y_{2l_A^0 + (1l_B^1)} := Z_1\), \(Y_{2(1l_A^0) + l_B^1} := Z_2\) and \(Y_{2(1l_A^0) + (1l_B^1)} := Z_3\).
 2.
Choose \(K_{n+s+1,0}\) and \(K_{n+s+1,1}\) uniformly at random. Program random oracle such that \(c_{2l_A^a + l_B^b} := K_{n+s+1,G(a,b)} \oplus Y_{2l_A^a + l_B^b}\) for all \((a,b) \in \{0,1\}^2\).
All remaining gates (Gate \(n+s+2\) to Gate \(n+l\)), if there are any, are created as in algorithm \(\mathsf{Sim_s}(1^{k},x,f)\). Adversary \(\mathcal{B}\) gives the created garbled circuit to \(\mathcal{A}\), and outputs whatever \(\mathcal{A}\) outputs.
If \(Z_1\), \(Z_2\) and \(Z_3\) are correctly formed, i.e., \(Z_1=E_\iota (f_{2l_A^0 + (1l_B^1)}(K_{A,0},K_{B,1}))\), \(Z_2=E_\iota (f_{2(1l_A^0) + l_B^1}(K_{A,1}, K_{B,0}))\), and \(Z_3=E_\iota (f_{2(1l_A^0) + (1l_B^1)}(K_{A,1}, K_{B,1}))\), the simulated garbled circuit is generated as in \(H_{s}\). If \(Z_1\), \(Z_2\) and \(Z_3\) are uniformly random, \(c_{2l_A^0 + l_B^1}\) is \(K_{n+s+1,G(a,b)} \oplus E_\iota (f_{2l_A^0 + l_B^1}(K,L))\), and \(c_{2l_A^0 + (1l_B^1)}\), \(c_{2(1l_A^0) + l_B^1}\) and \(c_{2(1l_A^0) + (1l_B^1)}\) are uniformly random; thus, they are distributed identically to those in \(H_{s+1}\). Thus, Adversary \(\mathcal{B}\) is successful in the correlation robustness game whenever Adversary \(\mathcal{A}\) is successful in distinguishing \(H_{s}\) and \(H_{s+1}\). Therefore, the advantage of adversary \(\mathcal A\) in distinguishing \(H_{s}\) and \(H_{s+1}\) is bound by advantage \(Adv^\mathrm{corr}_{E, f_0, f_1, f_2, f_3, \mathcal{B}}(k)\) of the correlation robustness experiment.
The distributions of the simulated garbled circuits in \(H_{l}\) and \(H_{sim}\) are indistinguishable as follows. In \(H_{sim}\), the simulator “loses knowledge” of input x, i.e., he does not know which values are active, and therefore, which inputs should result in the active key. He does not need this knowledge anymore, since the inactive output keys have been replaced by the active ones in the previous games. The bits \(b_x\) for \(x=0,1,2,3\) in \(H_{sim}\) are chosen uniformly at random. Since \(H'\) is a random oracle, this is indistinguishable from setting \(b_{2l_A^a + l_B^b}:=H'(K_{A,a}K_{B,b}) \oplus l_i^{G_i(a,b)}\).
Thus, by summing up the differences between the games, we have \(Adv^\mathrm{prv.sim}_{\mathsf{GC},\mathsf{Sim},\Phi ,\mathcal{A}}(k)\) \(\le l \cdot Adv^\mathrm{corr}_{E, f_0, f_1, f_2, f_3, \mathcal{A}}(k) + q_H\cdot 2^{k}\). \(\square \)
5 Extensions
In this section, we generalize our garbling scheme to allow circuits with arbitrary fanout. Then we show how to combine our garbling scheme with the freeXOR technique to further reduce communication cost. We also discuss the malicious case.
5.1 Arbitrary FanOut
In the case that a gate has two conflicting input wires, this gate might need four ciphertexts, making our scheme seemingly inefficient. However, depending on the number of circuit input and circuit output wires, we still have an average of considerably less than four ciphertexts per gate. Consider a circuit with k gates. According to the model we use, each gate has two input wires and one output wire. So altogether we have 2k input wires, of which n are circuit input wires (i.e., cannot origin from other gates), and k output wires, of which m are circuit output wires (i.e., those m wires cannot induce a conflict). So we have \(km\) wires which need to “go somewhere”, and \(2kn\) places where they can go. Since the two ciphertexts are only needed for each additional connection of an output wire, each wire can connect to one input slot “for free”. So in the worst case, we end up with \((2kn)  (km) = k+mn\) conflicts, meaning \(2(kn+m)\) ciphertexts. In the case of \(m\le n\), we have at most two ciphertexts per gate in the worst case. If \(m>n\), we might have more than two ciphertexts per gate in the case of an unfortunate layout, but still less than four since \(m<k\). So in the case of arbitrary fanout, whether or not our scheme provides an efficiency gain compared to other optimizations like the halfgate or fleXOR constructions, strongly depends on the circuit layout. As we can see in the following section, our basic scheme is compatible to the freeXOR technique. This compatibility translates to the case of arbitrary fanout with similar conflict issues arising from conflicting wire offsets as well as conflicting keys. However, in some cases where XOR gates are involved in a conflict, only one ciphertext is needed to solve it. This is elaborated in more detail in Sect. 5.2.
5.2 Incorporating FreeXOR
Going back to the world of formulas, our garbling scheme is compatible with a slightly adapted version of the freeXOR technique introduced in [22]. The freeXOR technique allows us to garble XOR gates “for free”, by choosing each key pair with a constant offset \(\varDelta \), such that output keys can be obtained by XORing corresponding input keys. To be compatible with our garbling scheme, XOR gates, too, have to be garbled backwards, but induce no communication cost.
For each gate i, let \(K_{i,0}\) and \(K_{i,1}\) be the already given output keys for gate i. (If i is a circuit output wire, choose the two keys at random.) If i is a nonXOR gate, the garbler does exactly what he does in our basic scheme. If i is an XOR gate, the garbler sets \(\varDelta := K_{i,0}\oplus K_{i,1}\). Then for the input wires A(i) and B(i), the garbler chooses random keys \(K_{A(i),0}\) and \(K_{B(i),0}\) such that \(K_{A(i),0}\oplus K_{B(i),0} = K_{i,0}\) and sets \(K_{A(i),1} := K_{A(i),0} \oplus \varDelta \) and \(K_{B(i),1} := K_{B(i),0} \oplus \varDelta \). The permute bits \(\lambda _{A(i)}\) and \(\lambda _{B(i)}\) of the input wires are set such that \(\lambda _{A(i)}\oplus \lambda _{B(i)} = \lambda _i\). This way, the evaluator can obtain the choice bit of the output key by applying the XOR function to the choice bits of the input keys. Using this technique, our XOR gates are free: they induce no communication cost. This works as long as the circuit is cyclefree, which is required by the property \(A(i)<B(i)<i\) for each gate.
When incorporating freeXOR, we need our trapdoor permutation \(E_{\iota }\) to additionally achieve a circular security property similar to the one introduced by Choi et al. [11]. Our incorporation of freeXOR seems similar to the combination of the fleXOR technique with tworowreduction in [21]. However, we have different dependencies: In the fleXOR technique, the offset \(\varDelta \) is determined by the input keys of a gate, such that if there is a subtree in the circuit consisting only of XOR gates, there might be different offsets \(\varDelta _i\) within this subtree. In our scheme, \(\varDelta \) is determined by the output key, so there is only one \(\varDelta \) within each subtree. Since input keys depend on output keys, we can define the input keys of an XOR subtree to have the same offset \(\varDelta \).

Case 1: The keys of the input wires of both gates i and j cannot be chosen freely:
This occurs for example when one of the gates has more than one conflicting input wire, or when both i and j are nonXOR gates. In this case, we solve the conflict exactly as described in Sect. 5.1, by encrypting the keys determined by garbling gate j with those determined for gate i. Solving this conflict induces a communication cost of two ciphertexts, as before.

Case 2: i and j are both XOR gates with no additional conflict:
The problem here is that for the input wires of i and j we might have to use different values \(\varDelta _i\) and \(\varDelta _j\). In this case, let \(\lambda _B\) be the permute bit of wire B(i) (i.e., \(K_{B(i),\lambda _B}\) is the key with choice bit zero) and choose \(K_{B(i),\lambda _B} = K_{A(j),\lambda _B}\) at random (the other input wires of i and j then have to be chosen accordingly such that the correct output key is obtained). Then set \(K_{B(i),1\lambda _B} := K_{B(i),\lambda _B} \oplus \varDelta _i\) and \(K_{A(j),1\lambda _B} := K_{A(j),\lambda _B} \oplus \varDelta _j\), and include the ciphertext \(Enc_{K_{B(i),1\lambda _B}}(K_{A(j),1\lambda _B})\) in the garbled circuit. No additional ciphertext is needed, so this conflict can be solved with only one ciphertext.

Case 3: i is an nonXOR gate or an XOR gate with additional conflicts, and j is an XOR gate with no additional conflict:
This can be solved similar to Case 2: let \(\lambda _B\) be the permute bit of wire B(i). Set \(K_{A(j),\lambda _B} := K_{B(i),\lambda _B}\). Set \(K_{A(j),1\lambda _B} := K_{A(j),\lambda _B} \oplus \varDelta _j\) and include the ciphertext \(Enc_{K_{B(i),1\lambda _B}}(K_{A(j),1\lambda _B})\) in the garbled circuit. Like Case 2, this conflict can be solved with only one ciphertext.
As we can see, if an XOR gate is involved in the conflict, and this is the only conflict of this XOR gate, we need to include only one ciphertext for the conflicting wire.
5.3 Security Against Malicious Adversaries
Our scheme extents to the malicious case by using the cutandchoosebased techniques described by Lindell and Pinkas [24].
One additional issue we need to address is that our scheme requires us to duplicate input wires if the same input variable is used multiple times. In the malicious case, we need to prove that consistent input keys are sent for each wire representing the same variable.
The case of a malicious evaluator is simply handled by sending all input keys for one variable in a single OT. The case of a malicious garbler can be solved by adapting the consistency check of the garbler’s input used by Lindell and Pinkas (see Fig. 2 in [24]) in a straightforward manner, by grouping the input wires representing the same variable.
6 Instantiation with PRIVsecure Deterministic Encryption
In this section, we show that we can instantiate our trapdoor oneway permutation \(E_{\iota }\) with a deterministic encryption function which achieves the notion of PRIVsecurity, introduced by Bellare et al. in [6]. Though not limited to deterministic encryption, PRIVsecurity has been introduced as the strongest security notion one can achieve for deterministic encryption. It was proven equivalent to various other notions of deterministic encryption by Bellare et al. in [7].
In this section, we show that PRIVsecurity implies correlation robustness with respect to addition, as needed in our garbling scheme. At the end of this section, we discuss a concrete instantiation.
Definition 5
 1.
\({{\varvec{x}}}_0 = {{\varvec{x}}}_1\)
 2.
\({{\varvec{x}}}_0[i] = {{\varvec{x}}}_0[j]\) iff \({{\varvec{x}}}_1[i] = {{\varvec{x}}}_1[j]\)
 3.
High minentropy: \(Pr[{{\varvec{x}}}_{\beta }[i] = x: {{\varvec{x}}}\leftarrow A_m(1^k,\tilde{b},st)]\) is negligible in \(k\) for all \(\beta \in \{0,1\}\), all \(1\le i \le {{\varvec{x}}}\), all \(x\in Dom(E)\), and all \(st\in \{0,1\}^*\).
 4.
st is the empty string.
The first requirement prevents the adversary from trivially distinguishing the two ciphertexts by their length, while the second requirement addresses the fact that a deterministic encryption maps equal plaintexts to equal ciphertexts, and prevents the adversary from distinguishing ciphertexts using their equality pattern.
PRIVsecurity is sufficient to achieve our notion of correlation robustness with respect to the linear function we use in our garbling scheme. Therefore, we can instantiate our trapdoor permutation with a PRIVsecure deterministic encryption function. We prove this with the following theorem:
Theorem 2
(PRIVsecurity implies generalized correlation robustness). Let E be a PRIVsecure deterministic encryption function with key space \(\mathcal {K} = \mathcal {PK}\times \mathcal {SK}\), plaintext space \(\mathcal {P}\) and ciphertext space \(\mathcal {C}\). Let \(f=(f_0,f_1,f_2,f_3)\) be an invertible linear function, consisting of the four functions \(f_0,f_1,f_2,f_3: Dom(E) \rightarrow Dom(E)\).
Then the trapdoor permutation \(E_{\iota }: \mathcal {P} \rightarrow \mathcal {C};\) \(m\mapsto E(\iota ,m)\) is correlation robust with respect to \((f_0,f_1,f_2,f_3)\) for all \(\iota \in \mathcal {PK}\).
Proof
We show that for each \(A^{corr}\) who breaks correlation robustness with nonnegligible advantage p, there exists a PRIVAdversary \(\mathcal {A}\) who breaks PRIVsecurity with advantage \(\frac{1}{2} p\).
We first construct an adversary with nonempty state st. Let us consider an adversary \(A^{corr}\), who can break correlation robustness of \(E_{\iota }\) with nonnegligible advantage p. The adversary \(\mathcal {A}=(A_t,A_m,A_g)\) uses \(A^{corr}\) to break PRIVsecurity as follows: First, adversary \(A_t\) asks \(A^{corr}\) to output a tuple (K, L), and sets \(st:= (K,L)\). Then, \(A_m\) chooses \(K'\), \(L'\), \(R_1\), \(R_2\) and \(R_3\) uniformly at random. In the correlation robustness experiment, there are four ways for the challenger to pick a, b, c out of \(\{0,1,2,3\}\) with \(a<b<c\). Adversary \(A_m\) chooses such (a, b, c) uniformly at random, and sets \(x_0:= (f_a(K,L'), f_b(K',L), f_c(K',L'))\). He sets \(x_1 := (R_1,R_2,R_3)\). Since \(K'\) and \(L'\) are chosen uniformly at random, the plaintexts chosen by \(A_m\) all have negligible probability of occurring, and therefore the desired minentropy. The plaintext vector elements \(K + L'\), \(K' + L\) and \(K' + L'\) of \({{\varvec{x}}}_0\) are all mutually different with overwhelming probability, so \({{\varvec{x}}}_0\) and \({{\varvec{x}}}_1\) have the same equality pattern.
\(A_g\) then obtains a public key pk and a ciphertext \(c = (c_1,c_2,c_3)\).
If \(\tilde{b}=0\), c has the form of a challenge in \(Exp^{corr}_{E,f_0,f_1 ,f_2 ,f_3 ,\mathcal{A}}(k)\) if \(\beta =0\) in this experiment, while in the case \(\tilde{b}=1\), c has the form of a challenge for \(\beta = 1\). Therefore, \(A_g\) can feed the adversary \(A^{corr}\) with an appropriate challenge by handing him (pk, c). Adversary \(A_g\) then outputs whatever \(A^{corr}\) outputs.
Now we need to modify \(\mathcal {A}\) such that st is the empty string. Without loss of generality, we can divide the random coins of \(A^{corr}\) into \((r_1,r_2)\), such that \(r_1\) is the randomness used to choose (K, L). Then for each choice of \(r_1\), there is an adversary \(A^{corr}_{r_1}\) which has \(r_1\) hardwired and always chooses a specific \((K_{r_1},L_{r_1})\). From an average argument, if \(A^{corr}\) breaks correlationrobustness with advantage p, then there is random coin \(r_{p}\) for which the adversary \(A^{corr}_{r_{p}}\) with hardwired \(r_{p}\) breaks correlationrobustness with advantage p.
Consider the PRIVAdversary \(\mathcal {A}^{r_{p}} = (A^{r_{p}}_t, A^{r_{p}}_m,A^{r_{p}}_g)\) which has his random coins hardwired, such that (1) \(A_t\) always chooses st to be the empty string, (2) \(A_m\) always chooses \(K =K_{r_{p}}\) and \(L = L_{r_{p}}\), randomly chooses \(a,b,c\in \{1,2,3,4\}\) with \(a<b<c\), and sets \(x_0:= (f_a(K,L'),f_b(K',L),f_c(K',L'))\), and (3) Adversary \(A^{r_{p}}_g\) internally executes \(A^{corr}_{r_{p}}\) and outputs whatever \(A^{corr}_{r_{p}}\) outputs. Since \(A^{r_{p}}_m\) has K and L hard wired, \(A^{r_{p}}_g\) is the only adversary who communicates with \(A^{corr}_{r_{p}}\).
If \(A^{corr}_{r_{p}}\) breaks correlation robustness with advantage p, then \(\mathcal {A}^{r_{p}}\) breaks PRIVsecurity with advantage at least \(\frac{1}{4} p\). \(\square \)
We can instantiate our correlation robust trapdoor permutation \(E: \{0,1\}^{k} \rightarrow \{0,1\}^{k}\) with a PRIVsecure deterministic encryption scheme. In [6], Bellare et al. introduce a PRIVsecure lengthpreserving scheme RSADOAEP, which works on bitstrings. This scheme can be used to instantiate our correlation robust trapdoor permutation.
Footnotes
Notes
Acknowledgements
We thank the anonymous reviewers for helpful comments.
References
 1.Shelat, A., Shen, C.: Twooutput secure computation with malicious adversaries. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 386–405. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 2.Applebaum, B.: Garbling XOR gates “for free” in the standard model. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 162–181. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 3.Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC\({^0}\). FOCS 2004, 166–175 (2004)zbMATHGoogle Scholar
 4.Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. Comput. Complex. 15(2), 115–162 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
 5.Applebaum, B., Ishai, Y., Kushilevitz, E., Waters, B.: Encoding functions with constant online rate or how to compress garbled circuits keys. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 166–184. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 6.Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535–552. Springer, Heidelberg (2007) CrossRefGoogle Scholar
 7.Bellare, M., Fischlin, M. O’Neill, A., Ristenpart, T.: Deterministic encryption: definitional equivalences and constructions without random oracles. Cryptology ePrint Archive, Report 2008/267 (2008). http://eprint.iacr.org/
 8.Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. Cryptology ePrint Archive, Report 2012/265 (2012). http://eprint.iacr.org/
 9.Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully keyhomomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 10.Brandão, L.T.A.N.: Secure twoparty computation with reusable bitcommitments, via a cutandchoose with forgeandlose technique. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 441–463. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 11.Choi, S.G., Katz, J., Kumaresan, R., Zhou, H.S.: On the security of the “FreeXOR” technique. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 39–53. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 12.Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987)Google Scholar
 13.Hemenway, B., Lu, S., Ostrovsky, R.: Correlated product security from any oneway function. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 558–575. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 14.Huang, Y., Katz, J., Evans, D.: Efficient secure twoparty computation using symmetric cutandchoose. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 18–35. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 15.Huang, Y., Katz, J., Kolesnikov, V., Kumaresan, R., Malozemoff, A.J.: Amortizing garbled circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 458–475. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 16.Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to roundefficient secure computation. In: FOCS, pp. 294–304 (2000)Google Scholar
 17.Ishai, Y., Kushilevitz, E.: Perfect constantround secure computation via perfect randomizing polynomials. In: Widmayer, P., Triguero, F., Morales, R., Hennessy, M., Eidenbenz, S., Conejo, R. (eds.) ICALP 2002. LNCS, vol. 2380, p. 244. Springer, Heidelberg (2002) CrossRefGoogle Scholar
 18.Kilian, J.: Founding cryptography on oblivious transfer. In: STOC, pp. 20–31 (1988)Google Scholar
 19.Kolesnikov, V.: Gate evaluation secret sharing and secure oneround twoparty computation. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 136–155. Springer, Heidelberg (2005) CrossRefGoogle Scholar
 20.Kolesnikov, V., Kumaresan, R.: Improved secure twoparty computation via informationtheoretic garbled circuits. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 205–221. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 21.Kolesnikov, V., Mohassel, P., Rosulek, M.: FleXOR: flexible garbling for XOR gates that beats freeXOR. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 440–457. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 22.Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 23.Lindell, Y.: Fast cutandchoose based protocols for malicious and covert adversaries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 1–17. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 24.Lindell, Y., Pinkas, B.: An efficient protocol for secure twoparty computation in the presence of malicious adversaries. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 52–78. Springer, Heidelberg (2007) CrossRefGoogle Scholar
 25.Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for twoparty computation. J. Cryptology 22(2), 161–188 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
 26.Lindell, Y., Pinkas, B.: Secure twoparty computation via cutandchoose oblivious transfer. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 329–346. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 27.Lindell, Y., Riva, B.: Cutandchoose Yaobased secure computation in the online/offline and batch settings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 476–494. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 28.Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay  secure twoparty computation system. In: USENIX Security Symposium, pp. 287–302 (2004)Google Scholar
 29.Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: EC, pp. 129–139 (1999)Google Scholar
 30.Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure twoparty computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 31.Rosen, A., Segev, G.: Chosenciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 32.Sander, T., Young, A.L., Yung, M.: Noninteractive cryptocomputing for NC\({^1}\). In: FOCS, pp. 554–567 (1999)Google Scholar
 33.Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986)Google Scholar
 34.Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015) Google Scholar