We also show how to efficiently instantiate the preprocessing phase using our own optimized version of the TinyOT protocol. Our overall protocol outperforms existing work in both the single-execution and amortized settings, with or without preprocessing:
- In the single-execution setting, our protocol evaluates an AES circuit with malicious security in 37~ms total with an online time of just 1~ms. Previous work with the best online time (also 1~ms) requires 124~ms in total; previous work with the best total time requires 62~ms (with 14~ms online time).
- In the amortized setting where the time is amortized over 1024 executions, each AES computation runs in just 6.7~ms overall, with roughly the same online time as above. The best previous work in this setting requires roughly the same total time but does not support preprocessing independent of the function to be evaluated.
Our work shows that the performance penalty for maliciously secure two-party computation (vs.\ semi-honest security) is much smaller than previously believed.
As a by-product of our framework, we also obtain the first constant-round maliciously-secure two-party computation with $O(|C|\kappa)$ bits of communication, by instantiating the preprocessing using the IPS compiler under the $\Phi$-hiding assumption. This protocol achieves a constant communication overhead compared to Yao's semi-honest protocol.Category / Keywords: cryptographic protocols / two-party computation, secure computation Date: received 10 Jan 2017, last revised 16 Mar 2017 Contact author: wangxiao at cs umd edu Available format(s): PDF | BibTeX Citation Note: Fix a small bug in the TinyOT improvement Version: 20170317:003010 (All versions of this report) Short URL: ia.cr/2017/030 Discussion forum: Show discussion | Start new discussion