Paper 2013/051

Garbled Circuits Checking Garbled Circuits: More Efficient and Secure Two-Party Computation

Payman Mohassel and Ben Riva


Applying cut-and-choose techniques to Yao's garbled circuit protocol has been a promising approach for designing efficient Two-Party Computation (2PC) with malicious and covert security, as is evident from various optimizations and software implementations in the recent years. We revisit the security and efficiency properties of this popular approach and propose alternative constructions and a new definition that are more suitable for use in practice. * We design an efficient fully-secure 2PC protocol for two-output functions that only requires $O(t|C|)$ symmetric-key operations (with small constant factors, and ignoring factors that are independent of the circuit in use) in the Random Oracle Model, where $|C|$ is the circuit size and $t$ is a statistical security parameter. This is essentially the {\em optimal} complexity for protocols based on cut-and-choose, resolving a main question left open by the previous work on the subject. Our protocol utilizes novel techniques for enforcing \emph{garbler's input consistency} and handling \emph{two-output functions} that are more efficient than all prior solutions. * Motivated by the goal of eliminating the \emph{all-or-nothing} nature of 2PC with covert security (that privacy and correctness are fully compromised if the adversary is not caught in the challenge phase), we propose a new security definition for 2PC that strengthens the guarantees provided by the standard covert model, and offers a smoother security vs. efficiency tradeoff to protocol designers in choosing the \emph{right deterrence factor}. In our new notion, correctness is always guaranteed, privacy is fully guaranteed with probability ($1-\epsilon$), and with probability $\epsilon$ (i.e. the event of undetected cheating), privacy is only ``partially compromised" with at most a {\em single bit} of information leaked, in \emph{case of an abort}. We present two efficient 2PC constructions achieving our new notion. Both protocols are competitive with the previous covert 2PC protocols based on cut-and-choose. A distinct feature of the techniques we use in all our constructions is to check consistency of inputs and outputs using new gadgets that are themselves \emph{garbled circuits}, and to verify validity of these gadgets using \emph{multi-stage} cut-and-choose openings.

Available format(s)
Publication info
Published elsewhere. An extended abstract will appear at Crypto 2013. This is the full version
Secure Two-Party ComputationCut-and-choose 2PC
Contact author(s)
benriva @ post tau ac il
2013-06-20: revised
2013-02-06: received
See all versions
Short URL
Creative Commons Attribution


      author = {Payman Mohassel and Ben Riva},
      title = {Garbled Circuits Checking Garbled Circuits: More Efficient and Secure Two-Party Computation},
      howpublished = {Cryptology ePrint Archive, Paper 2013/051},
      year = {2013},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.