Cut-and-choose Yao-based secure computation in the online/offline and batch settings

Yehuda Lindell, Ben Riva

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review



Protocols for secure two-party computation enable a pair of mistrusting parties to compute a joint function of their private inputs without revealing anything but the output. One of the fundamental techniques for obtaining secure computation is that of Yao's garbled circuits. In the setting of malicious adversaries, where the corrupted party can follow any arbitrary (polynomial-time) strategy in an attempt to breach security, the cut-and-choose technique is used to ensure that the garbled circuit is constructed correctly. The cost of this technique is the construction and transmission of multiple circuits; specifically, s garbled circuits are used in order to obtain a maximum cheating probability of 2^-s. In this paper, we show how to reduce the amortized cost of cut-and-choose based secure two-party computation in the batch and online/offline settings to O(s/log N) garbled circuits when N secure computations are run. Although O(s/log N) may seem to be a mild efficiency improvement asymptotically, it is a dramatic improvement for concrete parameters since s is a statistical security parameter and so is typically small. Specifically, instead of 40 circuits to obtain an error of 2^-40, when running 2^10 executions we need only 7.06 circuits on average per secure computation, and when running 2^20 executions this is reduced to an average of just 4.08. In addition, in the online/offline setting, the online phase per secure computation consists of evaluating only 6 garbled circuits for 2^10 executions and 4 garbled circuits for 2^20 executions (plus some small additional overhead). In practice, when using fast implementations (like the JustGarble framework of Bellare et al.), the resulting protocol is remarkably fast. We present a number of variants of our protocols with different assumptions and efficiency levels. Our basic protocols rely on the DDH assumption alone, while our most efficient variants are proven secure in the random-oracle model.
Interestingly, the variant in the random-oracle model of our protocol for the online/offline setting has online communication that is independent of the size of the circuit in use. None of the previous protocols in the online/offline setting achieves this property, which is very significant since communication is usually a dominant cost in practice.
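The amortization described in the abstract comes from bucketing: rather than running cut-and-choose over s circuits for every execution, the garbler prepares N*B + c circuits, the evaluator opens and checks c of them, and the remaining N*B are randomly split into N buckets of B circuits, one bucket per execution. The script below is an added illustration and not code from the paper. It computes an upper bound on the cheating probability under a deliberately simplified model, which is an assumption of this example: the cheater wins only if some bucket consists entirely of bad circuits (the guarantee that cheating-recovery style protocols provide), and the probability of that event is bounded by a union bound over buckets. It then binary-searches for the smallest number of opened circuits that drives the bound below 2^-40 and reports the resulting average number of garbled circuits per execution. With N = 1, B = 20 and c = 20 the same function recovers the classical fixed-check-set bound 1/C(40, 20), roughly 2^-37. Because the model omits the paper's finer analysis (input consistency, selective-failure defences, the exact check distribution), its figures do not reproduce the 7.06 and 4.08 quoted above, but the trend is the same: small buckets suffice once N is large.

```python
"""Cheating-probability bounds for cut-and-choose with bucketing.

Added example, not code from the paper. Model (an assumption of this example):
  * the garbler prepares total = N*B + c circuits and makes t of them bad;
  * c circuits chosen uniformly at random are opened; a bad opened circuit
    means the cheat is detected;
  * the remaining N*B circuits are randomly split into N buckets of B;
  * the garbler wins only if some bucket is entirely bad (the guarantee
    that cheating-recovery style protocols provide).
Everything is kept in log2 space via lgamma so that N = 2**20 is cheap.
"""
from math import lgamma, log2
from typing import Tuple

LN2 = 0.6931471805599453


def log2_comb(n: int, k: int) -> float:
    """log2 of binomial(n, k); -inf outside the valid range."""
    if k < 0 or k > n:
        return float("-inf")
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)) / LN2


def log2_undetected(total: int, checked: int, bad: int) -> float:
    """log2 P(no bad circuit is among `checked` uniformly chosen opened circuits)."""
    if bad > total - checked:
        return float("-inf")  # more bad circuits than unopened ones: always caught
    return log2_comb(total - bad, checked) - log2_comb(total, checked)


def log2_some_bucket_all_bad(n_buckets: int, bucket_size: int, bad: int) -> float:
    """log2 of the union bound N * C(t, B) / C(N*B, B) on P(some bucket is all bad), capped at 1."""
    if bad < bucket_size:
        return float("-inf")  # cannot fill even one bucket
    remaining = n_buckets * bucket_size
    bound = log2(n_buckets) + log2_comb(bad, bucket_size) - log2_comb(remaining, bucket_size)
    return min(0.0, bound)


def batch_cheat_bound_log2(n_exec: int, bucket_size: int, checked: int) -> float:
    """log2 of the cheating bound, maximised over the number t of bad circuits."""
    total = n_exec * bucket_size + checked
    best = float("-inf")
    for bad in range(bucket_size, n_exec * bucket_size + 1):
        undetected = log2_undetected(total, checked, bad)
        if undetected < best:
            break  # undetected probability only falls with t and the bucket term is <= 1
        best = max(best, undetected + log2_some_bucket_all_bad(n_exec, bucket_size, bad))
    return best


def checks_needed(n_exec: int, bucket_size: int, target_log2: float = -40.0) -> int:
    """Smallest c with bound <= 2**target_log2; the bound is non-increasing in c, so binary search."""
    lo, hi = 0, n_exec * bucket_size
    if batch_cheat_bound_log2(n_exec, bucket_size, hi) > target_log2:
        raise ValueError("bucket size too small for the target even when opening N*B circuits")
    while lo < hi:
        mid = (lo + hi) // 2
        if batch_cheat_bound_log2(n_exec, bucket_size, mid) <= target_log2:
            hi = mid
        else:
            lo = mid + 1
    return lo


def circuits_per_execution(n_exec: int, bucket_size: int, target_log2: float = -40.0) -> Tuple[int, float]:
    """Return (opened circuits c, average garbled circuits per execution (N*B + c) / N)."""
    c = checks_needed(n_exec, bucket_size, target_log2)
    return c, (n_exec * bucket_size + c) / n_exec


if __name__ == "__main__":
    # Single execution, open half of 40 circuits: the classical 1 / C(40, 20) bound.
    print("N=1, B=20, c=20: 2^%.2f" % batch_cheat_bound_log2(1, 20, 20))
    for n_exec, bucket_size in ((2 ** 10, 6), (2 ** 20, 4)):
        c, avg = circuits_per_execution(n_exec, bucket_size)
        print("N=2^%d, B=%d: open %d circuits, %.2f circuits per execution"
              % (n_exec.bit_length() - 1, bucket_size, c, avg))
```

The pruning in batch_cheat_bound_log2 is what keeps the search cheap at N = 2^20: once the probability of escaping the check phase alone drops below the best bound found so far, adding more bad circuits can only hurt the adversary, since the bucket term never exceeds 1.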

Original language: English
Title of host publication: Advances in Cryptology, CRYPTO 2014 - 34th Annual Cryptology Conference, Proceedings
Publisher: Springer Verlag
Number of pages: 19
Edition: PART 2
ISBN (Print): 9783662443804
State: Published - 2014
Event: 34th Annual International Cryptology Conference, CRYPTO 2014 - Santa Barbara, CA, United States
Duration: 17 Aug 2014 to 21 Aug 2014

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Number: PART 2
Volume: 8617 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 34th Annual International Cryptology Conference, CRYPTO 2014
Country/Territory: United States
City: Santa Barbara, CA

Bibliographical note

Funding Information:
This work was funded by the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013) / ERC Grant Agreement n. 239868 (LAST), and under the European Union’s Seventh Framework Program (FP7/2007-2013) under grant agreement n. 609611 (PRACTICE). A full version of this work appears in the Cryptology ePrint Archive, 2014.


