MPC Study Group: Authenticated Garbling

In this week’s zoom meetup we looked at “Authenticated garbling and efficient maliciously secure two-party computation” by Wang et al. (2017) [WRK17].

These are my personal study notes, so please refer to the references to verify any information in this post. The content of this post is mostly based on [WRK17].

Garbled Circuits

We covered garbled circuits in our first session of the MPC study group. The version that we presented was secure against semi-honest adversaries, but not against malicious adversaries. One example to show this, the circuit generator $P_1$ may encode the wire-labels in the garbled gates arbitrarily, thus $P_1$ can control the output of the gates. The circuit evaluator $P_2$ can return arbitrary output to $P_1$, this would not be detected by $P_1$.

In order to deal with malicious adversaries we look at authenticated garbling [WRK17]. The idea is to use authenticated secret sharing that is additively homomorphic. Using this the parties cooperate to generate the garbled circuit. The preprocessing phase does a lot of the heavy lifting, generating beaver triples and more that are used for the circuit generation. Admittedly, I found this to be a tricky paper to read, and I am still working on understanding it fully. It was very helpful to read [NNOB12] which this paper derives from. For this overview I will instead present the more abstract form from [EKR17].

Distributed Garbling

The garbled table of an AND gate will have the form (we’ll explain what the elements mean in a moment):

  • $e_{0,0} = H(k_a^0 || k_b^0) \oplus k_c^{p_c \oplus p_a * p_b}$
  • $e_{0,1} = H(k_a^0 || k_b^1) \oplus k_c^{p_c \oplus p_a * \overline{p_b}}$
  • $e_{1,0} = H(k_a^1 || k_b^0) \oplus k_c^{p_c \oplus \overline{p_a} * p_b}$
  • $e_{1,1} = H(k_a^1 || k_b^1) \oplus k_c^{p_c \oplus \overline{p_a} * \overline{p_b}}$

How are the elements generated and what do they mean?

  • Wire labels $k_i^0$, $k_i^1$:
    • $P_1$ chooses random wire labels of length $\kappa$.
  • $p_a$, $p_b$, $p_c$:
    • Input pointer bits representing the value false (and $\overline{p_a}$ represents true).
    • The pointer bits are generated randomly, such that neither party knows the pointer bits.
    • The pointer bits are authenticated.
      • $[p_a]$ is the authenticated $p_a$.
      • $P_1$ (the generator) holds a uniform global key $\Delta _1$, and $P_2$ holds $\Delta _2$.
      • $P_1$ holds for an authenticated bit (the bit is not known to either $P_1$ or $P_2$): $[p_a]_1 = $
        • $<$
        • $p_{a, 1},$
        • $K_1[p_a],$ // uniform random key
        • $T = K_2[p_a] \oplus p_a \Delta _2,$ // MAC tag
        • $>$
      • Whereas, $P_2$ holds: $[p_a]_2 = $
        • $<$
        • $p_{a, 2},$
        • $K_2[p_a],$
        • $T = K_1[p_a] \oplus p_a \Delta _1,$
        • $>$
      • Such that $p_{a, 1} \oplus p_{a, 2} = p_a$ // $p_{a, i}$ is a secret-share.
      • Note that the shares are additive.
  • $H$:
    • Random oracle hash function.

The above garbled table can be expanded and rewritten as:

  • $e_{0,0} = H(k_a^0 || k_b^0) \oplus k_c^0 \oplus (p_c \oplus p_a * p_b) \Delta $
  • $e_{0,1} = H(k_a^0 || k_b^1) \oplus k_c^0 \oplus (p_c \oplus p_a * \overline{p_b}) \Delta $
  • $e_{1,0} = H(k_a^1 || k_b^0) \oplus k_c^0 \oplus (p_c \oplus \overline{p_a} * p_b) \Delta $
  • $e_{1,1} = H(k_a^1 || k_b^1) \oplus k_c^0 \oplus (p_c \oplus \overline{p_a} * \overline{p_b}) \Delta $

The observation to be made is that $P_1$ knows the left side of $e_{\alpha, \beta}$:

  • $H(k_a^\alpha || k_b^\beta) \oplus k_c^0$

Whereas the parties hold additive shares of the right side:

  • $(p_c \oplus p_a * p_b) \Delta$

Hence the garbled table is shared between the two parties.

We didn’t cover the form of XOR gates, and how the garbled circuit is generated, and later evaluated.


This paper put a lot of effort towards improving the performance. For the function independent and function dependent pre-processing the communication and computation complexity is:

  • $O(|C|)$

For the online phase:

  • Communication complexity: $O(|I| + |O|)$
  • Computation complexity: $O(|C|)$


  • [WRK17] Wang X, Ranellucci S, Katz J. Authenticated garbling and efficient maliciously secure two-party computation. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security 2017 Oct 30 (pp. 21-37). URL
  • [NNOB12] Nielsen JB, Nordholt PS, Orlandi C, Burra SS. A new approach to practical active-secure two-party computation. In Annual Cryptology Conference 2012 Aug 19 (pp. 681-700). Springer, Berlin, Heidelberg.
  • [EKR17] Evans D, Kolesnikov V, Rosulek M. A pragmatic introduction to secure multi-party computation. Foundations and Trends® in Privacy and Security. 2017 Jan;2(2-3).
MPC Study Group: Authenticated Garbling by Jonas Spenger, 31 Mar 2021, last updated on 31 Mar 2021.
Tags: Authenticated, Garbling, Secure, Multi-Party, Computation, Malicious, Zoom.
There are likely some errors I have missed, please contact me if you find any.
Check out more posts in the blog archive.