Fast Two-Output Secure Computation with Optimal Error Probability

Cut-and-choose paradigmmakes Yao's protocol for two-party computation secure in malicious model with an error probability. In CRYPTO 2013, based on multi-phase cut-and-choose, Lindell reduced this probability to the optimal value. However, this work can only compute single-output functions with optimal error probability. We transform multi-phase cut-and-choose for singleoutput case into one that can deal with two-output functions, meanwhile maintaining the optimal error probability. Based on this new paradigm, we propose an efficient two-output secure computation protocol. Besides, by utilizing the specific property of the output garbled keys, we solve the authenticity issue of the generator's output with only symmetric cryptographic operations linear in the output length of the generator, which is the most efficient method so far in standard model without Random oracle (RO).