- Computer verification of SMPC protocols by any means necessary
- OWL: Compositional Verification of Security Protocols via an Information-Flow Type System; 2023
- Fuzzy Message Detection; 2021
- PL Theory for SMPC Implementations
- Metadata-privacy preserving Instant Messaging
- Experiment Selection for Causal Discovery; 2013
- Casual security suggestions for friends
- Field Study of Smartphone (Un) Locking Behavior and Risk Perception
- Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis
- Iconography for key-fingerprint comparison

author | David Heath, Vladimir Kolesnikov, and Stanislav Peceny |

title | MOTIF: (Almost) Free Branching in GMW via Vector-Scalar Multiplication |

howpublished | IACR-ASIACRYPT-2020 |

year | 2020 |

month | September |

where | Georgia Institute of Technology, Atlanta, GA, USA |

Even given precomputed oblivious transfer, GMW still requires three bits sent from each party for every AND gate in the circuit.
The AND gates also consume the precomputed OT material.
The advancement of this paper is that it lets parties evaluate, for *basically* the cost of a single AND gate, one gate in each of however many mutually exclusive branches.
The has obvious parallels with the earlier Stacked Garbling process, but the technique is totally different.

The central idea is the introduction of a “vector-scalar” gate, in which a whole set of values are multiplied (AND’d) with another single value. Such a gate can be evaluated with only one round of OT.

The way to leverage VS gates is by applying the “AND FALSE” part of the branching at the beginning. Then, with a little extra (cheap) finagling, the true value of all wires in branches not taken will be 0. For each of the parallel AND gates, pick one of the wires as “x”, and the other as “y”. It’s safe to XOR all the x’s together because only one of them can be non-zero. AND’ing that with each of the y’s is a VS operation, and will yield 0 on all the output wires in the inactive branches (as required) and the correct result in the active branch.

I need to spend more time on this paper, in particular to figure out if any part of it can help out with the BGW scheme.

The Related works section of this paper also needs a closer reading.