3

I've been looking for real-world protocols for private function evaluation in the case of a reactive functionality. Please refer to section 2.5.3 of the book Efficient Secure Two-Party Protocols by Hazay and Lindell for a full definition. In a P.F.E. setting, one party, namely $A$, holds a string $x$, and the other party, namely $B$, holds a circuit $C$, such that $C$ takes $x$ as well as $s_t$ as input and outputs $(y, s_{t+1})$.

In the ideal world and when both parties are honest, the trusted third party sends random shares of $s_{t+1}$ to the parties, and reconstructs $s_{t+1}$ for the next round. To make a real-world protocol, $A$ can choose her random share $r_{t+1}$ for the next round, and $B$ obtains $s_{t+1} \oplus r_{t+1}$ from the PFE. Note that $B$ should now send $\widetilde{C}$ (instead of $C$) such that

$$ \widetilde{C}(x, r_t, s_t \oplus r_t, r_{t+1}) = (y, s_{t+1} \oplus r_{t+1}) $$

For malicious adversaries, the ideal-world solution in the book requires the trusted third party to compute message authentication tags as well and send them to the parties in a zig-zag manner. When I tried to make a real-world version of it, I noticed that I should also include the Boolean circuit of a message authentication scheme in $\widetilde{C}$. From what I've realised so far, MAC circuits are not small, and the circuits in my use-case (i.e., $C$) would need far fewer gates than that of a single MAC instance.

So, there are two questions:

  1. Is there a MAC scheme with a small circuit?
  2. If there isn't any known MAC with a small circuit, can I circumvent encoding (multiple instances of) a MAC in $\widetilde{C}$?

Mahyar

1 Answer

4

For this application you can use a one-time MAC since the functionality can MAC each party's share under a different key, and use fresh keys for every round. The simplest one-time MACs are information-theoretic, for example:

$$ \textsf{MAC}\bigl( (a,b), m \bigr) = am+b, $$

where each variable is an element of a finite field. This is a well-known one-time MAC, whose verification circuit is just a few arithmetic operations.

Mikero
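
The one-time MAC from the answer above, worked through as an added example (not code from the post or from the book): it tags each XOR share of $s_{t+1}$ under its own fresh key, rejects a modified share at reconstruction, and shows the forgery that becomes possible when a key is reused across rounds. The field GF($2^{128}$) with reduction polynomial $x^{128}+x^7+x^2+x+1$, all function names, and returning the keys to the caller instead of distributing them between the parties are assumptions of this example.

```python
import secrets

# Added illustration; field choice and function names are assumptions.
N = 128
POLY = (1 << N) | 0x87  # x^128 + x^7 + x^2 + x + 1

def gf_mul(a, b):
    """Multiply in GF(2^128): shift-and-XOR with reduction by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r

def keygen():
    """Fresh one-time key (a, b); never reuse it for a second message."""
    return secrets.randbits(N), secrets.randbits(N)

def mac(key, m):
    a, b = key
    return gf_mul(a, m) ^ b  # a*m + b; addition in GF(2^n) is XOR

def verify(key, m, tag):
    return mac(key, m) == tag

def share_state(s_next):
    """End of round t: split s_{t+1} into XOR shares, tag each under its own key."""
    r_next = secrets.randbits(N)
    shares = {"A": r_next, "B": s_next ^ r_next}
    keys = {p: keygen() for p in shares}
    tags = {p: mac(keys[p], shares[p]) for p in shares}
    return shares, tags, keys

def reconstruct(shares, tags, keys):
    """Start of round t+1: accept the state only if both tagged shares verify."""
    if not all(verify(keys[p], shares[p], tags[p]) for p in shares):
        raise ValueError("share failed MAC verification")
    return shares["A"] ^ shares["B"]

def forge_with_reused_key(m1, t1, m2, t2, c):
    """Why keys must be fresh: two tags under one key give a*(m1+m2) = t1+t2,
    which yields a valid tag on m1 + c*(m1+m2) without knowing (a, b)."""
    return m1 ^ gf_mul(c, m1 ^ m2), t1 ^ gf_mul(c, t1 ^ t2)
```

Verification costs one field multiplication and one addition per share, which is the "few arithmetic operations" the answer refers to.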