The codebase uses what appears to be a nonstandard AES-based iterative hash function to commit to garbling tables for cut-and-choose operations.
This hash function takes the form H(i) = AES(H(i-1) ^ ciphertext(i)), and as such is not collision resistant in general. I think this admits a practical attack that breaks malicious security in the cut-and-choose context whereby the garbler uses malicious ciphertexts to produce table collisions that are not detectable by the evaluator until evaluation time, at which point it is too late.
There exist secure variants of AES-based iterative hash functions that are not susceptible to collisions in this manner.
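The following is an added illustration, not code from the issue or from the codebase it discusses. It models a garbling table as a slice of 16-byte blocks and assumes an all-zero starting value and a fixed, public AES-128 key (the issue does not say how the key is chosen); it shows that under that assumption two tables differing in an entry can share a digest, and that the Matyas-Meyer-Oseas construction, one of the standard secure AES-based variants referred to above, does not share this defect.

```go
package main

import "crypto/aes"

type Block [16]byte // one AES block; a garbling table is modelled as a slice of these

func xor(a, b Block) (out Block) {
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return
}

// WeakHash is the construction from the issue, H(i) = AES_k(H(i-1) XOR c(i)), with H(0) = 0.
// A fixed, public 16-byte key k is assumed; the issue does not say how k is chosen.
func WeakHash(key []byte, table []Block) Block {
	blk, _ := aes.NewCipher(key) // toy code: key is assumed to be a valid AES-128 key
	var h Block
	for _, c := range table {
		in := xor(h, c)
		blk.Encrypt(h[:], in[:])
	}
	return h
}

// CollidingTable returns a table (at least two entries) differing from table in entry 0 but with
// the same WeakHash: AES_k is a public permutation, so entry 1 := AES_k^-1(H(1)) XOR H'(0).
func CollidingTable(key []byte, table []Block) []Block {
	blk, _ := aes.NewCipher(key)
	forged := make([]Block, len(table))
	copy(forged, table)
	forged[0][0] ^= 0x01           // flip one bit of the first entry
	h1 := WeakHash(key, table[:2]) // honest chaining value H(1)
	var pre Block
	blk.Decrypt(pre[:], h1[:]) // AES_k^-1(H(1))
	forged[1] = xor(pre, WeakHash(key, forged[:1]))
	return forged
}

// MMOHash is the Matyas-Meyer-Oseas variant H(i) = AES_{H(i-1)}(c(i)) XOR c(i): the chaining
// value keys the cipher, so there is no fixed-key permutation to invert.
func MMOHash(table []Block) Block {
	var h Block
	for _, c := range table {
		blk, _ := aes.NewCipher(h[:]) // 16-byte chaining value is a valid AES-128 key
		blk.Encrypt(h[:], c[:])       // key schedule was copied, so h can be reused
		h = xor(h, c)
	}
	return h
}
```

A commitment check that compares only `WeakHash` digests accepts the forged table; the same check over `MMOHash` rejects it.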