Performing all bit authentications required for authenticated wire shares and authenticated random AND triples upfront is computationally less expensive than calling the bit authentication subprotocol on demand since it amortizes the cost for active security checks (and it's a requirement for implementing the actively secure two-party bit authentication in a straightforward way anyway).
Performing all bit authentications required for authenticated wire shares and authenticated random AND triples upfront is computationally less expensive than calling the bit authentication subprotocol on demand since it amortizes the cost for active security checks (and it's a requirement for implementing the actively secure two-party bit authentication in a straightforward way anyway).