The function to be computed. The SPDZ protocol involves n players
P1, . . . , Pn; each playerPiholds some inputsx(1), . . . , x(r), where eachx(j)lies
in a finite field Fq andrdepends on the playerPi.
The function to be evaluated at the input values is described in terms of an
arithmetic circuit C over Fq. An arithmetic circuit is a type of graph that
describes the behaviour of a function in a step-by-step manner, and it is given by a finite, directed, acyclic and connected multigraph. The number of input
gates (i.e., of vertices with in-degree 0) of the graph is equal to the total number of input values held by players; each of these gates is uniquely labeled with the identifier of an input value. We assume for simplicity that there exists a single
output gate (with out-degree 0), and that its in-degree is equal to 1. Finally, all other gates have in-degree either 1 (which are labeled with an element fromFq
or 2 (which can be sum ormultiplication gates).
By simply following the topology of the circuit, we obtain a polynomial func- tion of the inputs held by players: the starting point is given by the input gates. Subsequently, sum and multiplication gates can be “evaluated” by adding or multiplying the two inbound values, and sending the result via the outbound edge to the following gate; multiplication-by-constant gates simply multiply the inbound value with the given constant in Fq, and send the result to the
following gate.
Eventually, the output gate will yield the result of a computation, which is the value of a polynomial function overFq evaluated at the inputs held by players.
As hinted in Section 5.1, the goal of SPDZ is to allow players to evaluate the circuitC on their inputs while keeping privacy: more precisely, any coalition of up to n−1 dishonest players should learn nothing about the input value of the remaining player aside from what can be deduced from the outcome of the computation; and no honest player should accept an incorrect output. We speak of privacy andcorrectness; notice that we cannot achieve fairness,i.e. we cannot guarantee that honest players will learn the correct output of the computation.
We will further discuss security in Section 5.2.5; we now focus on further detailing the SPDZ protocol.
The communication model. A critical point for our discussion is how the communication between players is realized. More precisely, we assume that players can communicate with each other via secure point-to-point channels and via broadcast.
(Secure) point-to-point channels allow each player Pi to communicate with
any other player Pj with perfect reliability and privacy, meaning thatPj will
always correctly receive any message sent by Pi, while any other player will
have no information on these messages.
Broadcast,on the other hand, allows each playerPito communicate a message
to all other players with perfect privacy and with consistency, meaning that all players will receive the same message. A player that broadcasts a value is modeled by an interactive algorithm Algwith the property that its output is the same for all players. The key point, of course, is that dishonest players are bound as well by the consistency property of broadcast: namely, we model dishonest players by replacing Algwith an arbitrary algorithm Alg0, subject nevertheless to the property that the output ofAlg0 is the same for all players. From a practical point of view, constructing a broadcast protocol from point-
to-point channels is expensive. For this reason, when computing the complex- ity of our protocol we keep a separate counter for point-to-point communication and for broadcasts, assuming that the latter will be more expensive. Notice anyway that providing a concrete instantiation of a broadcast protocol would be beyond the scope of this dissertation.
The commitment scheme. This technique is used to solve the following problem: assume that at a given point of the protocol, each player Pi has to
reveal a value zi that he holds; if this is simply done in turns, a malicious
player could then “adjust” zi depending on the previously revealed values.
This may happen, for instance, when players want to reconstruct a shared value [z]: a malicious player could announce a suitably chosen false share so that the players will reconstruct a value ˜z of his choice.
A commitment scheme is an interactive protocol that allows players to solve this problem; we give here an informal definition of the variant we are in- terested in. Such a scheme allows each player Pi to produce a commitment
Commit(zi) to a valuezithat he holds; later on, he can be asked to publiclyopen
this commitment. Thebinding property of the scheme means thatCommit(z) can never open to z0 for z0 6= z, while the hiding property means that it is computationally unfeasible to obtain any information onz fromCommit(z). Thus in a situation when each playerPihas to reveal a valuezi, we can ask for
each player in turn to broadcast a commitmentCommit(zi), and then require
all players to open their commitments. Thus players cannot adjust their value ofzi depending on the previously announced values.
We will see in Section 5.2.3 how the original SPDZ protocol is endowed with a commitment scheme.
The main ingredient: additive sharings. Following a standard paradigm for MPC over arithmetic circuits [5], SPDZ requires players to share their input values; each gate is then processed on the shares, and finally the shares of the output are reconstructed at the end of the circuit. We start by detailing the formulation of this sharing, before describing in more details how SPDZ works.
• A [·]-sharing of a valuez∈Fq is an additive sharing ofz, meaning that
each playerPi holds a randomshare zi∈Fq subject toPizi=z. This
is denoted by [z] = (z1,· · ·, zn).
Furthermore, to ensure correctness, every shared value is accompanied by a sharing of an authentication tag for the shared value; this is formalized as follows:
• For an arbitrary but fixed α ∈ Fq, a h·iα-sharing of z consists of [·]-
sharings ofzand ofα·z, i.e.,hziα= [z],[α·z]. The elementαis called theglobal key, andαzis called thetag ofzand usually denoted byγ(z). Ifαis clear from the context, we may writeh·iinstead ofh·iα.
We say that a sharing [z] or a sharinghziα = [z],[γ(z)] isprivately opened
to a player Pi if each player Pj sends his sharezj to Pi via a point-to-point
channel andPicomputesz:=Pjzj. We say that a sharing ispubliclyopened
if it is privately opened to a designated “king player” Pk, and then Pk sends
the reconstructed valuez to all the players via point-to-point channels.4
Note that (for a fixed global key α) ah·iα-sharing is linear, in the sense that
linear combinations can be computed on the shares:
hz+wi=hzi+hwi:= [zi+wi]i=1,···,n,[γ(z)i+γ(w)i]i=1,···,n hλzi=λ· hzi:= [λzi]i=1,···,n,[λγ(z)i]i=1,···,n.
Furthermore, ifαis [·]-shared then the same holds for addition with a constant:
hλ+zi= λ+hzi := [λ+z1, z2,· · ·, zn],[λα1+γ(z)1,· · ·, λαn+γ(z)n]
.
Finally, a triple haiα,hbiα,hciα
is called a multiplication triple if it consists of three h·iα-shared random valuesa, b, csubject toab=c.
SPDZ is divided into aoffline (orpre-processing) phase, and anonline phase. The idea is to push most of the (somewhat) expensive cryptographic tech- niques into the offline phase (which can be executed beforethe inputs to the computation – or even the actual computation – are known), and rely mainly on very efficient information-theoretic techniques in the online phase. We de- scribe these two phases in the following sections.