
1 Introduction

1.1 Overview

Secure multiparty computation (MPC) is a central research area in cryptography. An MPC protocol allows \(n\ge 2\) parties to compute a function of their inputs without compromising the privacy of the inputs or the correctness of the outputs. This should hold even if some of the parties are corrupted by an adversary. Since its introduction in the 1980s [2, 7, 12, 20], there has been a rich body of work dealing with many aspects of the problem, with a major focus on efficiency.

The difficulty of designing MPC protocols depends largely on the power of the adversary. An important distinction is between MPC protocols that offer security against passive (or semi-honest) adversaries, who follow the protocol’s specification but try to learn information from messages they receive, and security against active (or malicious) adversaries, who are allowed to deviate from the protocol’s specification in arbitrary ways. The security guarantees in the passive case are weaker, but the protocols are simpler and more efficient.

A common paradigm for designing actively secure MPC protocols (namely, ones that are secure against active adversaries) is to start with a passively secure protocol and then convert it into an actively secure protocol. Some relevant techniques include general-purpose “GMW-style” compilers that employ zero-knowledge proofs [6, 12], ad-hoc protocols for verifying the correct execution of subprotocols [2, 7], cut-and-choose techniques [18], or “MPC in the head” [15, 16]. These techniques typically involve a significant overhead.

A different technique, which in some cases provides better results, was recently proposed independently by Genkin et al. [11] and Ikarashi et al. [14]. These works observe that in several known passively secure protocols for evaluating arithmetic circuits, the effect of any active adversary is limited to an additive attack on the circuit wires. That is, everything that an adversary can achieve by attacking the real protocol for evaluating \({\mathsf {C}}\) he could have also achieved by attacking an ideal circuit evaluation process in which he can blindly add a field element of his choice to each wire in \({\mathsf {C}}\). In the following, we refer to such protocols as additively corruptible protocols. To secure such a protocol against active adversaries, it is enough to run it on a so-called AMD circuit \(\overline{{\mathsf {C}}}\) – a randomized circuit which is functionally equivalent to \({\mathsf {C}}\) but additionally offers resistance against additive attacks. The results of [11, 14] simplify feasibility results in the information-theoretic setting and obtain efficiency improvements, closing some previous asymptotic efficiency gaps between passively secure and actively secure protocols. This applies to the best known protocols that tolerate an optimal number of corrupted parties (i.e., \(t<n/2\) parties using secure point-to-point channels or \(t<n\) parties in a suitable hybrid model).

Our motivating observation is that the best information-theoretic MPC protocols that tolerate a slightly sub-optimal number of corrupted parties (e.g., \(t<0.49n\)) are not additively corruptible. These protocols replace the standard secret sharing used in optimally resilient protocols by a more efficient packed secret sharing technique, and as a result provide better asymptotic efficiency. The ideal attack corresponding to an active adversary attacking these protocols can include a limited form of linear combinations that combine multiple wire values. As a result, the techniques of [11, 14] do not apply to such protocols. In the following, we refer to such protocols as linearly corruptible protocols.

A second disadvantage of the techniques of [11, 14] is that they are tailored to specific protocols. In particular, the part of the analysis that maps general attacks to additive attacks is done in an ad-hoc way per protocol without a unified framework that captures all additively corruptible protocols.

1.2 Our Contribution

In this paper we address both issues outlined above. First, we present a new general framework for proving that a passively secure protocol is additively or linearly corruptible. This framework is used to reprove previous results from [11] in a more unified way, and is also used to prove our new results. Second, we extend the AMD circuit constructions from [11] to offer security against linear attacks. We use these two types of results to close previous efficiency gaps between passively secure and actively secure information-theoretic protocols based on packed secret sharing.

We consider two regimes for such protocols: the single input, single circuit regime and the Franklin and Yung (FY) [10] regime for simultaneously evaluating \(\ell \) copies of the circuit on different inputs. Notice that the latter is a special case of the former that allows for simpler and more efficient solutions. Currently, all actively secure protocols that rely on packed secret sharing (in both regimes) employ verification methods that introduce at least a quadratic overhead in the number of parties n, for each circuit layer. We reduce this overhead to quasi-linear (or linear in the FY regime), as in the best previous passively secure protocols. In the FY regime, by evaluating the circuit on \(\ell =\Omega (n)\) inputs, the amortized per-layer overhead is reduced to constant, leading to the first actively secure protocols whose amortized communication complexity is only \(O(|C|+n)\) even for circuits that are very narrow and deep. See Table 1 for a more detailed account of our results and a comparison with previous results.

In addition, we point out that the concrete efficiency of \(\mathsf {DIK}\)-style protocols [1, 8] (see the [17]c entry of Table 1) involves prohibitively large constants when applied with a near-optimal security threshold. Indeed, the threshold obtained directly by [8] is \( t < n/4\), which is quite far from the optimal bound of n/2. To improve on this threshold, a general technique due to Bracha [5] is applied for boosting the resilience. The basic idea is that a constant-size committee runs an optimally resilient protocol to emulate the role of each server in the low-threshold protocol. While this technique can be implemented with a constant multiplicative overhead, this constant is very large. Our actively secure protocols natively achieve a near-optimal security threshold with a low overhead, inheriting this feature from the passively secure protocols on which they are based.

Table 1. Comparison of information-theoretic MPC protocols for arithmetic circuits. Below, n is the number of parties, \(\epsilon \) is an arbitrary small positive constant, \({\mathsf {C}}\) is an arithmetic circuit or an \(\mathsf{SIMD} \) circuit, \(d_{\mathsf {C}}\) is the multiplicative depth of \({\mathsf {C}}\), and \({\mathcal {T}}\) is the set of corrupted parties such that \(|{\mathcal {T}}| \le t\). The copies column indicates the number of simultaneously evaluated circuit copies. Passively secure protocols achieve perfect security while actively secure protocols realize \({\mathsf {C}}\) (with abort) with at most \(O(1/|{\mathbb {F}}|)\) simulation error. The communication complexity column counts the total number of field elements exchanged between the parties. For the case of simultaneous evaluation of multiple copies, we count the amortized cost for evaluating a single copy of \({\mathsf {C}}\). The protocols having resilience \(|{\mathcal {T}}| < n\) are constructed on the OT or OLE hybrid model. Note that the \(\widetilde{O}\) notation suppresses logarithmic factors.

A key ingredient in our results is an extension of the additive attacks model considered in [11, 14], which we now explain in more detail. Protocols that utilize packed secret sharing typically operate on SIMD circuits. An SIMD circuit is a generalization of arithmetic circuits, composed of \(\ell \)-gates which take as input two wire bundles of size \(\ell \) and output a wire bundle of size \(\ell \) obtained by performing \(\ell \) point-wise multiplications, additions or subtractions in parallel. Thus, SIMD circuits simultaneously evaluate \(\ell \) copies of the same arithmetic circuit on different inputs. Next, for protocols based on packed secret sharing, the ideal attack corresponding to deviations made by an active adversary can include a limited form of linear combinations of wire values. Thus, we extend the additive attacks considered in [11] to capture a stronger class of attacks, called linear attacks, applied to SIMD circuits.

A linear attack on an SIMD circuit changes the computation of a multiplication \(\ell \)-gate by adding to the gate’s output bundle a linear function \(f:{\mathbb {F}}^{2\ell } \rightarrow {\mathbb {F}}^\ell \) of all the wires in the gate’s two input bundles. In addition, we also allow a linear attack to specify an additive attack on all wire bundles inside the SIMD circuit. We note that for the case where \(\ell =1\) linear attacks are equivalent to additive attacks (see Sect. 2.2 for details).

In the sequel, we prove that for natural protocols based on packed secret sharing, any deviation made by an active adversary actually corresponds to a linear attack on the underlying SIMD circuit.

2 Detailed Overview of Results

2.1 Actively Secure MPC Protocols from AMD/SIMD Circuits

Our approach for constructing actively secure MPC protocols is as follows. We present a general framework and prove that any passively secure protocol \(\pi \) satisfying the framework’s requirements is indeed additively or linearly corruptible, depending on whether \(\pi \) uses packed secret sharing or not. Next, in order to transform any passively secure protocol for evaluating a circuit \({\mathsf {C}}\) which meets the framework’s requirements into an actively secure protocol, we apply the same passive protocol on a different circuit \(\overline{{\mathsf {C}}}^\mathsf{AUG}\), which is essentially the secure version of \({\mathsf {C}}\). We thus transfer the responsibility of handling the consequences of an active adversary deviating from the protocol to \(\overline{{\mathsf {C}}}^\mathsf{AUG}\).

We now describe different applications of our framework for existing MPC protocols. See Table 1 for a concise summary.

Applying our framework to an arithmetic version of the passively secure \(\mathsf{GMW}\) protocol [12, 17], in Theorem 10 we match the results of [11, Theorem 1.5] obtaining an actively secure protocol for computing a circuit \({\mathsf {C}}\), without an honest majority, using \(O(n^2 |C|)\) calls to an OLE-oracle. In the honest majority setting, applying our framework to the passively secure \(\mathsf {DN}\) protocol [9], we match the results of [11, Theorem 1.4] and [14] obtaining an actively secure protocol with communication complexity of \(O(n|C| + n^2)\) field elements.

Next, in the FY regime, by applying our framework to the passively secure \(\mathsf {DIK}\) protocol ([8]a), we improve the result of [17]b by eliminating the dependence of the additive term on the depth of the circuit.

Theorem 1

Let \(n,t,\ell \) be positive integers such that \(n=2t+2\ell -1\) and let \({\mathsf {C}}\) be an n-party SIMD \(\ell \)-circuit over a finite field \({\mathbb {F}}\). Then, there exists a protocol \(\pi \), in the FY regime, that \(\left( t,\epsilon \right) \)-securely computes \({\mathsf {C}}\) with abort for \(\epsilon = O(\ell \log \ell /|{\mathbb {F}}|)\) and with communication complexity of \(O(n|{\mathsf {C}}|+n^2)\) field elements. Setting \(\ell = \Theta (n)\) yields an amortized communication complexity of \(O(|{\mathsf {C}}|+n)\) field elements.

Finally, applying our framework to the passively secure \(\mathsf {DIK}\) protocol in the single input single circuit regime ([8]b), we improve the actively secure protocol of [8]c by reducing its additive term from \(\widetilde{O}(n^2 \cdot d_{\mathsf {C}})\) to \(\widetilde{O}(n \cdot d_{\mathsf {C}}+ n^2)\).

Theorem 2

Let \(n,t,\ell \) be positive integers such that \(n=2t+2\ell -1\) and let \({{\mathsf {C}}}\) be an n-party circuit over a finite field \({\mathbb {F}}\). Then there exists an n-party protocol \(\pi \), in the single circuit single input regime, that \(\left( t,\epsilon \right) \)-securely computes \({\mathsf {C}}\) with abort for \(\epsilon = O(\ell \log \ell /|{\mathbb {F}}|)\) and with communication complexity \(\widetilde{O}\left( (|{\mathsf {C}}|n +n^2 \cdot d_{\mathsf {C}}) / \ell + n^2 \right) \) field elements. By setting \(\ell = \Theta (n)\) we obtain that the communication complexity of \(\pi \) is \(\widetilde{O}\left( |{\mathsf {C}}| +n \cdot d_{\mathsf {C}}+ n^2 \right) \) field elements.

2.2 Additive and Linear Attack Secure AMD/SIMD Circuits

We now define the notion of linear-attack security. Let \({\mathsf {C}}\) be a circuit to be computed. We say that a randomized SIMD circuit \(\overline{{\mathsf {C}}}\) is an \(\epsilon \)-linear-attack secure implementation of \({\mathsf {C}}\) if \(\overline{{\mathsf {C}}}\) correctly computes \({\mathsf {C}}\) when not attacked, and moreover any linear attack on \(\overline{{\mathsf {C}}}\) has the same effect on the outputs of \(\overline{{\mathsf {C}}}\) (up to \(\epsilon \) statistical error) as applying some additive attack on the inputs and outputs of \(\overline{{\mathsf {C}}}\) alone.

Definition 1

(Linear-attack and additive-attack security). A randomized SIMD circuit \(\overline{{\mathsf {C}}}\) is said to be an \(\epsilon \)-linear-attack secure implementation of a (possibly randomized) circuit \({\mathsf {C}}:({\mathbb {F}}^\ell )^n \rightarrow ({\mathbb {F}}^\ell )^k\) if the following holds:

  • Completeness. For all \(\mathbf{x }\in ({\mathbb {F}}^\ell )^n\) it holds that \( \overline{{\mathsf {C}}}(\mathbf{x }) \equiv {\mathsf {C}}(\mathbf{x }). \)

  • Linear-Attack security. For any circuit \(\overline{{\mathsf {C}}}^ \mathbf{L} \) obtained by subjecting \(\overline{{\mathsf {C}}}\) to a linear attack \( \mathbf{L} \), there exist \(\mathbf{a }^{\mathsf {in}}\in ({\mathbb {F}}^\ell )^n\) and a distribution \(\mathbf{{\mathcal {A}} }^{\mathsf {out}}\) over \(({\mathbb {F}}^\ell )^{k}\) such that for any \(\mathbf{x }\in ({\mathbb {F}}^\ell )^n\) it holds that \( SD (\overline{{\mathsf {C}}}^ \mathbf{L} (\mathbf{x }), {\mathsf {C}}(\mathbf{x }+\mathbf{a }^{\mathsf {in}})+\mathbf{{\mathcal {A}} }^{\mathsf {out}}) \le \epsilon \), where SD denotes the statistical distance between two distributions.

Finally, we say that \(\overline{{\mathsf {C}}}\) is an additive-attack-secure implementation of \({\mathsf {C}}\) if \(\overline{{\mathsf {C}}}\) has the same completeness property as above as well as the same security property with the linear attack \( \mathbf{L} \) replaced by an additive attack \( \mathbf{A} \).

Notice that restricting Definition 1 for \(\ell =1\) yields exactly the model considered in [11]. This is the case since for non-SIMD circuits, any additive attack can be converted into a linear attack. Conversely, we notice that a linear attack on the output of a multiplication gate can be easily converted to an additive attack on its two inputs. Notice that this equivalence does not hold when \(\ell >1\).
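As an added illustration that is not from the paper, the following Python models a multiplication \(\ell \)-gate under the linear attacks of Definition 1 and checks, exhaustively over a tiny constructed field, both the \(\ell =1\) conversion of a linear attack into an additive attack on the gate's inputs and output and the failure of that equivalence for \(\ell =2\); the field size, the matrix layout of \(f\) and all function names are assumptions.

```python
import itertools

P = 7   # constructed: tiny prime field so the checks below can be exhaustive


def simd_mul(x, y):
    """An l-gate: point-wise product of two wire bundles of size l."""
    return [(xi * yi) % P for xi, yi in zip(x, y)]


def linear_attacked_mul(x, y, L, a_out):
    """Multiplication l-gate under a linear attack.

    The adversary adds f(x, y) = L * (x || y), a linear function of all 2l
    input wires (L is an l x 2l matrix over F), plus an additive term a_out,
    to the output bundle.
    """
    l, xy, out = len(x), list(x) + list(y), simd_mul(x, y)
    return [(out[i] + sum(L[i][j] * xy[j] for j in range(2 * l)) + a_out[i]) % P
            for i in range(l)]


def additive_attacked_mul(x, y, dx, dy, dout):
    """The same gate under an additive attack on its input and output bundles."""
    xs = [(xi + d) % P for xi, d in zip(x, dx)]
    ys = [(yi + d) % P for yi, d in zip(y, dy)]
    return [(o + d) % P for o, d in zip(simd_mul(xs, ys), dout)]


def linear_to_additive(alpha, beta, gamma):
    """l = 1 conversion: ab + alpha*a + beta*b + gamma equals
    (a + beta)(b + alpha) + (gamma - alpha*beta), i.e. an additive attack on
    the two inputs plus an additive attack on the output wire."""
    return [beta], [alpha], [(gamma - alpha * beta) % P]


def l1_equivalence_holds():
    """Exhaustively verify the l = 1 conversion for every input and attack."""
    for alpha, beta, gamma, a, b in itertools.product(range(P), repeat=5):
        lin = linear_attacked_mul([a], [b], [[alpha, beta]], [gamma])
        dx, dy, dout = linear_to_additive(alpha, beta, gamma)
        if lin != additive_attacked_mul([a], [b], dx, dy, dout):
            return False
    return True


def cross_slot_attack_has_additive_equivalent():
    """l = 2: the linear attack that adds slot 1 of x into slot 0 of the
    output (L[0][1] = 1).  Only slot-0 wires can influence output slot 0
    under an additive attack, so searching the attacks on those three wires
    is without loss of generality; no choice reproduces the linear attack on
    all inputs, because additive attacks cannot reference another slot."""
    L, a_out = [[0, 1, 0, 0], [0, 0, 0, 0]], [0, 0]
    for dx0, dy0, dout0 in itertools.product(range(P), repeat=3):
        if all(linear_attacked_mul([x0, x1], [y0, y1], L, a_out)
               == additive_attacked_mul([x0, x1], [y0, y1],
                                        [dx0, 0], [dy0, 0], [dout0, 0])
               for x0, x1, y0, y1 in itertools.product(range(P), repeat=4)):
            return True
    return False
```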

In Sect. 5, we present a construction for securing circuits against additive attacks. While our construction has the same asymptotic efficiency as the construction of [11], it has much better concrete efficiency, as well as an improved soundness error of \(O(1/|{\mathbb {F}}|)\) (compared to \(O(|C|/|{\mathbb {F}}|)\) in [11]).

Theorem 3

(Cf. Theorem 6.) For any arithmetic circuit \({\mathsf {C}}:{\mathbb {F}}^n \rightarrow {\mathbb {F}}^k\) there exists a randomized circuit \(\overline{{\mathsf {C}}}:{\mathbb {F}}^n \rightarrow {\mathbb {F}}^k\) such that \(\overline{{\mathsf {C}}}\) is an \(\epsilon \)-additive-attack secure implementation of \({\mathsf {C}}\) where \(\epsilon = O(1 / |{\mathbb {F}}|)\) and \(|\overline{{\mathsf {C}}}|=O(|{\mathsf {C}}|)\).

Next, departing from the case of \(\ell =1\), in the full version we present a construction for securing SIMD circuits against linear attacks.

Theorem 4

For any SIMD circuit \({\mathsf {C}}:\left( {\mathbb {F}}^\ell \right) ^n \rightarrow \left( {\mathbb {F}}^\ell \right) ^k\) there exists a randomized SIMD circuit \(\overline{{\mathsf {C}}}\) such that \(\overline{{\mathsf {C}}}\) is an \(\epsilon \)-linear-attack secure implementation of \({\mathsf {C}}\) where \(\epsilon =O \left( \ell \log \ell /{|{\mathbb {F}}|}\right) \) and \(|\overline{{\mathsf {C}}}|= O(|{\mathsf {C}}|+\log \ell )\).

3 Our Techniques

3.1 Constructing Actively Secure MPC Protocols

Our framework for proving that a passively secure protocol \(\pi \) is in fact additively or linearly corruptible consists of three steps. We point out that while these steps modify the original protocols, they are only a thought experiment used to prove the main claim about the effect of an active adversary on the underlying circuit that the parties try to evaluate. The only real modification required to the protocol in order to transform it into an actively secure protocol is to execute it on an additive-attack or linear-attack secure circuit (see below).

Step 1: Protocol Randomization. In order to convert an active adversary controlling a set of parties \({\mathcal {T}}\) to an additive attack, we first transform a protocol \(\pi \) to another protocol \(\pi ^{\mathcal {T}}\) such that all the messages \(m_{{\overline{{\mathcal {T}}}},{\mathcal {T}}}\) sent by the parties in \({\overline{{\mathcal {T}}}}\) to the parties in \({\mathcal {T}}\) (except during the last communication round) syntactically depend only on the randomness of \(\pi \). In particular, we require that \(m_{{\overline{{\mathcal {T}}}},{\mathcal {T}}}\) does not depend on the inputs \(\mathbf{x }_{\overline{{\mathcal {T}}}}\) of the parties in \({\overline{{\mathcal {T}}}}\) or on the messages that the parties in \({\overline{{\mathcal {T}}}}\) receive during the protocol. In such a case we say that \(\pi ^{\mathcal {T}}\) is \({\mathcal {T}}\)-randomized.

We first show that for many natural MPC protocols, for any set of parties \({\mathcal {T}}\), such that \(|{\mathcal {T}}|\) is below the privacy threshold of a protocol, it is possible to construct a \({\mathcal {T}}\)-randomized protocol, \(\pi ^{\mathcal {T}}\), such that any deviation from \(\pi \) made by an active adversary has the same effect as performing the same deviation from \(\pi ^{\mathcal {T}}\). In this case we say that \(\pi ^{\mathcal {T}}\) is \({\mathcal {T}}\)-equivalent to \(\pi \). See Definition 3.

Notice that the \({\mathcal {T}}\)-randomization requirement is stronger than privacy. This is because \({\mathcal {T}}\)-randomization requires that the values of \(m_{{\overline{{\mathcal {T}}}},{\mathcal {T}}}\) do not depend on the inputs of the parties in \({\overline{{\mathcal {T}}}}\) or on the messages that the parties in \({\overline{{\mathcal {T}}}}\) received, whereas privacy makes a similar requirement only on the distribution of \(m_{{\overline{{\mathcal {T}}}},{\mathcal {T}}}\). See Step 2 for the necessity of the \({\mathcal {T}}\)-randomization requirement.

Step 2: From General Adversaries to Additive Attacks. We now reduce any adversary controlling a set of parties \({\mathcal {T}}\), attacking a \({\mathcal {T}}\)-randomized protocol \(\pi \), to an additive attack on the protocol circuit \({\mathsf {C}}_\pi \), where \({\mathsf {C}}_\pi \) is a direct implementation of the arithmetic operations performed by \(\pi \). \({\mathsf {C}}_\pi \) gets as input the inputs \(\mathbf{x }\) of the parties in \(\pi \) as well as the randomness \(\mathbf{r }\) used in \(\pi \). It then evaluates \(\pi \) on inputs \((\mathbf{x };\mathbf{r })\) and outputs the outputs of all the parties following an execution of \(\pi (\mathbf{x };\mathbf{r })\).

Since \(\pi \) is \({\mathcal {T}}\)-randomized, we can simulate, from the randomness \(\mathbf{r }\) for \(\pi \) and from the inputs \(\mathbf{x }_{\mathcal {T}}\), the view \(\widetilde{u}_{{\mathcal {T}}}\) (except during the last round) of the parties in \({\mathcal {T}}\). Next, we determine the additive attack on \({\mathsf {C}}_\pi \) corresponding to an adversary \(\mathsf{Adv}\) controlling the parties in \({\mathcal {T}}\) as follows. We first honestly simulate the parties in \({\mathcal {T}}\) on their view \(\widetilde{u}_{{\mathcal {T}}}\) and obtain the messages \({\widetilde{m}}_{{{\mathcal {T}}},{{\overline{{\mathcal {T}}}}}}\) sent by the parties in \({\mathcal {T}}\) to the parties in \({\overline{{\mathcal {T}}}}\) during an honest execution of \(\pi \). Next, we invoke \(\mathsf{Adv}\) on the view \(\widetilde{u}_{{\mathcal {T}}}\) and obtain the messages \(\widetilde{m}^\mathsf{Adv}_{{{\mathcal {T}}},{{\overline{{\mathcal {T}}}}}}\) sent by the parties in \({\mathcal {T}}\) to the parties in \({\overline{{\mathcal {T}}}}\) during a real execution of \(\pi \) in the presence of \(\mathsf{Adv}\). Finally, we determine the additive attack \( \mathbf{A} \) on \({\mathsf {C}}_\pi \) by computing \( \mathbf{A} \leftarrow \widetilde{m}^\mathsf{Adv}_{{{\mathcal {T}}},{{\overline{{\mathcal {T}}}}}}-{\widetilde{m}}_{{{\mathcal {T}}},{{\overline{{\mathcal {T}}}}}}\).

Since \(\pi \) is \({\mathcal {T}}\)-randomized, it is the case that inside \({\mathsf {C}}_\pi \) under the additive attack \( \mathbf{A} \) it holds that \( \widetilde{m}^\mathsf{Adv}_{{{\mathcal {T}}},{{\overline{{\mathcal {T}}}}}}= {\widetilde{m}}_{{{\mathcal {T}}},{{\overline{{\mathcal {T}}}}}} + \mathbf{A} \), for any input \(\mathbf{x }_{\overline{{\mathcal {T}}}}\) of the parties in \({\overline{{\mathcal {T}}}}\) as well as for any messages that these parties receive during \(\pi \). We thus correctly simulate, inside \({\mathsf {C}}_\pi \), the effect of \(\mathsf{Adv}\) on \(\pi \). Notice that this is not necessarily true in case \(\pi \) is merely \({\mathcal {T}}\)-private, since for any selection of the randomness \(\mathbf{r }\), the specific values of the messages sent by the parties in \({\overline{{\mathcal {T}}}}\) to \(\mathsf{Adv}\) might depend on their inputs \(\mathbf{x }_{\overline{{\mathcal {T}}}}\) to \(\pi \). Since \(\mathbf{x }_{\overline{{\mathcal {T}}}}\) is not known to the simulator, it cannot generate the correct view \(\widetilde{u}_{{\mathcal {T}}}\) required in order to compute \(\widetilde{m}^\mathsf{Adv}_{{{\mathcal {T}}},{{\overline{{\mathcal {T}}}}}}\) and \({\widetilde{m}}_{{{\mathcal {T}}},{{\overline{{\mathcal {T}}}}}}\).

Step 3: Translate Attacks on \({\mathsf {C}}_\pi \) to Attacks on \({\mathsf {C}}\). We translate additive attacks on \({\mathsf {C}}_\pi \) to equivalent attacks on \({\mathsf {C}}\). In Sect. 7, we present the notion of homomorphic circuits and prove that if a circuit \({\mathsf {C}}'\) is homomorphic to a circuit \({\mathsf {C}}\), then for any additive attack \( \mathbf{A} '\) on \({\mathsf {C}}'\) there exists an equivalent additive attack \( \mathbf{A} \) on \({\mathsf {C}}\) such that \({\mathsf {C}}^ \mathbf{A} (\mathbf{x }) = {\mathsf {C}}'^{ \mathbf{A} '}(\mathbf{x })\) for all \(\mathbf{x }\). Next, extending the notion of circuit homomorphism to SIMD circuits, in the full version we define the notion of \(\ell \)-homomorphic circuits and prove that if a circuit \({\mathsf {C}}'\) is \(\ell \)-homomorphic to an SIMD circuit \({\mathsf {C}}\), then for any additive attack \( \mathbf{A} '\) on \({\mathsf {C}}'\) there exists an equivalent linear attack \( \mathbf{L} \) on \({\mathsf {C}}\) such that \({\mathsf {C}}^ \mathbf{L} (\mathbf{x }) = {\mathsf {C}}'^{ \mathbf{A} '}(\mathbf{x })\) for all \(\mathbf{x }\).

Application to Natural MPC Protocols. In Sect. 8 we apply the above transformations to the arithmetic version of the passively secure \(\mathsf{GMW}\) protocol, proving that it is additively corruptible. Next, in the full version we apply the above transformations to the passively secure \(\mathsf {DN}\) and \(\mathsf {DIK}\) protocols, proving that these protocols are additively and linearly corruptible, respectively.

MPC Protocols Using Linear or Additive Attack Secure Circuits. The notions of linear and additive-attack security only require that any attack will be equivalent to an additive attack on the inputs and the outputs of the evaluated circuit. Thus, directly executing an additively or linearly corruptible MPC protocol over an additive-attack secure or linear-attack secure circuit \({\mathsf {C}}\) still leaves the inputs and the outputs of \({\mathsf {C}}\) unprotected. Instead, before securing \({\mathsf {C}}\) against additive or linear attacks, we first modify \({\mathsf {C}}\) to \({\mathsf {C}}^\mathsf{AUG}\) which gets as inputs an AMD encoding of \({\mathsf {C}}\)’s inputs and produces an encoding of \({\mathsf {C}}\)’s outputs. We then transform \({\mathsf {C}}^\mathsf{AUG}\) to an additive-attack or linear-attack secure circuit \(\overline{{\mathsf {C}}}^\mathsf{AUG}\) and evaluate \(\overline{{\mathsf {C}}}^\mathsf{AUG}\) using a passively secure protocol, asking each party to locally compute an AMD encoding of the inputs as well as locally decode the outputs.

3.2 Securing Circuits Against Additive and Linear Attacks

We first present our techniques for additive-attack security (see Sect. 5). Given a circuit \({\mathsf {C}}\), in the additive-attack secure version \(\overline{{\mathsf {C}}}\) of \({\mathsf {C}}\), every wire of \({\mathsf {C}}\) is paired with a wire that carries a corresponding MAC tag. Next, each gate in \({\mathsf {C}}\) is replaced by a small gadget computing the gate’s result as well as its corresponding MAC tag. In addition, this gadget also gets as inputs the MAC tags corresponding to the gate’s inputs. Using these tags, the gadget verifies that the gate’s result was computed correctly. Notice that the MAC tag verification itself is also vulnerable to additive (and later linear) attacks. However, we construct the verification circuit in such a way that even in the presence of attacks, it outputs a random value if the MAC computation or MAC verification fails for some gate.

The Basic Additive-Attack Secure Circuit Compiler. Similar to [4, 11] we use a multiplicative MAC in order to additive-attack secure the output of each gate. Concretely, for each input gate \(\mathtt {a}\), its corresponding MAC tag will be \(\mathtt {a'}= \mathtt {a}\cdot \mathtt {v}\) where \(\mathtt {v}\) is a randomly selected field element acting as the MAC key (fixed to be the same value for all gates). Next, for every addition gate \(\mathtt {c}= \mathtt {a}+ \mathtt {b}\) with inputs \(\mathtt {a}\), \(\mathtt {b}\) and associated MAC tags \(\mathtt {a'}\), \(\mathtt {b'}\), we compute the MAC tag \(\mathtt {c'}\) associated with \(\mathtt {c}\) directly by computing \(\mathtt {c'}= \mathtt {a'}+ \mathtt {b'}\).

For every multiplication gate \(\mathtt {c}= \mathtt {a}\cdot \mathtt {b}\) with inputs \(\mathtt {a}\), \(\mathtt {b}\) and associated MAC tags \(\mathtt {a'}\), \(\mathtt {b'}\), we need to ensure the correct computation of \(\mathtt {c}= \mathtt {a}\cdot \mathtt {b}\). Given a MAC tag of the expected result of \(\mathtt {c}\) and the MAC tags of \(\mathtt {a},\mathtt {b}\), we could have verified that under an additive attack indeed \(\mathtt {c}\cdot \mathtt {v}= \mathtt {a}\cdot \mathtt {b}\cdot \mathtt {v}\). Thus, we must somehow combine the (assumed to be correct) MAC tag values \(\mathtt {a'}= \mathtt {a}\cdot \mathtt {v}\) and \(\mathtt {b'}= \mathtt {b}\cdot \mathtt {v}\) in order to generate the tag of the expected result \(\mathtt {a}\cdot \mathtt {b}\cdot \mathtt {v}\). Moreover, this tag generation must be done in such a way that ensures that no combination of attacks on the tag generation circuit and on the multiplication gate’s actual computation, can produce an incorrect result without being detected.

In [11], this was solved by setting the MAC tag \(\mathtt {c'}\) to be \(\mathtt {c'}= \mathtt {a'}\cdot \mathtt {b'}= \mathtt {a}\cdot \mathtt {b}\cdot \mathtt {v}^2\). The construction of [11] was based on the fact that an additive attack \( \mathbf{A} \) on the computation of \(\mathtt {c'}^ \mathbf{A} = (\mathtt {a'}+ \mathbf{A} _{{\mathtt {a'}},{\mathtt {c'}}})(\mathtt {b'}+ \mathbf{A} _{{\mathtt {b'}},{\mathtt {c'}}})\) introduces additional monomials of the form \( \mathbf{A} _{{\mathtt {b'}},{\mathtt {c'}}} \cdot \mathtt {a'}= \mathbf{A} _{{\mathtt {b'}},{\mathtt {c'}}} \cdot \mathtt {a}\mathtt {v}\) or \( \mathbf{A} _{{\mathtt {a'}},{\mathtt {c'}}} \cdot \mathtt {b'}= \mathbf{A} _{{\mathtt {a'}},{\mathtt {c'}}} \cdot \mathtt {b}\mathtt {v}\) and it cannot introduce additional monomials of the form \(\mathtt {a'}\cdot \mathtt {b'}= \mathtt {a}\cdot \mathtt {b}\cdot \mathtt {v}^2\), where \( \mathbf{A} _{{\mathtt {a}'},{\mathtt {c}'}}\) denotes the attack \( \mathbf{A} \) restricted to the wire connecting the gates \(\mathtt {a}',\mathtt {c}'\) inside \({\mathsf {C}}\). Next, in [11] it was shown that in case these additional monomials are present, they cannot be canceled out by any other combination of additive attacks, thereby making \(\overline{{\mathsf {C}}}\) abort the computation by masking its results with a completely random value.

The main problem with the basic construction of [11] is that even when no attacks are present, the degree of the MAC key \(\mathtt {v}\) inside \(\mathtt {c'}\) increases from \(\mathtt {v}\) to \(\mathtt {v}^2\). This limits the construction of [11] to only low-degree circuits as well as requiring complicated ad-hoc gadgets to support addition and subtraction gates with MAC tags having different degrees of \(\mathtt {v}\). Finally, in order to additive-attack secure arbitrary-degree circuits, [11] employs a degree reduction procedure vastly increasing the concrete overhead of the overall construction.

An Efficient MAC Combination Gadget. In Construction 1, we solve the problem of combining MAC tags in a different way. Let \(\mathtt {a'}= \mathtt {a}\cdot \mathtt {v}\) and \(\mathtt {b'}= \mathtt {b}\cdot \mathtt {v}\). We first compute \(\mathtt {c'}\) as \(\mathtt {c'}= \mathtt {a'}\cdot \mathtt {b}= (\mathtt {a}\cdot \mathtt {v}) \cdot \mathtt {b}\). Moreover, we also compute \(\mathtt {c''}= \mathtt {a}\cdot \mathtt {b'}= \mathtt {a}\cdot (\mathtt {b}\cdot \mathtt {v})\). Therefore, if no additive attack is present, it is always the case that \(\mathtt {c'}- \mathtt {c''}= 0\). However, notice that an additive attack on \(\mathtt {c'}\) can only produce monomials of the form \( \mathbf{A} _{{\mathtt {a'}},{\mathtt {c'}}} \cdot \mathtt {b}\) or of the form \( \mathbf{A} _{{\mathtt {b}},{\mathtt {c'}}} \cdot (\mathtt {a}\cdot \mathtt {v}) \). In contrast, notice that any additive attack on \(\mathtt {c''}\) can only produce monomials of the form \( \mathbf{A} _{{\mathtt {a}},{\mathtt {c''}}} \cdot (\mathtt {b}\cdot \mathtt {v}) \) and \( \mathbf{A} _{{\mathtt {b'}},{\mathtt {c''}}} \cdot \mathtt {a}\), which cannot be canceled out by any of the monomials produced by the attack on \(\mathtt {c'}\). Thus, by checking that \(\mathtt {c'}- \mathtt {c''}= 0\), we either obtain that \(\mathtt {c'}- \mathtt {c''}\) is non-zero with high probability (making the entire circuit abort) or that no attack was mounted on the circuits computing \(\mathtt {c'}\) and \(\mathtt {c''}\). In the latter case, we obtain that \(\mathtt {c'}= \mathtt {a}\cdot \mathtt {b}\cdot \mathtt {v}\), which is the correct MAC tag of the expected result of the multiplication gate \(\mathtt {c}= \mathtt {a}\cdot \mathtt {b}\) under the key \(\mathtt {v}\).

Computing Multiplication Gates. Next, we use the MAC tag \(\mathtt {c'}\) computed previously in order to verify the correct computation of \(\mathtt {c}\). We achieve this by computing the output \(\mathtt {c}\) and then computing its MAC tag by multiplying it with the MAC key \(\mathtt {v}\). Next, we check that this result matches the known-good MAC tag \(\mathtt {c'}\). This last check is implemented by computing \(\mathtt {c}\cdot \mathtt {v}- \mathtt {c'}\) and having \(\overline{{\mathsf {C}}}\) abort in case \(\mathtt {c}\cdot \mathtt {v}- \mathtt {c'}\ne 0\). Notice that any additive attack on \(\mathtt {c}\) can only introduce (after the multiplication by the MAC key) monomials of the form \(\mathtt {a}\cdot \mathtt {v}\) or \(\mathtt {b}\cdot \mathtt {v}\), which cannot be canceled out by the MAC tag \(\mathtt {a}\cdot \mathtt {b}\cdot \mathtt {v}\). Hence, we conclude that in the presence of an additive attack the gate output check fails, making \(\overline{{\mathsf {C}}}\) abort.

Computing Addition Gates. Notice that in the above described construction, the degree of the MAC key \(\mathtt {v}\) in every tag is always 1; in particular, it does not increase after the computation of multiplication gates. Therefore, given an addition gate \(\mathtt {c}= \mathtt {a}+ \mathtt {b}\), we can compute the MAC tag for \(\mathtt {c}\) by computing \(\mathtt {c'}= \mathtt {a'}+ \mathtt {b'}\). This avoids the ad-hoc gadget of [11] for computing MAC tags in an additive-attack secure way when the inputs of the addition gate have different degrees. Eliminating this gadget also simplifies the circuit randomization process (see below).

Avoiding Degree-Reduction. Next, since the degree of the key does not increase after the execution of each multiplication, we can directly protect arbitrary circuits against additive attacks without the need to reduce the degree (in contrast to the construction of [11]). This, together with a simplified circuit randomization process (described below), yields a large improvement in the concrete overhead of the construction compared to the construction of [11].

Circuit Randomization Process. The above described construction only achieves additive-attack security for the case where the inputs to each multiplication gate are almost random (see Definition 5). Moreover, it is also required that each input of \({\mathsf {C}}\) is almost random (individually). We force the inputs of a multiplication gate \(\mathtt {c}= \mathtt {a}\cdot \mathtt {b}\) to be almost random as follows. First, we additively secret share \(\mathtt {a}\) and \(\mathtt {b}\) into \((\mathtt {a}-\mathtt r_1,\mathtt r_1)\) and \((\mathtt {b}-\mathtt r_2,\mathtt r_2)\). We then compute the output of \(\mathtt {c}\) as \(\mathtt {c}= (\mathtt {a}-\mathtt r_1)(\mathtt {b}-\mathtt r_2) + (\mathtt {a}-\mathtt r_1) \cdot \mathtt r_2 + \mathtt r_1 \cdot (\mathtt {b}-\mathtt r_2)+ \mathtt r_1 \cdot \mathtt r_2 = \mathtt {a}\cdot \mathtt {b}\). Notice that in this case, the inputs of every multiplication gate are uniformly random. Randomizing the inputs of \({\mathsf {C}}\) is done similarly; see the full version for details.

Protecting SIMD Circuits Against Linear Attacks. As described above, a linear attack \( \mathbf{L} \) on a multiplication gate \({\varvec{\mathsf {c}}}\) with input gates \({\varvec{\mathsf {a}}}\) and \({\varvec{\mathsf {b}}}\) specifies a linear function \(f:{\mathbb {F}}^{2\ell } \rightarrow {\mathbb {F}}^\ell \) (in the gate’s input bundles) to be added to the gate’s output bundle. We specify f using two \(\ell \times \ell \) matrices \( \mathbf{L} _{{{\varvec{\mathsf {a}}}},{{\varvec{\mathsf {c}}}}}\) and \( \mathbf{L} _{{{\varvec{\mathsf {b}}}},{{\varvec{\mathsf {c}}}}}\), changing the computation performed by \({\varvec{\mathsf {c}}}\) to be \({\varvec{\mathsf {c}}}= {\varvec{\mathsf {a}}}\odot {\varvec{\mathsf {b}}}+ \mathbf{L} _{{{\varvec{\mathsf {a}}}},{{\varvec{\mathsf {c}}}}} \cdot {\varvec{\mathsf {a}}}+ \mathbf{L} _{{{\varvec{\mathsf {b}}}},{{\varvec{\mathsf {c}}}}} \cdot {\varvec{\mathsf {b}}}\). Notice that \( \mathbf{L} \) only introduces monomials of the form \( \mathbf{L} _{{{\varvec{\mathsf {a}}}},{{\varvec{\mathsf {c}}}}} \cdot {\varvec{\mathsf {a}}}\), \( \mathbf{L} _{{{\varvec{\mathsf {b}}}},{{\varvec{\mathsf {c}}}}} \cdot {\varvec{\mathsf {b}}}\) but not of the form \({\varvec{\mathsf {a}}}\odot {\varvec{\mathsf {b}}}\), where \(\odot \) denotes \(\ell \)-wide point-wise multiplication of two wire bundles. In the full version, we extend the high-level ideas of the above described construction to handle SIMD circuits and linear attacks.

Next, our basic construction for transforming an SIMD circuit \({\mathsf {C}}\) into a functionally-equivalent linear-attack secure SIMD circuit \(\overline{{\mathsf {C}}}\) guarantees that every linear attack on \(\overline{{\mathsf {C}}}\) is either equivalent to an additive attack on the inputs and outputs of \({\mathsf {C}}\), or some wire in a special bundle, which denotes an error flag inside \(\overline{{\mathsf {C}}}\), becomes non-zero. In such a case, we would like another bundle to be almost random. In the full version, we design a special-purpose gadget, called the \(\overline{\mathsf{Mix}} \) circuit, which satisfies this property even in the presence of linear attacks.

4 Preliminaries

Arithmetic Circuits. Following [11], an arithmetic circuit \({\mathsf {C}}\) is a directed acyclic graph whose vertices are called gates and whose edges are called wires. Every in-degree 0 gate in \({\mathsf {C}}\) is labeled by a variable from a set of variables \(X = \{x_1,\ldots ,x_n\}\) and is referred to as an \(\mathsf {input}\) gate. All other gates have in-degree 2, are labeled by elements from \(\{+,-,\times \}\) and are referred to as \(\mathsf{add }, \mathsf{sub}\) and \(\mathsf{mult}\) gates, respectively. Every gate of out-degree 0 is called an \(\mathsf{output }\) gate. We assume that the output gates are ordered. In some cases we also allow in-degree 0 gates labeled by \(\mathsf{rand}\) and referred to as randomness gates. A circuit containing \(\mathsf{rand}\) gates is called a randomized circuit. For a (possibly randomized) circuit \({\mathsf {C}}\) and for a gate \(\mathsf g\) of \({\mathsf {C}}\) we denote by \(\mathsf {g}_\mathbf{x }\) the distribution of the output value of \(\mathsf {g}\) (defined in the natural way) when \({\mathsf {C}}\) is evaluated on an input \(\mathbf{x }\).

SIMD Circuits. An \(\mathsf{SIMD} \) circuit with bundle size \(\ell \) is defined similarly to arithmetic circuits. We refer to the edges of an SIMD circuit \({\mathsf {C}}\) as wire bundles or bundles and to the vertices of an SIMD circuit as \(\ell \)-gates. We write \({\mathsf {C}}:\left( {\mathbb {F}}^\ell \right) ^n \rightarrow \left( {\mathbb {F}}^\ell \right) ^k\) to indicate that \({\mathsf {C}}\) is an SIMD circuit with n input bundles and k output bundles. Each multiplication, addition or subtraction \(\ell \)-gate of an SIMD circuit gets as input two wire bundles of size \(\ell \) and outputs a bundle of size \(\ell \) obtained by performing \(\ell \) point-wise multiplications, additions or subtractions in parallel.

We also allow SIMD circuits to contain an additional type of \(\ell \)-gates with in-degree and out-degree 1, referred to as routing \(\ell \)-gates. Each routing \(\ell \)-gate is labeled by a function \(\rho :[\ell ] \rightarrow [\ell ]\). We shall sometimes refer to these routing \(\ell \)-gates as \(\rho \)-gates. A \(\rho \)-gate on an input bundle \({\varvec{\mathsf {a}}}=(a_1,\ldots ,a_\ell )\) outputs a bundle \({\varvec{\mathsf {b}}}=(b_1,\ldots ,b_\ell )\) such that \(b_i=a_{\rho (i)}\) for all \(1 \le i \le \ell \).

Additive Attacks. An additive attack \( \mathbf{A} \) changes the computation performed by a circuit \({\mathsf {C}}\) by specifying for every wire in \({\mathsf {C}}\), connecting gates \(\mathtt {a}\) and \(\mathtt {b}\), a value to be added to the output of \(\mathtt {a}\). The derived value is then used for the computation of \(\mathtt {b}\). In addition, \( \mathbf{A} \) specifies values to be added to the outputs of \({\mathsf {C}}\). Note that an additive attack on a circuit \({\mathsf {C}}\) is a fixed vector of field elements which is independent from the inputs and internal values of \({\mathsf {C}}\).

Linear Attacks. A linear attack \( \mathbf{L} \) on an SIMD circuit changes the computation of a multiplication \(\ell \)-gate by adding to each wire in the gate’s output bundle a linear function of all the wires in the gate’s two input bundles. In particular, for any multiplication \(\ell \)-gate \({\varvec{\mathsf {c}}}\) with input bundles \({\varvec{\mathsf {a}}}\) and \({\varvec{\mathsf {b}}}\), a linear attack \( \mathbf{L} \) specifies a linear function \(f:{\mathbb {F}}^{2\ell } \rightarrow {\mathbb {F}}^\ell \) such that the output bundle of \({\varvec{\mathsf {c}}}\) is equal to \({\varvec{\mathsf {c}}}={\varvec{\mathsf {a}}}\odot {\varvec{\mathsf {b}}}+ f({\varvec{\mathsf {a}}},{\varvec{\mathsf {b}}})\), where \(\odot \) denotes point-wise multiplication of two wire bundles. In addition, similar to additive attacks, we allow a linear attack \( \mathbf{L} \) to specify an additive attack \( \mathbf{L} ^\mathsf{out}\) on the outputs of the SIMD circuit \({\mathsf {C}}\).

Attacks on Addition and Subtraction Gates. We do not allow linear attacks on addition and subtraction gates. This is because, by mounting an attack of the form \(f(\mathtt {a},\mathtt {b}) = -\mathtt {a}-\mathtt {b}\), the adversary is able to fix the output of an addition gate \({\varvec{\mathsf {c}}}= {\varvec{\mathsf {a}}}+{\varvec{\mathsf {b}}}- {\varvec{\mathsf {a}}}-{\varvec{\mathsf {b}}}\) to be always zero. Therefore, allowing such attacks means that it is possible to override the output of these gates with an arbitrary value. Such attacks are not supported by our constructions.

Additive Attacks on SIMD Circuits. Note that allowing additive attacks on wire bundles of SIMD circuits (in addition to linear attacks) does not provide the adversary with additional capabilities for modifying the circuit’s computation. This is because for any pair of attacks \(( \mathbf{A} , \mathbf{L} )\) on an SIMD circuit \({\mathsf {C}}\), where \( \mathbf{A} \) is an additive attack and \( \mathbf{L} \) is a linear attack, there exists a functionally-equivalent linear attack \( \mathbf{L} '\). The linear attack \( \mathbf{L} '\) can be constructed as follows. First, the additive attacks specified by \( \mathbf{A} \) can be pushed “downstream” through the circuit until the inputs of the multiplication gates and the outputs of the output gates. Next, the additive attacks on the inputs of a multiplication gate \({\varvec{\mathsf {c}}}\) can be added to the diagonal of the appropriate matrices specified by \( \mathbf{L} \), yielding \( \mathbf{L} '\).

Additive Attacks in Secure Multi-party Computation. In the following we define the notion of additively corruptible versions of a functionality. Without loss of generality, we only consider functionalities where only \(P_1\) gets an output. That is, functionalities of the form \(f:{\mathbb {F}}^{I_1} \times \cdots \times {\mathbb {F}}^{I_n} \rightarrow {\mathbb {F}}^{O_1}\) where (\(I_1,\cdots ,I_n, O_1\)) are positive integers. Note that we can move to individual outputs using a standard transformation (See [13, Sect. 2.5.2]).

Definition 2

Let \({\mathsf {C}}\) be an n-party circuit. We define the additively corruptible version of \({\mathsf {C}}\) to be an n-party functionality \(f_{{\mathsf {C}}}^ \mathbf{A} \) that takes additional input from the adversary representing an additive attack, \( \mathbf{A} \), on \({\mathsf {C}}\). For an input \(\mathbf{x }\) and additive attack \( \mathbf{A} \), \(f_{{\mathsf {C}}}^ \mathbf{A} \) outputs \({{\mathsf {C}}}^ \mathbf{A} (\mathbf{x })\). The notion of a linearly corruptible circuit is defined similarly, replacing the additive attack \( \mathbf{A} \) with a linear attack \( \mathbf{L} \).

Next, we define the notion of \({\mathcal {T}}\)-equivalent protocols.

Definition 3

Let \(\pi \) and \(\pi '\) be two protocols for computing an n-party circuit \({\mathsf {C}}\) in the f and \(f'\) hybrid models respectively. We say that \(\pi \) is \({\mathcal {T}}\)-equivalent to \(\pi '\) if for any adversary \(\mathsf{Adv}\) controlling a set of parties \({\mathcal {T}}\subseteq {\mathcal {P}}\) and for any input \(\mathbf{x }\) it holds that \(\mathsf{Real }_{\pi ,{\mathcal {T}}}^{\mathsf{Adv},f}(\mathbf{x }) \equiv \mathsf{Real }_{\pi ',{\mathcal {T}}}^{\mathsf{Adv},f'}(\mathbf{x }).\)

5 Additive Security for Arithmetic Circuits

In this section we simplify the construction of [11] improving its additive-attack security from \(O(|{\mathsf {C}}|/|{\mathbb {F}}|)\) to \(O(1/|{\mathbb {F}}|)\), as well as improving its concrete efficiency. Following the approach of [11], we first present a simpler construction whose security holds only when the circuit’s wire values satisfy some local randomness property (Construction 1). In the full version, we show how to eliminate this assumption by applying general transformations to the circuit.

We begin by defining additive-attack security for specific input distributions.

Definition 4

Let \({\mathbb {F}}\) be a finite field, \({\mathsf {C}}:{\mathbb {F}}^n \rightarrow {\mathbb {F}}^k\) an arithmetic circuit, and I a distribution over \({\mathbb {F}}^n\). We say that a circuit \(\overline{{\mathsf {C}}}:{\mathbb {F}}^n \rightarrow {\mathbb {F}}^{k+1}\) is an \(\epsilon \)-additive-attack secure implementation of C with respect to I if the following holds:

  • Completeness. For all \(\mathbf{x }\in {\mathbb {F}}^n\), \(\overline{{\mathsf {C}}}(\mathbf{x }) \equiv {\mathsf {C}}(\mathbf{x }).\)

  • Security with respect to I. For any additive attack \( \mathbf{A} \), there exists \(\mathbf{a }^{\mathsf {in}}\in {\mathbb {F}}^n\) and a distribution \(\mathbf{{\mathcal {A}} }^{\mathsf {out}}\) over \({\mathbb {F}}^{k}\) such that \( SD (\overline{{\mathsf {C}}}^ \mathbf{A} (I), {\mathsf {C}}(I+\mathbf{a }^{\mathsf {in}})+\mathbf{{\mathcal {A}} }^{\mathsf {out}}) \le \epsilon . \)

The construction guarantees security as defined in Definition 1 with \(\epsilon = O\left( 1/|{\mathbb {F}}|\right) \), under the assumption that the inputs of the circuit as well as the inputs of each multiplication gate are sufficiently random. Unlike the basic construction of [11], the construction described in this section does not require the randomization of the inputs of addition and subtraction gates. Thus, below we define a weaker notion of locally random circuits compared to the one used in [11], by not imposing any requirement about the inputs of addition and subtraction gates. This also greatly simplifies the construction of such circuits.

Definition 5

(Locally Random Circuits). Let \({\mathbb {F}}\) be a finite field, \({\mathsf {C}}\) be a randomized arithmetic circuit. We say that \({\mathsf {C}}\) is locally \(\epsilon \)-random with respect to a distribution I if the following two properties hold.

  1. Local Randomization of Input Gates. For any \(y \in {\mathbb {F}}\) and for any \(1 \le i \le n\), the probability over selecting \(\mathbf{x }\leftarrow I\) that \(x_i=y\) is at most \(|{\mathbb {F}}|\cdot \epsilon \).

  2. Local Randomization of Multiplication Gates. For any \((y,z) \in {\mathbb {F}}^2\) and any pair of gates \((\mathtt {a},\mathtt {b})\) whose outputs are the inputs to some multiplication gate in \({\mathsf {C}}\), the probability, over the internal randomness of \({\mathsf {C}}\) and the selection \(\mathbf{x }\leftarrow I\), that \((\mathtt {a}_\mathbf{x },\mathtt {b}_\mathbf{x })=(y,z)\) is at most \(\epsilon \).

We now present our basic construction for constructing additive-attack circuits.

Construction 1

Let \({\mathsf {C}}:{\mathbb {F}}^n \rightarrow {\mathbb {F}}^k\) be a circuit. Define a circuit \(\overline{{\mathsf {C}}}\) that on input \(\mathbf{x }\) computes \( \mathbf{z }= {\mathsf {C}}(\mathbf{x })\) and then performs the following:

MAC Generation Circuit:

  1. Generate random elements \(\mathtt r,\mathtt {v}\in {\mathbb {F}}\) and compute \(\mathtt {r'}\leftarrow \mathtt r\cdot \mathtt {v}\).

  2. For each input gate \(\mathtt {c}\), compute the value \(\mathtt {c'}\leftarrow \mathtt {c}\cdot \mathtt {v}\).

  3. For each non-input gate \(\mathtt {c}\), let \(\mathtt {a}\), \(\mathtt {b}\) be its inputs and let \(\mathtt {a'}\), \(\mathtt {b'}\) be the MAC tags corresponding to \(\mathtt {a}\) and \(\mathtt {b}\). Compute the MAC tag \(\mathtt {c'}\) as follows:

     (a) If \(\mathtt {c}\) is a multiplication gate, let \(\mathtt {c'}\leftarrow \mathtt {a'}\cdot \mathtt {b}\) and let \(\mathtt {c''}\leftarrow \mathtt {a}\cdot \mathtt {b'}\).

     (b) If \(\mathtt {c}\) is an addition gate, let \(\mathtt {c'}\leftarrow \mathtt {a'}+\mathtt {b'}\). Similarly, if \(\mathtt {c}\) is a subtraction gate, let \(\mathtt {c'}\leftarrow \mathtt {a'}-\mathtt {b'}\).

MAC Checking Circuit:

  4. For every input gate \(\mathtt {c}\) in \({\mathsf {C}}\), generate a random element \(\mathtt {t}^\mathtt {c}\) and compute \(\mathsf {g}^\mathtt {c}\leftarrow \mathtt {c}+ \mathtt r\), \(\mathtt {h'}^\mathtt {c}\leftarrow \mathtt {c'}+ \mathtt {r'}\), \(\mathtt {g'}^\mathtt {c}\leftarrow \mathsf {g}^\mathtt {c}\cdot \mathtt {v}\), \(\mathtt {f}^\mathtt {c}\leftarrow \mathtt {h'}^\mathtt {c}- \mathtt {g'}^\mathtt {c}\).

  5. Compute \(\mathtt {f}_1 \leftarrow \sum _{\mathtt {c}\in \mathsf{inpt}_{\mathsf {C}}} \mathtt {t}^\mathtt {c}\cdot \mathtt {f}^\mathtt {c}\), where \(\mathsf{inpt}_{\mathsf {C}}\) is the set of the input gates of \({\mathsf {C}}\).

  6. For every multiplication gate \(\mathtt {c}\), generate two random field elements \(\mathtt {t}^\mathtt {c}, \mathtt {w}^\mathtt {c}\) and compute \(\mathtt {f}^\mathtt {c}\leftarrow \mathtt {c'}- \mathtt {c''}\), \(\mathsf {g}^\mathtt {c}\leftarrow \mathtt {c}\cdot \mathtt {v}\), \(\mathsf {h}^\mathtt {c}\leftarrow \mathsf {g}^\mathtt {c}- \mathtt {c'}\).

  7. Let \(\mathsf{mul }_{\mathsf {C}}\) be the set of all multiplication gates in \({\mathsf {C}}\); compute \(\mathtt {f}_2 \leftarrow \sum _{\mathtt {c}\in \mathsf{mul }_{\mathsf {C}}} \mathtt {w}^\mathtt {c}\cdot \mathtt {f}^\mathtt {c}\) and \(\mathtt {f}_3\leftarrow \sum _{\mathtt {c}\in \mathsf{mul }_{\mathsf {C}}} \mathtt {t}^\mathtt {c}\cdot \mathsf {h}^{\mathtt {c}}\).

  8. Compute \(\mathtt {f}\leftarrow \mathtt {f}_1 \cdot \mathsf {s}_1 + \mathtt {f}_2 \cdot \mathsf {s}_2 + \mathtt {f}_3 \cdot \mathsf {s}_3\), where \(\mathsf {s}_1,\mathsf {s}_2,\mathsf {s}_3\) are random field elements.

Output Generation: Output \(\mathbf{z }+\mathtt {f}\cdot \mathbf{r }\) where \(\mathbf{r }\) is a random vector from \({\mathbb {F}}^k\).
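The MAC combination gadget, the multiplication-gate check and Construction 1 above, as an added worked example that is not the paper's code: a Python simulation over \(\mathbb {F}_p\) with \(p = 2^{61}-1\) that compiles a constructed toy circuit into \(\overline{{\mathsf {C}}}\), confirms completeness on honest runs, and shows that an additive attack on a single internal wire of \(\overline{{\mathsf {C}}}\) leaves the output masked by \(\mathtt {f}\cdot \mathbf{r }\) rather than shifted by a controlled amount. The circuit representation, the encoding of an attack as one field element per destination wire and per output (following the Additive Attacks paragraph of Sect. 4), and the toy circuit are my own assumptions.

```python
"""Construction 1 (AMD compiler) simulated over the prime field F_p.
Constructed example: compile a toy circuit C into C-bar and attack one wire."""
import secrets

P = 2**61 - 1  # prime field; Theorem 5 bounds the error by |F|*eps + 1/|F|

class Circuit:
    """Gates: ('input', i), ('rand',) or (op, a, b) with op in add/sub/mul.
    An additive attack is {(dst_gate, input_pos): delta, ('out', j): delta},
    field elements added to those wires ('Additive Attacks' paragraph)."""

    def __init__(self):
        self.gates, self.outputs = [], []

    def gate(self, op, *args):
        self.gates.append((op,) + args)
        return len(self.gates) - 1

    def evaluate(self, x, attack=None):
        attack, vals = attack or {}, []
        for idx, (op, *args) in enumerate(self.gates):
            if op == 'input':
                v = x[args[0]] % P
            elif op == 'rand':
                v = secrets.randbelow(P)
            else:  # read both input wires, adding any attack value on them
                a = (vals[args[0]] + attack.get((idx, 0), 0)) % P
                b = (vals[args[1]] + attack.get((idx, 1), 0)) % P
                v = {'add': a + b, 'sub': a - b, 'mul': a * b}[op] % P
            vals.append(v)
        return [(vals[o] + attack.get(('out', j), 0)) % P
                for j, o in enumerate(self.outputs)]

def _sum(cb, terms):
    """Chain of add gates summing terms (None if the list is empty)."""
    acc = None
    for t in terms:
        acc = t if acc is None else cb.gate('add', acc, t)
    return acc

def compile_amd(c):
    """Construction 1: returns (C-bar, map from gates of C to their copies)."""
    cb = Circuit()
    g = cb.gate
    v, r = g('rand'), g('rand')                    # step 1: MAC key v, mask r
    r1 = g('mul', r, v)                            # r' = r*v
    copy, tag, tag2 = {}, {}, {}                   # c, c' and (mul gates) c''
    for idx, (op, *args) in enumerate(c.gates):
        if op in ('input', 'rand'):                # step 2 (rand gates tagged alike)
            copy[idx] = g(op, *args)
            tag[idx] = g('mul', copy[idx], v)      # c' = c*v
            continue
        a, b = args
        copy[idx] = g(op, copy[a], copy[b])        # the gate of C itself
        if op == 'mul':                            # step 3(a): two candidate tags
            tag[idx] = g('mul', tag[a], copy[b])   # c'  = a'*b
            tag2[idx] = g('mul', copy[a], tag[b])  # c'' = a*b'
        else:                                      # step 3(b): key degree stays 1
            tag[idx] = g(op, tag[a], tag[b])
    f1, f2, f3 = [], [], []
    for idx, (op, *_) in enumerate(c.gates):
        if op == 'input':                          # steps 4-5: input checks
            t = g('rand')
            gc = g('add', copy[idx], r)            # g^c  = c + r
            hc = g('add', tag[idx], r1)            # h'^c = c' + r'
            gc1 = g('mul', gc, v)                  # g'^c = g^c * v
            f1.append(g('mul', t, g('sub', hc, gc1)))
        elif op == 'mul':                          # steps 6-7: gate checks
            t, w = g('rand'), g('rand')
            fc = g('sub', tag[idx], tag2[idx])     # f^c = c' - c''
            hc = g('sub', g('mul', copy[idx], v), tag[idx])  # h^c = c*v - c'
            f2.append(g('mul', w, fc))
            f3.append(g('mul', t, hc))
    sums = [_sum(cb, ts) for ts in (f1, f2, f3)]   # step 8: f = sum f_i * s_i
    f = _sum(cb, [g('mul', fi, g('rand')) for fi in sums if fi is not None])
    # output generation: z + f*r_out for a fresh random vector r_out in F^k
    cb.outputs = [g('add', copy[o], g('mul', f, g('rand'))) for o in c.outputs]
    return cb, copy

def demo_circuit():
    """Constructed toy circuit C(x0, x1, x2) = (x0*x1 + x2) * x0."""
    c = Circuit()
    x0, x1, x2 = (c.gate('input', i) for i in range(3))
    m = c.gate('mul', x0, x1)
    s = c.gate('add', m, x2)
    c.outputs = [c.gate('mul', s, x0)]
    return c, s

def attack_detected(trials=8):
    """Honest runs must equal C(x).  Then add 1 to the wire feeding the left
    input of the addition gate's copy: its tag travels on other wires, so the
    output gate's c' - c'' check fails, f != 0 and f*r_out masks the output.
    Returns (completeness_ok, distinct_attacked_outputs, hits_on_C(x))."""
    c, s = demo_circuit()
    cb, copy = compile_amd(c)
    x = [secrets.randbelow(P) for _ in range(3)]  # locally random inputs (Def. 5)
    z = c.evaluate(x)
    complete = all(cb.evaluate(x) == z for _ in range(trials))
    outs = [tuple(cb.evaluate(x, {(copy[s], 0): 1})) for _ in range(trials)]
    return complete, len(set(outs)), sum(o == tuple(z) for o in outs)
```

Detection here relies on the inputs being locally random (Definition 5), which the example obtains by sampling them uniformly; for arbitrary inputs this is what the circuit randomization process of the full version enforces.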

In the full version we prove the following theorems.

Theorem 5

Let \({\mathsf {C}}:{\mathbb {F}}^n \rightarrow {\mathbb {F}}^k\) be a randomized arithmetic circuit which is locally \(\epsilon \)-random with respect to an input distribution I. Then the circuit \(\overline{{\mathsf {C}}}\) obtained by applying Construction 1 to \({\mathsf {C}}\) is a \(\left( |{\mathbb {F}}|\cdot \epsilon +1/|{\mathbb {F}}|\right) \)-additive-attack secure implementation of \({\mathsf {C}}\) with respect to I. Moreover, \(|\overline{{\mathsf {C}}}|= O(|{\mathsf {C}}|)\).

Theorem 6

(Additive-attack Security). For any arithmetic circuit \({\mathsf {C}}:{\mathbb {F}}^n \rightarrow {\mathbb {F}}^k\) there exists a randomized circuit \(\overline{{\mathsf {C}}}:{\mathbb {F}}^n \rightarrow {\mathbb {F}}^k\) such that \(\overline{{\mathsf {C}}}\) is an \(\epsilon \)-additive-attack secure implementation of \({\mathsf {C}}\) where \(\epsilon = O(1 / |{\mathbb {F}}|)\). Moreover, \(|\overline{{\mathsf {C}}}|=O(|{\mathsf {C}}|)\).

Notice that unlike the work of [11], the error parameter of the construction is \(O(1 / |{\mathbb {F}}|)\). This matches the result of [14], but in a stronger attack model.

6 From General Adversaries to Additive Attacks

In this section we reduce any general adversary attacking a randomized protocol \(\pi \) to an additive attack on the protocol circuit \({\mathsf {C}}_\pi \) defined as follows. We compile a protocol \(\pi \) into a circuit, \({\mathsf {C}}_\pi \), by writing all local computations performed by the parties as circuits and whenever a party \(P_i\) sends a message to \(P_j\), we connect the corresponding parts of the circuits representing \(P_i\) and \(P_j\) using wires. Notice that for every input \(\mathbf{x }\) and randomness \(\mathbf{r }\), it holds that \(\pi (\mathbf{x };\mathbf{r })={\mathsf {C}}_\pi (\mathbf{x },\mathbf{r }).\)

We now define the notion of a last-round-private protocol.

Definition 6

Let \({\mathcal {T}}\) be a set of corrupted parties and let \(\pi \) be a \({\mathcal {T}}\)-randomized n-party protocol for computing an n-input circuit \({\mathsf {C}}:{\mathbb {F}}^{I_1} \times \cdots \times {\mathbb {F}}^{I_n} \rightarrow {\mathbb {F}}^{O_1} \). We say that \(\pi \) is \({\mathcal {T}}\)-last-round-private if the following hold.

  1. Structure of the Last Round. During the last round, only \(P_1\) computes the output vector \(\mathbf{z }\), in the following way. Let \({\overline{{\mathcal {T}}}}'\subseteq {\overline{{\mathcal {T}}}}\) be the set of parties from \({\overline{{\mathcal {T}}}}\) sending messages to \(P_1\) during the last round. Each output \(z_i\), \(1 \le i \le O_1\), is computed by \(P_1\) by evaluating two linear functions \(F_{\mathcal {T}}\) and \(F_{{\overline{{\mathcal {T}}}}'}\) such that \(z_i = F_{\mathcal {T}}(l_{{{\mathcal {T}}},{P_1}}^{i} ) + F_{{\overline{{\mathcal {T}}}}'} (l_{{{\overline{{\mathcal {T}}}}'},{P_1}}^{i} )\), where the messages \(l_{{{\mathcal {T}}},{P_1}}^{i}, l_{{{\overline{{\mathcal {T}}}}'},{P_1}}^{i}\) are the shares corresponding to \(z_i\) received by \(P_1\) from the parties in \({\mathcal {T}}\) and \({\overline{{\mathcal {T}}}}'\), respectively.

  2. Privacy of the Last Round. Fix an input \({\mathbf{x }}_{{\mathcal {T}}}\) and randomness \(\mathbf{r }_{\mathcal {T}}\) to the circuit \({\mathsf {C}}_\pi \) for the parties in \({\mathcal {T}}\). In addition, fix an additive attack \( \mathbf{A} \) on \({\mathsf {C}}_\pi \) and fix a view \(\widehat{u}_{{\mathcal {T}}}\) of the parties in \({\mathcal {T}}\) during an execution of \({{\mathsf {C}}}^ \mathbf{A} _\pi \) on \(({\mathbf{x }}_{{\mathcal {T}}},\mathbf{r }_{\mathcal {T}})\). Let \(\mathbf{Z }\) be the distribution of outputs in \({{\mathsf {C}}}^ \mathbf{A} _\pi \) conditioned on \(({\mathbf{x }}_{{\mathcal {T}}},\mathbf{r }_{\mathcal {T}}, \mathbf{A} , \widehat{u}_{{\mathcal {T}}})\) and fix \(\mathbf{z }\) from the support of \(\mathbf{Z }\). Finally, let \( \widehat{l}_{{{\mathcal {T}}},{P_1}}\) be the messages received by \(P_1\) from the parties in \({\mathcal {T}}\) during the last round of \({{\mathsf {C}}}^ \mathbf{A} _\pi \), as uniquely defined by \(({\mathbf{x }}_{{\mathcal {T}}},\mathbf{r }_{\mathcal {T}}, \widehat{u}_{{\mathcal {T}}})\). We require that the distribution of the messages \(\widehat{l}_{{{\overline{{\mathcal {T}}}}'},{P_1}}\), over the unfixed randomness \(\mathbf{r }_{{\overline{{\mathcal {T}}}}}\), is uniform conditioned on \( F_{{\overline{{\mathcal {T}}}}'} (\widehat{l}_{{{\overline{{\mathcal {T}}}}'},{P_1}})=\mathbf{z }- F_{{\mathcal {T}}} (\widehat{l}_{{{\mathcal {T}}},{P_1}} )\).

In the full version we prove the following theorem.

Theorem 7

Let \(\pi \) be a \({\mathcal {T}}\)-last-round-private and \({\mathcal {T}}\)-randomized protocol. Then for any active adversary \(\mathsf{Adv}\) controlling the parties in \({\mathcal {T}}\) there exists a simulator \(\mathsf{Sim}\) such that for any input \(\mathbf{x }\) it holds that \( \mathsf{Ideal }^{\mathsf{Sim}}_{f_{{\mathsf {C}}_\pi }^ \mathbf{A} ,{\mathcal {T}}}{(}\mathbf{x }) \equiv \mathsf{Real }_{\pi ,{\mathcal {T}}}^\mathsf{Adv}(\mathbf{x }). \)

7 Homomorphism for Standard Circuits

In this section we prove that if two circuits \({\mathsf {C}}\) and \({\mathsf {C}}'\) meet certain properties, then for any additive attack on \({\mathsf {C}}'\) there exists an equivalent additive attack on \({\mathsf {C}}\). Applying this approach to \({\mathsf {C}}_\pi \), we prove that any additive attack on \({\mathsf {C}}_\pi \) corresponds to an additive attack on \({\mathsf {C}}\).

Without loss of generality, we express every multiplication gate as a product of its inputs where each input is an arbitrary fixed linear combination of the preceding addition and subtraction gates up to the depth of the preceding multiplication gate.

Definition 7

Let \({\mathsf {C}}\) be a randomized circuit and let \(\mathtt {c}\) be an in-degree 2 multiplication gate inside \({\mathsf {C}}\). We define two ordered sets \(\mathsf{left}_\mathtt {c}\) and \(\mathsf{right}_\mathtt {c}\) as follows.

$$ \mathsf{left}_\mathtt {c}= \left\{ \mathtt {a}\in \{\times ,\mathsf {input}\} \;:\; \begin{array}{l} \exists \mathsf{path} \text { from } \mathtt {a}\text { to the first input of } \mathtt {c}\\ \text {which only contains gates from the set } \{+,-\} \end{array} \right\} $$
$$ \mathsf{right}_\mathtt {c}= \left\{ \mathtt {a}\in \{\times ,\mathsf {input}\} \;:\; \begin{array}{l} \exists \mathsf{path} \text { from } \mathtt {a}\text { to the second input of } \mathtt {c}\\ \text {which only contains gates from the set } \{+,-\} \end{array} \right\} $$

The ordered sets \(\mathsf{left}_\mathtt {c}\) and \(\mathsf{right}_\mathtt {c}\) naturally define two linear functions \(l^\mathtt {c}:{\mathbb {F}}^{|\mathsf{left}_\mathtt {c}|} \rightarrow {\mathbb {F}}\) and \(r^\mathtt {c}:{\mathbb {F}}^{|\mathsf{right}_\mathtt {c}|} \rightarrow {\mathbb {F}}\) representing the output of \(\mathtt {c}\) as a function of the outputs of the preceding \(\mathsf{mult}\) and \(\mathsf {input}\) gates. More specifically, for any input \(\mathbf{x }\) to \({\mathsf {C}}\) it holds that \( {{{\varvec{c}}}}_{\mathbf{x }} = l^\mathtt {c}( {{{\varvec{a}}}}_{\mathbf{x }}) \cdot r^\mathtt {c}( {{{\varvec{b}}}}_{\mathbf{x }})\) where \( {{{\varvec{a}}}}=\mathsf{left}_\mathtt {c}\) and \( {{{\varvec{b}}}}=\mathsf{right}_\mathtt {c}\).

We now express every output gate which is an addition or subtraction gate as a fixed linear combination of the outputs of the preceding multiplication gates.

Definition 8

Let \({\mathsf {C}}\) be a deterministic circuit and let \(\mathtt {c}\) be an output gate that is an \(\mathsf{add }\) or \(\mathsf{sub}\) gate. We define the ordered set \(\mathsf{in}_\mathtt {c}\) as follows.

$$ \mathsf{in}_\mathtt {c}= \left\{ \mathtt {a}\in \{\times ,\mathsf {input}\} \;:\; \begin{array}{l} \exists \mathsf{path} \text { from } \mathtt {a}\text { to either of the two inputs of } \mathtt {c}\\ \text {which only contains gates from the set } \{+,-\} \end{array} \right\} $$

The set \(\mathsf{in}_\mathtt {c}\) naturally defines a linear function \(f^\mathtt {c}:{\mathbb {F}}^{|\mathsf{in}_\mathtt {c}|} \rightarrow {\mathbb {F}}\) representing the output of \(\mathtt {c}\) as a function of the outputs of the preceding \(\mathsf{mult}\) and \(\mathsf {input}\) gates. More specifically, for any input \(\mathbf{x }\) to \({\mathsf {C}}\) it holds that \( {{{\varvec{c}}}}_{\mathbf{x }} = f^\mathtt {c}( {{{\varvec{a}}}}_{\mathbf{x }})\) where \( {{{\varvec{a}}}}=\mathsf{in}_\mathtt {c}\).

We now define the notion of circuit homomorphism. Later, we prove that if a circuit \({\mathsf {C}}'\) is homomorphic to a circuit \({\mathsf {C}}\) then any additive attack on \({\mathsf {C}}'\) can be simulated by an additive attack on \({\mathsf {C}}\). Applying the above on MPC protocols, as long as the circuit \({\mathsf {C}}_\pi \) of a protocol \(\pi \) is homomorphic to \({\mathsf {C}}\), then any additive attack on \({\mathsf {C}}_\pi \) can be simulated by an additive attack on \({\mathsf {C}}\). Combining this with the result of Sect. 6, we obtain that for any protocol \(\pi \) computing a circuit \({\mathsf {C}}\), which is \({\mathcal {T}}\)-randomized, \({\mathcal {T}}\)-last-round-private and homomorphic to \({\mathsf {C}}\), any attack mounted by an active adversary is equivalent to an additive attack on \({\mathsf {C}}\).

Definition 9

(Circuit Homomorphism). Let \({\mathsf {C}}\) be a deterministic circuit. A circuit \({\mathsf {C}}'\) is said to be homomorphic to \({\mathsf {C}}\) if there exists a mapping \({\mathcal {H}}\) from the \(\mathsf {input}\) and \(\mathsf{mult}\) gates of \({\mathsf {C}}\) to the gates of \({\mathsf {C}}'\) such that the following properties hold. Below, for any gate \(\mathtt {c}\) of \({\mathsf {C}}\) we denote the output of \( {\mathcal {H}}(\mathtt {c})\) by \(\mathtt {c}'\).

  1. Input. For any \(\mathsf {input}\) gate \(\mathtt {c}\) of \({\mathsf {C}}\) and for any input \(\mathbf{x }\) it holds that \( {\mathtt {c}_\mathbf{x }} ={\mathtt {c}'_\mathbf{x }}. \)

  2. Multiplications. For any \(\mathsf{mult}\) gate \(\mathtt {c}\) we require that there exists a constant \(\lambda ^\mathtt {c} \in {\mathbb {F}}\) with the following properties for any input \(\mathbf{x }\):

     (a) It holds that

     (b) For every \(\mathsf{mult}\) gate used for the computation of the output of \(\mathtt {c}'\) inside \({\mathsf {C}}'\), the left input is a linear function of and the right input is a linear function of .

  3. Outputs. We first require that both \({\mathsf {C}}\) and \({\mathsf {C}}'\) have the same number of \(\mathsf{output }\) gates. Let \(\mathtt {c}\) be the i-th gate of \({\mathsf {C}}\); we distinguish two cases.

     (a) Let \(\mathsf {o}'\) be the i-th \(\mathsf{output }\) gate of \({\mathsf {C}}'\). If \(\mathtt {c}\) is a \(\mathsf{mult}\) gate, then .

     (b) If \(\mathtt {c}\) is an \(\mathsf{add }\) or \(\mathsf{sub}\) gate, then the i-th output of \({\mathsf {C}}'\), \(\mathsf {o}'_\mathbf{x }\), is equal to for all inputs \(\mathbf{x }\).

     Moreover, we require that the recovery of the output from the gates \(\varvec{\mathsf {o}}'\) of \({\mathsf {C}}'\) is performed without computing any \(\mathsf{mult}\) gates.

Remark 1

Given two circuits \({\mathsf {C}}\), \({\mathsf {C}}'\), a mapping \({\mathcal {H}}\), a constant \(\lambda ^\mathtt {c}\) and functions \(l^\mathtt {c}\) and \(r^\mathtt {c}\) for every \(\mathsf{mult}\) gate \(\mathtt {c}\) in \({\mathsf {C}}\), it is possible to decide in polynomial time if \({\mathsf {C}}'\) is homomorphic to \({\mathsf {C}}\). Checking that the requirements of Definition 9 hold can be done symbolically using the gate’s output as variables.

For simplicity of exposition, Definition 9 is tailored to protocols working on additive secret sharing, such as the \(\mathsf{GMW}\) protocol. A simple generalization of Definition 9 captures protocols working on any linear secret sharing scheme, such as the \(\mathsf {DN}\) and \(\mathsf {DIK}\) protocols. See the full version for details.

Lemma 1

Let \({\mathsf {C}}\) be a deterministic circuit and let \({\mathsf {C}}'\) be a circuit homomorphic to \({\mathsf {C}}\). Then for any additive attack \( \mathbf{A} '\) on \({\mathsf {C}}'\) there exists an additive attack \( \mathbf{A} \) on \({\mathsf {C}}\) such that for any input \(\mathbf{x }\) it holds that \({{\mathsf {C}}}^{\prime \mathbf{A} '} (\mathbf{x }) = {{\mathsf {C}}^ \mathbf{A} }(\mathbf{x }).\)

We now extend Lemma 1 to handle n-party circuits computed during an MPC protocol. We begin by defining the notion of \({\mathcal {T}}\)-homomorphic circuits.

Definition 10

Let \(\pi \) be an n-party protocol, \({\mathsf {C}}\) be an n-party circuit and let \({\mathcal {T}}\) be a set of parties. We say that \({\mathsf {C}}_\pi \) is \({\mathcal {T}}\)-homomorphic to \({\mathsf {C}}\) if for any input \(\mathbf{x }_{\mathcal {T}}\) for the parties in \({\mathcal {T}}\) and for every randomness \(\mathbf{r }\), the circuit \({\mathsf {C}}_\pi ((\mathbf{x }_{\mathcal {T}},\cdot ),\mathbf{r })\) obtained by fixing the inputs \(\mathbf{x }_{\mathcal {T}}\) and \(\mathbf{r }\) inside \({\mathsf {C}}_\pi \) is homomorphic to \({\mathsf {C}}(\mathbf{x }_{\mathcal {T}},\cdot )\).

In the full version we prove the following theorem.

Theorem 8

Let \(\pi \) be an n-party protocol for computing a circuit \({\mathsf {C}}:{\mathbb {F}}^{I_1} \times \cdots \times {\mathbb {F}}^{I_n} \rightarrow {\mathbb {F}}^{O_1}\) in the f-hybrid model and let \({\mathcal {T}}\) be a set of parties such that \(\pi \) is \({\mathcal {T}}\)-randomized, \({\mathcal {T}}\)-last-round-private and \({\mathsf {C}}_\pi \) is \({\mathcal {T}}\)-homomorphic to \({\mathsf {C}}\). Then for any active adversary \(\mathsf{Adv}\) controlling the parties in \({\mathcal {T}}\) there exists a simulator \(\mathsf{Sim}\) such that for any input \(\mathbf{x }\) it holds that \(\mathsf{Ideal }^{\mathsf{Sim}}_{{{f}_{{\mathsf {C}}}^ \mathbf{A} },{\mathcal {T}}}{}(\mathbf{x }) \equiv \mathsf{Real }_{\pi ,{\mathcal {T}}}^{\mathsf{Adv},f}(\mathbf{x }).\)

8 The GMW Protocol

In this section we prove that an arithmetic generalization of the passively secure \(\mathsf{GMW}\) protocol [12] is additively corruptible. We first extend the \(\mathsf{GMW}\) protocol to the arithmetic setting [17], where the OT oracle is replaced by oblivious linear function evaluation (OLE) [19].

Definition 11

(The OLE functionality). Let \({\mathbb {F}}\) be a finite field. We define the functionality \(f_\mathsf{OLE}\) that on inputs \((a,b) \in {\mathbb {F}}^2\) from the sender and \(x \in {\mathbb {F}}\) from the receiver outputs \(\bot \) to the sender and \(a\cdot x+b\) to the receiver.

We now describe an arithmetic version of the GMW protocol in the OLE-hybrid model [12, 17]. We begin by describing the \(\mathsf {Input\text {-}Share_\mathsf{GMW}}\) and \(\mathsf {Mult}_\mathsf{GMW}\) subprotocols used to evaluate input and multiplication gates.

Construction 2

(Subprotocol \(\mathsf {Input\text {-}Share_\mathsf{GMW}}\)). The subprotocol \(\mathsf {Input\text {-}Share_\mathsf{GMW}}\) is defined as follows. Each party \(P_i\) on input x computes a random additive sharing of x, denoted by \([ \mathbf{{x}}{}]_\mathsf{add}=(x_1,\ldots ,x_n)\), and deals it among all the parties.

Construction 3

(Subprotocol \(\mathsf {Mult}_\mathsf{GMW}\) ). The subprotocol \(\mathsf {Mult}_\mathsf{GMW}\) gets as input additive sharings \([ \mathbf{{a}}{}]_\mathsf{add}\), \([ \mathbf{{b}}{}]_\mathsf{add}\) and outputs an additive sharing \([ \mathbf{{c}}{}]_\mathsf{add}\) such that \(\mathtt {c}=\mathtt {a}\cdot \mathtt {b}\). The protocol proceeds as follows.

  1. Each ordered pair of parties \(P_i,P_j\), such that \(i \ne j\), performs the following.

     (a) \(P_i\) generates a random value \(r_{i,j}\) and, acting as a sender, sends \((a_i,r_{i,j})\) to the \(\mathsf OLE\) oracle. \(P_j\), acting as a receiver, sends \(b_j\) to the \(\mathsf OLE\) oracle.

     (b) The \(\mathsf OLE\) oracle responds with \(s_{i,j} = a_i \cdot b_j + r_{i,j}\) to \(P_j\).

  2. Each party \(P_i\) computes \(c_i \leftarrow a_i \cdot b_i + \sum _{j=1 \atop j \ne i}^n ( s_{j,i} - r_{i,j})\).

We now describe the passively secure \(\mathsf{GMW}\) protocol.

Construction 4

(Passively secure \(\mathsf{GMW}\) protocol). Let \({\mathsf {C}}:{\mathbb {F}}^{I_1} \times \cdots \times {\mathbb {F}}^{I_n} \rightarrow {\mathbb {F}}^{O_1}\) be an n-party circuit. The protocol \({\mathsf {GMW}_{\mathsf {C}}}\) for \({\mathsf {C}}\) proceeds as follows:

  1. Input sharing phase. For each input gate associated to party \(P_i\), party \(P_i\) executes the protocol \(\mathsf {Input\text {-}Share_\mathsf{GMW}}\) described in Construction 2.

  2. Circuit evaluation phase. For each gate \(\mathtt {c}\) in \({\mathsf {C}}\) with input sharings \([ \mathbf{{a}}{}]_\mathsf{add}=(a_1,\ldots ,a_n)\) and \([ \mathbf{{b}}{}]_\mathsf{add}=(b_1,\ldots ,b_n)\) proceed as follows:

     Evaluating addition and subtraction gates. For the case of addition gates, all parties locally compute \([ \mathbf{{c}}{}]_\mathsf{add} \leftarrow [ \mathbf{{a}}{}]_\mathsf{add} + [ \mathbf{{b}}{}]_\mathsf{add}\). Similarly, for subtraction gates, all parties locally compute \([ \mathbf{{c}}{}]_\mathsf{add} \leftarrow [ \mathbf{{a}}{}]_\mathsf{add} - [ \mathbf{{b}}{}]_\mathsf{add}\).

     Evaluating multiplication gates. All the parties execute the \(\mathsf {Mult}_\mathsf{GMW}\) protocol described in Construction 3 on inputs \([ \mathbf{{a}}{}]_\mathsf{add}\) and \([ \mathbf{{b}}{}]_\mathsf{add}\).

  3. Output recovery phase. At the end of the computation, for each output gate \(\mathtt {c}\) of \({\mathsf {C}}\) all the parties hold a sharing \([ \mathbf{{c}}{}]_\mathsf{add}\) corresponding to its value. For each output gate \(\mathtt {c}\), the parties generate a random sharing \([ \mathbf{{z}}{}]_\mathsf{add}\) of 0 and compute \([ \mathbf{{c'}}{}]_\mathsf{add} \leftarrow [ \mathbf{{c}}{}]_\mathsf{add}+ [ \mathbf{{z}}{}]_\mathsf{add}\). Parties \(\{P_2,\cdots ,P_{n}\}\) send their shares of \([ \mathbf{{c'}}{}]_\mathsf{add}\) to \(P_1\). Then \(P_1\) recovers the output c by computing \(c \leftarrow \sum _{i=1}^n c'_i\).
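To make Constructions 2, 3 and 4 concrete, the following added Python simulation (illustration code, not the paper's) runs \(\mathsf {Mult}_\mathsf{GMW}\) against a simulated \(f_\mathsf{OLE}\) oracle and then evaluates a small constructed circuit with the full input-sharing, evaluation and output-recovery phases. The prime field modulus, the three-party setting and the circuit \((x_1+x_2)\cdot x_3 - x_1\) are assumptions chosen for the example.

```python
import secrets

# Constructed example parameters (not from the paper): a Mersenne prime field.
P = 2**61 - 1

def share(x, n):
    """Input-Share_GMW (Construction 2): n-1 uniform shares, the last one fixes the sum to x."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares

def reconstruct(shares):
    return sum(shares) % P

def f_ole(sender_ab, receiver_x):
    """OLE functionality (Definition 11): the sender learns nothing, the receiver gets a*x + b."""
    a, b = sender_ab
    return (a * receiver_x + b) % P

def mult_gmw(a_sh, b_sh):
    """Mult_GMW (Construction 3): turn sharings of a and b into a sharing of a*b via OLE calls."""
    n = len(a_sh)
    r, s = {}, {}  # r[i,j]: mask chosen by sender P_i; s[i,j]: a_i*b_j + r_{i,j} delivered to P_j
    for i in range(n):
        for j in range(n):
            if i != j:
                r[i, j] = secrets.randbelow(P)                      # step 1(a)
                s[i, j] = f_ole((a_sh[i], r[i, j]), b_sh[j])        # step 1(b)
    # step 2: c_i = a_i*b_i + sum_{j != i} (s_{j,i} - r_{i,j}); the masks cancel in the sum
    return [(a_sh[i] * b_sh[i] + sum(s[j, i] - r[i, j] for j in range(n) if j != i)) % P
            for i in range(n)]

def gmw_eval(x1, x2, x3):
    """Construction 4 for the constructed 3-party circuit C(x1, x2, x3) = (x1 + x2) * x3 - x1."""
    n = 3
    a, b, c = share(x1, n), share(x2, n), share(x3, n)            # input sharing phase
    t = [(ai + bi) % P for ai, bi in zip(a, b)]                    # local addition gate
    u = mult_gmw(t, c)                                             # multiplication gate (OLE)
    v = [(ui - ai) % P for ui, ai in zip(u, a)]                    # local subtraction gate
    z = share(0, n)                                                # output recovery: re-randomize
    v_prime = [(vi + zi) % P for vi, zi in zip(v, z)]              # with a fresh sharing of 0
    return reconstruct(v_prime)                                    # P_1 sums the received shares
```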

The works of [12, 17] analyzed the passively secure \(\mathsf{GMW}\) protocol.

Theorem 9

([12, 17]). For any n-party circuit \({\mathsf {C}}:{\mathbb {F}}^{I_1} \times \cdots \times {\mathbb {F}}^{I_n} \rightarrow {\mathbb {F}}^{O_1}\), the protocol \({\mathsf {GMW}_{\mathsf {C}}}\) in the \(\mathsf OLE\) hybrid model is passively secure against any adversary controlling at most \(n-1\) parties. Moreover, the communication complexity (in field elements) as well as the number of oracle calls of \({\mathsf {GMW}_{\mathsf {C}}}\) is \(O(n^2|C|)\).

8.1 Randomizing the \(\mathsf{GMW}\) Protocol

Note that the protocol \(\mathsf {Input\text {-}Share_\mathsf{GMW}}\) is already randomized. This is because additive secret sharing is done by having the party \(P_i\), holding the input x, send random shares \(r_j\) to all other parties and then compute his own share as \(x-\sum _j r_j\). Therefore, the messages exchanged during the input sharing phase are already input-independent. We now describe how to randomize the evaluation of multiplication gates in the \(\mathsf{GMW}\) protocol. In the \(\mathsf {Mult}_\mathsf{GMW}\) protocol, all messages received by the parties are sent by the \(f_\mathsf{OLE}\) oracle. We thus construct the \(f_\mathsf{OLE}^{\mathcal {T}}\) oracle, which sends messages to the parties in \({\mathcal {T}}\) that depend syntactically only on the randomness of the protocol and not on the inputs of the parties in \({\overline{{\mathcal {T}}}}\).

Construction 5

(The \(f_\mathsf{OLE}^{\mathcal {T}}\) Functionality). Let \({\mathcal {T}}\) be a set of parties. We define the functionality \(f_\mathsf{OLE}^{\mathcal {T}}\) that on inputs \((a,b)\) from a party \(P_i\) acting as a sender and \(x \in {\mathbb {F}}\) from a party \(P_j\) acting as a receiver performs the following.

  1. \(P_j \in {\mathcal {T}}\) and \(P_i \in {\overline{{\mathcal {T}}}}\). Let \(P_h\) be the first party not in \({\mathcal {T}}\). \(f_\mathsf{OLE}^{\mathcal {T}}\) generates a random value e, sends \(\bot \) to \(P_i\), e to \(P_j\) and \(ax+b-e\) to \(P_h\).

  2. Otherwise. In this case \(f_\mathsf{OLE}^{\mathcal {T}}\) sends \(\bot \) to \(P_i\) and \(ax+b\) to \(P_j\).

In the following we describe the \(\mathsf {Mult}^{\mathcal {T}}_\mathsf{GMW}\) protocol in the \(f_\mathsf{OLE}^{\mathcal {T}}\) hybrid model.

Construction 6

(Subprotocol \(\mathsf {Mult}^{\mathcal {T}}_\mathsf{GMW}\) ). Let \({\mathcal {T}}\) be a set of parties and let \(P_h\) be the first party not in \({\mathcal {T}}\). The subprotocol \(\mathsf {Mult}^{\mathcal {T}}_\mathsf{GMW}\), in the \(f_\mathsf{OLE}^{\mathcal {T}}\) hybrid model, gets as input additive sharings of \([ \mathbf{{a}}{}]_\mathsf{add}\), \([ \mathbf{{b}}{}]_\mathsf{add}\) and outputs an additive sharing \([ \mathbf{{c}}{}]_\mathsf{add}\) such that \(\mathtt {c}=\mathtt {a}\cdot \mathtt {b}\). The protocol proceeds as follows.

  1. Each ordered pair of parties \(P_i,P_j\), such that \(i \ne j\), performs the following.

     (a) \(P_i\) generates a random value \(r_{i,j}\) and, acting as a sender, sends \((a_i,r_{i,j})\) to the \(f_\mathsf{OLE}^{\mathcal {T}}\) oracle. \(P_j\), acting as a receiver, sends \(b_j\) to the \(f_\mathsf{OLE}^{\mathcal {T}}\) oracle.

     (b) The \(f_\mathsf{OLE}^{\mathcal {T}}\) oracle responds with \(s_{i,j}\) to \(P_j\), and with \(s'_{i,j}\) to \(P_h\) in case \(P_j \in {\mathcal {T}}\) and \(P_i \in {\overline{{\mathcal {T}}}}\).

  2. Each party \(P_i \in {\mathcal {T}}\) computes \(c_i \leftarrow a_i \cdot b_i + \sum _{j=1 \atop j \ne i}^n ( s_{j,i} - r_{i,j})\).

  3. Each party \(P_i \in {\overline{{\mathcal {T}}}}\), such that \(P_i\ne P_h\), generates his share \(c_i\) of c uniformly at random, computes \(d_i \leftarrow a_i \cdot b_i + \sum _{j=1 \atop j \ne i}^n ( s_{j,i} - r_{i,j})\) and sends \((c_i,d_i)\) to \(P_h\).

  4. Party \(P_h\) computes \(c_h \leftarrow a_h \cdot b_h+ \sum _{P_i \in {\overline{{\mathcal {T}}}}\atop P_i \ne P_h} (d_i-c_i) + \sum _{P_i \in {\overline{{\mathcal {T}}}}\atop P_j \in {\mathcal {T}}} s'_{i,j}\).

Next, we describe the \({\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) protocol. In the full version we prove that \({\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) is \({\mathcal {T}}\)-randomized and \({\mathcal {T}}\)-equivalent to \({\mathsf {GMW}_{\mathsf {C}}}\).

Construction 7

(\({\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) Protocol). Let \({\mathsf {C}}:{\mathbb {F}}^{I_1} \times \cdots \times {\mathbb {F}}^{I_n} \rightarrow {\mathbb {F}}^{O_1}\) be an n-party circuit and let \({\mathcal {T}}\) be a set of parties such that \(|{\mathcal {T}}|< n\). The protocol \({\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) for \({\mathsf {C}}\) is defined to be the same as the \({\mathsf {GMW}_{\mathsf {C}}}\) protocol from Construction 4 except that the parties execute the \(\mathsf {Mult}^{\mathcal {T}}_\mathsf{GMW}\) protocol instead of \(\mathsf {Mult}_\mathsf{GMW}\).

Lemma 2

Let \({\mathsf {C}}\) be an n-party circuit. For any set of parties \({\mathcal {T}}\) such that \(|{\mathcal {T}}| <n\) the protocol \({\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) is \({\mathcal {T}}\)-randomized and is \({\mathcal {T}}\)-equivalent to \({\mathsf {GMW}_{\mathsf {C}}}\).

8.2 The \(\mathsf{GMW}\) Protocol in the Presence of an Active Adversary

In this section we prove that the execution of the passively secure \(\mathsf{GMW}\) protocol is additively corruptible. We begin by stating that \({\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) defined in Construction 4 is \({\mathcal {T}}\)-last-round-private as well as \({\mathcal {T}}\)-homomorphic to \({\mathsf {C}}\).

Lemma 3

Let n be a positive integer and let \({\mathsf {C}}\) be an n-party circuit. Then for any set of parties \({\mathcal {T}}\) such that \(|{\mathcal {T}}|<n\) it holds that the protocol \({\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) for computing \({\mathsf {C}}\) is \({\mathcal {T}}\)-last-round-private as well as \({\mathcal {T}}\)-homomorphic to \({\mathsf {C}}\).

Proof

(sketch). The \({\mathcal {T}}\)-last-round-private property follows from the fact that during the output recovery phase of \({\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\), all the parties locally re-randomize their shares with random sharings of 0. We now prove that \({\mathsf {C}}_{\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) is indeed \({\mathcal {T}}\)-homomorphic to \({\mathsf {C}}\). Fix randomness \(\mathbf{r }\) for \({\mathsf {C}}_{\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\). Next, for any input gate \(\mathtt {c}\) of \({\mathsf {C}}\), we set the homomorphism \({\mathcal {H}}\) to map \(\mathtt {c}\) to the corresponding input gate in \({\mathsf {C}}_{\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\). Then, for every multiplication gate \(\mathtt {c}\) of \({\mathsf {C}}\), we set \({\mathcal {H}}\) to map \(\mathtt {c}\) to the wire in \({\mathsf {C}}_{\mathsf {GMW}_{\mathsf {C}}^{\mathcal {T}}}\) corresponding to the share \(c_h\) held by the party \(P_h\) in step 4 of the \(\mathsf {Mult}^{\mathcal {T}}_\mathsf{GMW}\) protocol. Finally, we set \(\lambda ^{\mathtt {c}}\) to be the sum of all the shares \(c_i\) generated during steps 2 and 3 of \(\mathsf {Mult}^{\mathcal {T}}_\mathsf{GMW}\). Notice that since \(\mathsf {Mult}^{\mathcal {T}}_\mathsf{GMW}\) is \({\mathcal {T}}\)-randomized, \(\lambda ^{\mathtt {c}}\) can be uniquely determined from \(\mathbf{r }\). It can be easily verified that for every choice of \(\mathbf{r }\) the homomorphism \({\mathcal {H}}\) as well as the constants \(\lambda ^{\mathtt {c}}\), where \(\mathtt {c}\) is a multiplication gate, satisfy all the requirements of Definition 9.    \(\square \)

Combining the results of Lemmas 2 and 3 and Theorem 8 with additive-attack constructions in Sect. 5 we obtain the following theorem.

Theorem 10

(Cf. Theorem 1.5 in [11]). For any n-party circuit \({{\mathsf {C}}}:{\mathbb {F}}^{I_1}\times \cdots \times {\mathbb {F}}^{I_n}\rightarrow {\mathbb {F}}^{O_1}\) there exists a protocol \(\pi \) for \( O(1/|{\mathbb {F}}|)\)-securely computing \({\mathsf {C}}\) with abort in the OLE hybrid model. Moreover \(\pi \) invokes the OLE oracle \(O(n^2|{\mathsf {C}}|)\) times and has a total communication complexity of \(O(n^2|{\mathsf {C}}| )\) field elements.