From Yao's Millionaires to Privacy-Preserving ML —
Protocols, Secret Sharing & Real-World Deployment
Secret Sharing Garbled Circuits Oblivious Transfer Malicious Security
Andrew Yao, 1982: Two millionaires want to know who is richer without revealing their actual wealth to each other. This deceptively simple problem launched the field of secure computation.
n parties P1, ..., Pn each hold private input xi. They wish to jointly compute y = f(x1, ..., xn) such that each party learns only y (and nothing else about others' inputs).
Security is defined by comparison to an ideal world where a trusted third party (TTP) collects all inputs, computes f, and distributes outputs. A protocol is secure if no adversary can distinguish the real execution from the ideal one.
IDEAL WORLD: REAL WORLD:
P1 --x1--> [TTP] --y--> P1 P1 <----protocol----> P2
P2 --x2--> [TTP] --y--> P2 (no trusted party)
... ...
Pn --xn--> [TTP] --y--> Pn Pn <----protocol----> P1No party learns anything beyond its prescribed output. Formally: the view of each party can be simulated from its input and output alone.
The output is guaranteed to be the correct evaluation of f, even if some parties deviate from the protocol.
Corrupt parties must choose their inputs independently of honest parties' inputs (no adaptive input selection).
The strength of an MPC protocol depends on what adversary it resists. Two orthogonal axes: adversary behavior and corruption threshold.
Corrupted parties follow the protocol faithfully but try to extract extra information from their transcript (messages received + internal state).
Assumption: Parties are "honest but curious"
Advantage: Simpler, faster protocols
Use: Trusted corporate environments
Efficient Weaker guarantee
Corrupted parties can arbitrarily deviate from the protocol: send wrong messages, abort early, use inconsistent inputs.
Assumption: Worst-case adversary
Cost: 10-1000x overhead vs. semi-honest
Use: Adversarial / regulatory settings
Robust Expensive
Assumes more than half the parties are honest. Enables information-theoretic security (no computational assumptions) and efficient protocols over arithmetic circuits.
IT-secure Efficient
Up to n-1 parties may be corrupt. Requires computational assumptions (OT, public-key crypto). Security with abort is achievable; guaranteed output delivery is not.
Strongest threat Comp. assumptions
Splitting secrets so no single party learns anything
Adi Shamir (1979): A (t, n)-threshold scheme where any t+1 shares reconstruct the secret, but t or fewer shares reveal nothing. Based on polynomial interpolation over a finite field.
Share(s, t, n):
1. Choose random a₁, a₂, ..., aₜ ∈ F_p
2. Define polynomial: f(x) = s + a₁x + a₂x² + ... + aₜxᵗ
3. Give party Pᵢ the share: (i, f(i))
Reconstruct(shares):
Given t+1 points (xᵢ, yᵢ), use Lagrange interpolation:
s = f(0) = Σᵢ yᵢ · Πⱼ≠ᵢ (xⱼ / (xⱼ - xᵢ)) mod pThe simplest form of secret sharing: split a value into n random shares that sum (or XOR) to the secret. Every party must participate in reconstruction — a (n, n)-threshold scheme.
Share(s):
r₁, ..., rₙ₋₁ ← random bits
rₙ = s ⊕ r₁ ⊕ ... ⊕ rₙ₋₁
Reconstruct:
s = r₁ ⊕ r₂ ⊕ ... ⊕ rₙNatural for Boolean circuits. XOR is free in garbled circuits. Each share is uniformly random.
Boolean circuits
Share(s):
r₁, ..., rₙ₋₁ ← random in F_p
rₙ = s - r₁ - ... - rₙ₋₁ mod p
Reconstruct:
s = r₁ + r₂ + ... + rₙ mod pNatural for arithmetic circuits. Addition of shared values is local — no communication needed.
Arithmetic circuits
Donald Beaver (1991): Precompute random multiplication triples (a, b, c) where c = a·b in an offline phase. Use them to multiply shared values in the online phase with only 2 rounds of communication.
Given: shares [x], [y], and precomputed triple ([a], [b], [c]) where c = a·b
1. Each party computes and opens:
[d] = [x] - [a] → reveal d = x - a
[e] = [y] - [b] → reveal e = y - b
2. Each party locally computes:
[x·y] = d·e + d·[b] + e·[a] + [c]
Correctness: d·e + d·b + e·a + c
= (x-a)(y-b) + (x-a)b + (y-b)a + ab
= xy - ay - xb + ab + xb - ab + ay - ab + ab = xy ✓Open d and e simultaneously
then compute locally
Each party broadcasts
two field elements
Expensive part done
before inputs are known
Garbled circuits · Oblivious transfer · Gate-by-gate evaluation
Goldreich, Micali, Wigderson (1987): Evaluate a Boolean circuit gate-by-gate using XOR secret shares. XOR gates are free; AND gates require oblivious transfer.
Each wire w carries a secret-shared bit: w = wA ⊕ wB (Alice holds wA, Bob holds wB).
XOR gate (z = x ⊕ y):
Alice: z_A = x_A ⊕ y_A (local computation — FREE)
Bob: z_B = x_B ⊕ y_B
AND gate (z = x ∧ y):
z = (x_A ⊕ x_B) ∧ (y_A ⊕ y_B)
= x_A·y_A ⊕ x_A·y_B ⊕ x_B·y_A ⊕ x_B·y_B
Alice knows x_A·y_A, Bob knows x_B·y_B
Cross-terms x_A·y_B and x_B·y_A require 1-out-of-4 OTThe fundamental primitive of two-party computation. In 1-out-of-2 OT, a sender holds two messages (m0, m1). The receiver with choice bit b learns mb and nothing about m1-b. The sender learns nothing about b.
Uses public-key crypto (RSA, ECC, or lattice-based). Costly: ~milliseconds per OT. Naor-Pinkas protocol is standard.
Expensive ~128 base OTs
IKNP (2003): Use ~128 base OTs to generate millions of OTs using only symmetric crypto (hash + XOR). Amortized cost: microseconds per OT.
Efficient Key technique
Yao's garbled circuit protocol (1986): The garbler encrypts a Boolean circuit gate-by-gate. The evaluator decrypts exactly one output per gate without learning intermediate wire values.
Decades of research have reduced the cost of garbled circuits from 4 ciphertexts per gate to as low as 1.5.
| Optimization | Ciphertexts/Gate | Key Idea | Year |
|---|---|---|---|
| Naive | 4 | Encrypt all 4 truth table rows | 1986 |
| Point-and-Permute | 4 | Append permute bit to labels; evaluator decrypts only 1 row | 1990 |
| Row Reduction (GRR3) | 3 | Set one output label so one ciphertext is all-zeros | 1999 |
| Free XOR | 0 (XOR) | Global offset R: k1w = k0w ⊕ R for all wires | 2008 |
| Half-Gates | 2 (AND) | Split AND into garbler-half + evaluator-half | 2015 |
| Three Halves | 1.5 (AND) | Slicing technique, amortized across gates | 2021 |
Key insight: decompose AND(a, b) into two "half-gates" — one where the garbler knows one input, one where the evaluator knows one input. Each half-gate costs 1 ciphertext, totaling 2 ciphertexts per AND gate. Combined with Free XOR, this is optimal for a class of linear garbling schemes.
Beaver, Micali, Rogaway (1990): Extends garbled circuits to n parties while maintaining constant rounds. All parties jointly generate one garbled circuit, then evaluate it non-interactively.
SPDZ · Shamir-based MPC · MAC verification
Damgard, Pastro, Smart, Zakarias (2012): Achieves malicious security with dishonest majority using information-theoretic MACs on all shared values. Name pronounced "Speedz."
Each shared value x has MAC: [x] = (x₁,...,xₙ) with [α·x] = MAC shares
Global MAC key α is itself secret-shared: α = α₁ + ... + αₙ
OFFLINE PHASE (expensive):
Generate Beaver triples with MACs using Somewhat HE or OT
All triples: ([a], [b], [c]) with [α·a], [α·b], [α·c]
ONLINE PHASE (fast):
Addition: [x+y] = [x] + [y], MACs add locally
Multiplication: Beaver's protocol using precomputed triples
Output: Open value, then MAC-check to detect cheating
MAC CHECK: Verify α·x = Σᵢ m_i where m_i are MAC shares
→ Any deviation by malicious party detected with prob 1 - 2⁻ˢInformation-theoretic MAC
cannot be forged
Tolerates up to n-1
malicious parties
Online phase is only
~2x slower than passive
When t < n/2 parties are corrupt, Shamir secret sharing enables highly efficient MPC over arithmetic circuits with information-theoretic security. The BGW protocol (1988) is the foundation.
Share inputs: Each Pᵢ shares xᵢ with degree-t Shamir sharing
Addition gate: [x+y]ᵢ = [x]ᵢ + [y]ᵢ (local, free)
Constant mult: [c·x]ᵢ = c · [x]ᵢ (local, free)
Multiplication gate (the hard part):
1. Local multiply: hᵢ = [x]ᵢ · [y]ᵢ (degree 2t polynomial!)
2. Degree reduction: Reshare hᵢ with degree t
→ Each party sends shares to all others (O(n²) communication)
→ Recombine using Lagrange on degree-2t points
3. Result: degree-t sharing of x·yPrivate set intersection · ML · Auctions · Key management
Two parties hold sets X and Y. They want to learn X ∩ Y without revealing elements not in the intersection. A flagship MPC application with major real-world deployments.
Modern OT-based PSI handles 228 elements (268M) in under 100 seconds. Communication: ~1 byte per element with cuckoo hashing.
PSI-Cardinality: learn only |X ∩ Y|
PSI-Sum: learn sum of associated values
Labeled PSI: retrieve payloads for matched items
Google: Private ad measurement
Apple: CSAM detection (NeuralHash + PSI)
Meta: Private ad attribution
MPC enables training and inference on joint datasets without revealing raw data. Critical for healthcare, finance, and cross-organizational collaboration.
Server holds model weights, client holds data. Evaluate neural network using mixed protocols:
Linear layers: Arithmetic SS (Beaver triples)
ReLU/comparisons: Garbled circuits or OT
Softmax: Approximation via polynomials
CrypTFlow2: ResNet-50 inference in 4.1 seconds (LAN)
Multiple parties hold different training data partitions. Run SGD with secret-shared gradients:
Forward pass: Arithmetic + Boolean SS
Backprop: Fixed-point arithmetic in SS
Gradient update: Local after aggregation
SecureML: Training logistic regression on MNIST in ~40 minutes (2PC, WAN)
Sealed-bid auctions where bids remain private. Compute the winning bid and winner without revealing losing bids.
Danish sugar beet auction (2008): First large-scale MPC deployment. 1,229 farmers submitted bids through a 3-server MPC system. Computed market-clearing price in ~30 minutes.
Deployed
Voters submit encrypted ballots. MPC tallies votes without revealing individual choices. Enables universal verifiability.
Helios & Estonia: Threshold decryption of homomorphic ballots. ADDER: Secret-shared tallying protocol. Protects ballot secrecy even if some servers are compromised.
Critical
Threshold signatures: t-of-n parties must collaborate to sign. No single point of compromise for private keys.
Fireblocks: MPC-based custody for $6T+ in digital assets. Threshold ECDSA: GG18/GG20 protocols for Bitcoin/Ethereum. Eliminates single key storage risk.
Production
Fully Homomorphic Encryption and MPC are complementary. FHE enables non-interactive computation on encrypted data; MPC distributes trust. Combining them yields powerful hybrid protocols.
SPDZ originally used Somewhat HE (Brakerski-Fan-Vercauteren) to generate Beaver triples. Each party encrypts random values under FHE, then jointly compute c = a·b homomorphically.
Advantage: fewer rounds than OT-based triple generation. Modern SPDZ variants (Overdrive, MASCOT) offer OT-based alternatives.
Threshold FHE: distribute the FHE secret key among n parties. Decryption requires MPC (threshold decryption). Bootstrapping can be distributed to avoid any single party seeing plaintext.
Application: cloud computation where the cloud runs FHE, and multiple clients collaboratively decrypt results.
| Approach | Interaction | Trust Model | Best For |
|---|---|---|---|
| Pure MPC | High (rounds per gate) | Distributed | Low-latency LAN settings |
| Pure FHE | None (non-interactive) | Key holder | Outsourced computation |
| MPC + FHE | Minimal | Distributed | WAN / high-latency settings |
| MPC + FHE + ZK | Moderate | Distributed + verifiable | Regulatory compliance |
Communication is the dominant bottleneck in MPC. Understanding the cost structure is essential for choosing the right protocol.
| Protocol | Setting | Rounds | Comm. per AND gate | Corruption |
|---|---|---|---|---|
| Yao's GC | 2PC | O(1) | 2κ bits (half-gates) | Semi-honest |
| GMW | 2PC/nPC | O(depth) | O(n2κ) bits | Semi-honest |
| BMR | nPC | O(1) | O(nκ) bits per gate | Semi-honest |
| BGW | nPC | O(depth) | O(n2) field elements | t < n/2 |
| SPDZ | nPC | O(depth) | O(n) field elements | Malicious |
| Cut-and-Choose GC | 2PC | O(1) | s·2κ bits (s copies) | Malicious |
| Authenticated GC | 2PC | O(1) | ~4κ bits | Malicious |
High bandwidth compensates
for large messages. Deep circuits OK.
Latency dominates. Constant-round
protocols (Yao, BMR) preferred.
Bandwidth-constrained. Silent OT
and compact protocols critical.
Several mature open-source frameworks make MPC accessible to practitioners. Each targets different protocol families and security models.
| Framework | Protocols | Security | Language | Key Feature |
|---|---|---|---|---|
| MP-SPDZ | SPDZ, MASCOT, Shamir, BMR, Yao | Both | Python-like DSL / C++ | 30+ protocol variants; most comprehensive |
| EMP-toolkit | Garbled circuits, OT, authenticated GC | Both | C++ | Fastest 2PC garbled circuits |
| ABY / ABY3 | Arithmetic, Boolean, Yao (mixed) | Semi-honest | C++ | Mixed-protocol optimization |
| MOTION | GMW, BMR, arithmetic SS | Semi-honest | C++ | Multi-party, extensible |
| CrypTen | Arithmetic SS, Beaver triples | Semi-honest | Python (PyTorch) | ML-focused, PyTorch integration |
| SCALE-MAMBA | SPDZ | Malicious | Python-like / Rust | Full malicious security, MAMBA lang |
# MP-SPDZ program — each party inputs their wealth privately
wealth_alice = sint.get_input_from(0) # Party 0's private input
wealth_bob = sint.get_input_from(1) # Party 1's private input
result = (wealth_alice > wealth_bob) # Secure comparison
print_ln("Alice is richer: %s", result.reveal()) # Open result onlyMPC has moved from theory to production. Major technology companies deploy MPC at scale for privacy-critical applications.
Google's Privacy Sandbox uses MPC (attribution reporting API) for measuring ad effectiveness without tracking individual users. Two non-colluding servers compute aggregate reports via secret sharing.
Production Billions of events
iCloud Private Relay: Two-server architecture where neither server sees both user identity and destination. Threshold PSI used for CSAM detection (later paused).
Production Millions of users
Signal uses SGX-based PIR/PSI to discover which contacts are on Signal without revealing the user's full contact list to Signal's servers. SGX + cryptographic protocol for defense-in-depth.
Production 100M+ users
Boston Fed + MIT: MPC for cross-bank regulatory reporting. Unbound/Sepior (Coinbase): Threshold ECDSA for custody. ING: MPC-based money laundering detection across banks.
Production Regulatory
Practical performance of MPC protocols on representative computations. All numbers assume 128-bit security.
| Computation | Protocol | Parties | LAN Time | WAN Time | Comm. |
|---|---|---|---|---|---|
| AES-128 | Yao (half-gates) | 2 | 0.5 ms | 55 ms | 218 KB |
| AES-128 | SPDZ (malicious) | 3 | 3 ms | 180 ms | ~1 MB |
| SHA-256 | Yao (half-gates) | 2 | 2.1 ms | 110 ms | 850 KB |
| PSI (220 items) | KKRT + OT ext. | 2 | 2.8 s | 12 s | 42 MB |
| PSI (224 items) | KKRT + OT ext. | 2 | 38 s | 145 s | 672 MB |
| Logistic Reg. (MNIST) | ABY (mixed) | 2 | 0.3 s/epoch | 8 s/epoch | ~50 MB |
| ResNet-50 Inference | CrypTFlow2 | 2 | 4.1 s | ~60 s | ~600 MB |
| Sorting (106) | 3PC Shamir | 3 | 12 s | ~90 s | ~2 GB |
A complete implementation of Shamir's (t, n)-threshold secret sharing over a prime field.
import secrets
def shamir_share(secret: int, t: int, n: int, p: int) -> list:
"""Split secret into n shares with threshold t+1."""
# Random polynomial: f(x) = secret + a1*x + a2*x^2 + ... + at*x^t
coeffs = [secret] + [secrets.randbelow(p) for _ in range(t)]
def eval_poly(x):
return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p
return [(i, eval_poly(i)) for i in range(1, n + 1)]
def lagrange_interpolate(shares: list, p: int) -> int:
"""Reconstruct secret from t+1 shares using Lagrange interpolation."""
secret = 0
for i, (xi, yi) in enumerate(shares):
num, den = 1, 1
for j, (xj, _) in enumerate(shares):
if i != j:
num = (num * (-xj)) % p
den = (den * (xi - xj)) % p
secret = (secret + yi * num * pow(den, -1, p)) % p
return secret
# Example: (2, 5)-threshold sharing — need 3 of 5 shares
p = 2**127 - 1 # Mersenne prime
shares = shamir_share(42, t=2, n=5, p=p)
assert lagrange_interpolate(shares[:3], p) == 42 # Any 3 suffice
assert lagrange_interpolate(shares[2:5], p) == 42 # Any 3 sufficeTwo-party secure multiplication using precomputed Beaver triples over additive secret sharing.
class Party:
def __init__(self, x_share, a_share, b_share, c_share, p):
self.x = x_share; self.a = a_share
self.b = b_share; self.c = c_share; self.p = p
def compute_masked(self, y_share):
"""Step 1: Compute and broadcast masked values."""
self.d_share = (self.x - self.a) % self.p # [d] = [x] - [a]
self.e_share = (y_share - self.b) % self.p # [e] = [y] - [b]
return self.d_share, self.e_share
def compute_product(self, d, e, is_party_1=False):
"""Step 2: Compute share of x*y from opened d, e."""
# [x*y] = d*e + d*[b] + e*[a] + [c]
result = (d * self.b + e * self.a + self.c) % self.p
if is_party_1:
result = (result + d * e) % self.p # Only P1 adds d*e
return result
# Simulation: x=7, y=13, a=3, b=5, c=15 (c = a*b), p=97
p = 97
# Additive shares: x=7 → (2, 5), y=13 → (8, 5), etc.
p1 = Party(2, 1, 3, 10, p) # Party 1 shares
p2 = Party(5, 2, 2, 5, p) # Party 2 shares
d1, e1 = p1.compute_masked(8); d2, e2 = p2.compute_masked(5)
d, e = (d1 + d2) % p, (e1 + e2) % p # Open d=4, e=6
z1 = p1.compute_product(d, e, True); z2 = p2.compute_product(d, e)
assert (z1 + z2) % p == (7 * 13) % p # 91 mod 97 = 91 ✓MPC research remains extremely active, pushing boundaries in efficiency, functionality, and new computational models.
Standard MPC reveals the function f to all parties. Function-hiding MPC keeps f private too — only one party knows what is being computed. Built on garbled circuits + universal circuits or indistinguishability obfuscation.
Application: proprietary algorithms on outsourced data
Theoretical
Goal: MPC with communication overhead approaching O(|C|) — proportional to circuit size with constant factor. Recent breakthroughs:
Boyle et al. (2019): Pseudorandom correlation generators (PCG) — generate correlated randomness from short seeds using LPN assumptions. Silent OT: Near-zero communication OT extension.
Breakthrough
Parties can dynamically join and leave the computation. Eliminates the requirement for a fixed set of participants. Uses committee rotation and handoff protocols.
Motivated by blockchain / decentralized settings where participants change over time.
Emerging
Simulate an MPC protocol "in your head" to construct zero-knowledge proofs. IKOS paradigm (2007) → BBQ, Limbo, SDitH. Foundation of the NIST PQC signature candidate SDitH (based on MPC-in-the-Head of syndrome decoding).
Cross-domain
Foundations — Yao's Millionaires' Problem, ideal/real world paradigm, semi-honest vs. malicious security models, honest vs. dishonest majority thresholds.
Secret sharing — Shamir's polynomial-based (t, n)-threshold scheme, additive sharing (XOR and arithmetic), Beaver triples for multiplication with 2-round online phase.
Two-party protocols — Garbled circuits (Yao) with half-gates optimization (2 ciphertexts/AND), GMW gate-by-gate evaluation, oblivious transfer and OT extension (IKNP).
Multi-party protocols — BMR for constant-round n-party garbled circuits, BGW for Shamir-based honest majority, SPDZ for malicious security with information-theoretic MACs.
Applications — Private set intersection at scale (268M elements), privacy-preserving ML (ResNet-50 in 4.1s), secure auctions, threshold key management, ad measurement.
Frontiers — Pseudorandom correlation generators, silent OT, constant-overhead MPC, fluid MPC for dynamic participants, MPC-in-the-Head for zero-knowledge proofs.