Supported MPC Protocol#

Currently, SPU implements the following protocols.

ABY3: A honest majority 3PC-protocol, SPU provides semi-honest implementation, note, it’s hard to resist collusion attacks if more than two computing nodes deployed together.
Semi2k-SPDZ* : A semi-honest NPC-protocol similar to SPDZ but requires a trusted third party to generate offline randoms. By default this protocol now uses trusted first party. Hence, it should be used for debugging purposes only.
Cheetah* : A fast 2pc semi-honest protocol, which uses carefully designed homomorphic encryption-based protocols for arithmetic operations and Ferret for boolean operations.

Currently, we mainly focus on bridging existing AI frameworks to SPU via XLA, an intermediate representation where we can hook Tensorflow, Torch and Jax.

We welcome security experts to help contribute more security protocols.

Complexity#

Note

The complexity metrics are dumped from the source code, it’s supposed to be accurate and could be used as a formal cost model.
In Semi2k, only online stage complexity is considered.

Notation:

N is short for the number of parties.
K is short for the k in module 2^k.
m is short for rows of mmul lhs operand.
n is short for cols of mmul rhs operand.

Naming convention:

a for arithmetic share.
b for boolean share.
p for public value.

For example, mul_aa is short for multiply of two arithmetic shares.

Semi2k#

kernel	latency	comm
a2b	(log(K)+1)*log(N)	(2log(K)+1)2K(N-1)*(N-1)
b2a	1	K*(N-1)
a2p	1	K*(N-1)
b2p	1	K*(N-1)
add_bb	log(K)+1	log(K)K2+K
add_aa	0	0
add_ap	0	0
mul_aa	1	K2(N-1)
mul_ap	0	0
mmul_aa	1	K2(N-1)mn
mmul_ap	0	0
trunc_a	1	K*(N-1)
xor_bb	0	0
xor_bp	0	0
and_bb	1	K2(N-1)
and_bp	0	0

Aby3#

kernel	latency	comm
a2b	log(K)+1+1	log(K)K+K2
b2a	TODO	TODO
a2p	1	K
b2p	1	K
add_bb	log(K)+1	log(K)K2+K
add_aa	0	0
add_ap	0	0
mul_aa	1	K
mul_ap	0	0
mmul_aa	1	Kmn
mmul_ap	0	0
trunc_a	3	4*K
xor_bb	0	0
xor_bp	0	0
and_bb	1	K
and_bp	0	0