Protocol Suites¶
Various techniques for secure computation are currently known. In the literature these are referred to as secure computation protocols. However, as these usually consist of a number of sub-protocols in FRESCO we use the term protocol suites to avoid ambiguity. I.e., in FRESCO a protocol suite is taken to be a set of sub-protocols that as a collection implements general secure computation.
FRESCO is designed to work with multiple interchangeable protocol suites and aims to support the development of new protocol suites. FRESCO also comes with a few protocol suites already implemented. The following table gives a rough comparison of the currently included protocol suites.
| Suite | Parties | Adversary | Model of Computation | Reactive |
|---|---|---|---|---|
| Dummy Boolean | 1+ | none | Boolean | yes |
| Dummy Arithmetic | 1+ | none | Arithmetic | yes |
| TinyTables | 2 | semi-honest | Boolean | yes |
| SPDZ | 2+ | malicious | Arithmetic | yes |
| SPDZ2k | 2+ | malicious | Arithmetic | yes |
Here the Parties column describes the number of parties that can be involved in secure computation using the given protocol suite. Adversary describes the type of adversary the protocol suite tolerates. The Model of Computation describes how the protocol represent the computation to be securely computed. Currently, protocol suites in FRESCO are tied to a single model of computation, i.e., the SPDZ suite only supports Arithmetic computations and does not support Boolean computations. Finally, a protocol suite being reactive means that it allows intermediate values to be opened, and further secure computation may continue on closed values that depend on the values opened so far.
Below we will describe the protocol suites in a little more detail.
The Dummy Boolean and Arithmetic Protocol Suites¶
The dummy suites do all computations in the clear and thus provide no security at all. These suites are intended for testing and debugging. Contrary to other protocol suites they can run with only one party.
The dummy suites are also useful for benchmarking: The overhead of the dummy suite can be seen as the baseline overhead of FRESCO when no security is applied.
The TinyTables Protocol Suite¶
The TinyTables protocol suite is based on work by Damgård et al. [DNNR17]. This protocol suite works in the Boolean setting, with exactly two parties and the original protocol comes in versions that provide security against both a semi-honest and malicious adversary. The version currently implemented in FRESCO, however, only implements security against semi-honest adversaries.
TinyTables uses a simple technique to preprocessing the function to be evaluated before the input is known. This preprocessing involves creating a small table of values for each AND gate involved, hence the name TinyTables. Online evaluation is reduced to a lookup into such a table for each AND gate with minimal communication overhead. As with other Boolean protocol suites, TinyTables evaluates XOR’s locally without communication.
The SPDZ Protocol Suite¶
The SPDZ suite is based on another work of Damgård et al. [DPSZ12]. This protocol suite works over a finite field of size at least \(2^s\) where s is a statistical security parameter. I.e., it works in the arithmetic setting. SPDZ allows for two or more parties to participate in the secure computation and is secure against malicious adversaries.
SPDZ is based on additive secret sharing over the given finite field. It requires a preprocessing step to produce so called Beaver Triples which will be used online to evaluate multiplications. Contrary to TinyTables, SPDZ preprocessing is not directly dependent on the function to be evaluated online beyond the number of multiplications to be performed. In the online evaluation, SPDZ uses the preprocessed data to evaluate each multiplication with a small amount of communication, whereas addition can be done locally.
The SPDZ2k Protocol Suite¶
The SPDZ2k protocol suite is based on a variant of SPDZ due to Cramer et al. [CDESX18]. In contrast to the regular SPDZ protocol which works over a field SPDZ2k works over the ring \(Z_{2^k}\) for some \(k\). This is an advantage as working in such a ring more closely resembles how arithmetic on the integers behaves in normal programming languages and it allows for various optimizations compared to working over a field.
The current implementation supports all numeric native protocols, however there are higher level computations (for instance equality and comparison) which it is not yet compatible with. Support for those is forthcoming.