MP-SPDZ icon indicating copy to clipboard operation
MP-SPDZ copied to clipboard
verified publisher icon data61

Are there tools for Linear SS Conversion

Open otouat opened this issue 2 months ago • 7 comments

Hi everyone,

I try to implement the following on MP-SPDZ and I wonder how can I achieve that :

  • I run a 3-PC (or more) in additive sharing (for example with the semi protocol) to compute a function on the parties input ( lets assume one per party for now), lets call that group A. They now all have additive shares of the computed function.
  • I want now for each of those previous parties to transform their shares in shamir (t,n) and send those share (now as a dealer) to a group of n parties (I will call that group S).
  • In S, each party recieve the share of each party of A (aborts if it dont recieve a share from all parties of A). After each party of S sums the shares over the parties of A, they now hold a (t,n)- shamir share of the ouput of the function computed by A.

I wonder how can I add this resharing scheme using what is already existing in this framework. Right now I naively tried to save the share output of A in a file using sfix.write_to_file, and then try to read that file, without success

otouat avatar Nov 03 '25 14:11 otouat

You can use external clients as "share receivers". The easiest way to do so would be to generate each clients share within the MPC (i.e., sample random coefficients and compute the polynomial points in the Python code), and then reveal the share to receiving clients.

It may be possible to slightly optimize this in the semi-honest setting by having all parties generate the same coefficients using a shared PRNG and then sending the shares directly to the external clients, but that would require changes to the virtual machine. Depending on how MP-SPDZ samples random values in the semi-honest setting (which I do not know from the top of my head), this might not even be faster than the easy approach.

Vinc0682 avatar Nov 03 '25 18:11 Vinc0682

I don't think MP-SPDZ offers much for the share conversion you're looking for. Shamir secret sharing is implemented in Protocols/ShamirInput.hpp where init sets up reconstruction factors (a matrix such that matrix multiplication with a vector of the secret and some shares results in the remaining shares). These are then used in add_mine to compute the actual secret sharing. This approach comes from the ATLAS paper and is designed to minimise communcation. In your case, the necessary matrix would most likely look different. You can of course use the C++ functionality for your implementation, which would provide you with efficient modular arithmetic and some functions for communication (serialisation and networking). However, unless you expect this part to be highly performance critical, you might have an easier time doing this part independently of MP-SPDZ as e.g. Python provides somewhat efficient modular arithmetic with gmpy2, and it has plenty of functionality for communication. Furthermore, MPyC has a Python module for Shamir sharing: https://mpyc.readthedocs.io/en/latest/mpyc.html#module-mpyc.thresha

To transmit shares from a larger computation in MP-SPDZ to your component, I agree with @Vinc0682 to use the client interface, which is also available in Python.

mkskeller avatar Nov 04 '25 01:11 mkskeller

Thanks you very much for helping me on that matter. I think I do understand the explanation.

I was also meddling with the bankers client example for the client interface, I was able to reproduce a case were each client would be able to secretly share their value (i.e a scalar or a vector of scalar) as a secret to multiple server that would be able to continue computation (with shamir + malicious security). For that I had a client module that established a connection with the server and use the octetstream class to rend values that the client would read from a file.

I was now looking at a way to make those client share secretly share "the share of the computed value done with additive sharing" to that same set of servers. But I struggled to find direct access to the shares so that I would try to reproduce what I explained on top.

otouat avatar Nov 04 '25 09:11 otouat

If by servers you mean the MP-SPDZ computing parties, they cannot switch the protocol/sharing scheme, and you would need to run another set for another secret sharing scheme. Furthermore, an octetStream is a serialization that you can access with unpack methods of the relevant domain classes in both C++ and Python.

mkskeller avatar Nov 05 '25 01:11 mkskeller

I am sorry if I was not clear! Yes it's not the same set of parties,

For exemple after doing additive sharing, P1, P2, P3 then act as dealers, to send to their share to another set (P4 to P10) using Shamir Secret Sharing, and then that new set would continue computation in that new scheme (only requiring that those new parties receive all shares from P1 to P3).

So to do that, I tried to save the share of parties P1 to P3 in a file, to directly reuse the client interface, so that P1 to P3 would generate shamir share (from their additive share) and send them to that new set of parties. But I struggle to read the file that would contain the share. I will take a look to octetstream to try to unpack the share in that file.

Thanks you again for your time

otouat avatar Nov 05 '25 14:11 otouat

Which file do you mean? The client interface works without files.

mkskeller avatar Nov 06 '25 01:11 mkskeller

In the bankers-bonus-client.py module, the client input that would be shared is an argument, so when I took what was on it to reproduce my case, I did write the file so that the client would instead read a file and share its content.

otouat avatar Nov 06 '25 06:11 otouat

For what it's worth, in my use cases I have also done what @Vinc0682 suggested - I have an implementation of Shamir's secret sharing as a module written in the python interface, and whenever I have a functionality that is supposed to output Shamir shares to parties, I compute the result, and then in a final step I secret share the result and write it back to the parties with the client interface. Seems to work pretty well and implementation was easy since field arithmetic is taken care of with sint/sgf2n, though I have not done any kind of rigorous benchmarking on its performance. My only concern with this approach is somewhat orthogonal and has to do with the privacy of writing back to parties with the client - see #1744

csasmith avatar Nov 12 '25 16:11 csasmith

Hello all,

So yes I've finally got a working script following all the previous advice (thanks again), so I used the client class in a python module to recieve the share from semi parties (with the semi parties using write_to_socket to send its share to the client class in the python module using recieve_plain_values), then privately send them to shamirs parties (that I was already able to do using the bankers client example, creating a connection with the shamirs parties and then sending "secretly" with send_private_inputs() ). I needed to have one python module per running semi parties, then it was done.

So in that case, having a client forwarding the shares was the way to go (which follows what was said by @Vinc0682). While the semi parties computed an average function, the shamir parties only needed to compute the sum, then reveal the output, which was the semi parties computed mean as wanted.

Thanks again for your help

otouat avatar Nov 12 '25 17:11 otouat