6

There exist protocols for 2-party computation, e.g., GMW, that use Boolean circuits. I could also use Paillier and arithmetic circuits for a 2-party computation. However, after reading about SPDZ, it is my understanding that I could use it to do 2-party computation. Is my understanding correct? Besides the fact that I would have to generate tons of triples, is there any other drawback of using SPDZ for 2-PC? If this is the case, why is it not widely used for the 2-party case? Should I favor a 3-party setting instead of a 2-party one when using SPDZ?

DaWNFoRCe

2 Answers

7

Your understanding is correct. The SPDZ protocol can be used for any number of two or more parties. In fact, this is one of the strengths of the SPDZ protocol. Namely, many recent secure computation protocols such as the various versions of the Yao protocol or the TinyOT protocol are limited to two parties. So it may sometimes be overemphasized that SPDZ goes beyond two parties.

There is no drawback to using SPDZ with just two parties compared to three parties. Certain aspects, such as the required broadcast, actually become simpler in the two-party case. So you should never try to add additional parties beyond what you need; it will only make your application less efficient.

However, there are many trade-offs to consider when choosing a secure computation protocol. Therefore, there could be good reasons to pick another protocol than SPDZ in a two-party setting. For example, SPDZ is based on arithmetic operations. If your application is heavy on Boolean operations, other protocols such as TinyOT, which is based on Boolean operations, may perform better. Also, SPDZ has round complexity proportional to the depth of the circuit you are evaluating. Yao has constant round complexity for any circuit. So if you are in a high-latency setting or evaluating a very deep circuit, Yao may perform better than SPDZ.

Guut Boy
5

my understanding I could use it to do 2-party computation

You are correct, SPDZ can give secure MPC for any number of parties. It is just a matter of generating enough multiplication triples.

Should I favor a 3 party setting instead of a 2 party one when using SPDZ?

Whichever makes sense in your application is fine.

why is it not widely used for the 2-party case?

The only reason to prefer something else is round complexity. In the 2-party case specifically you have the extra option of using protocols based on garbled circuits (i.e., Yao's protocol). Yao's protocol is constant-round, while SPDZ & GMW require interaction for each multiplication gate (so the round complexity is proportional to the depth of the circuit).

Note: the BMR protocol is a constant-round variant of Yao for $n > 2$, but it is much less efficient than something like SPDZ.

Mikero
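Added example (not part of either answer or of any SPDZ implementation): a Python simulation of Beaver-triple multiplication on additive shares, showing that a product of 8 inputs consumes 7 triples however it is arranged, while the number of communication rounds follows the multiplicative depth. Assumptions: a trusted dealer stands in for the offline phase, the SPDZ MAC check is omitted, and all names (`Online`, `mul_layer`, `product_chain`, `product_tree`) and the modulus are hypothetical choices.

```python
import secrets
P = 2**61 - 1  # prime modulus for the arithmetic circuit (constructed choice)

def share(x, n=2):
    """Split x into n additive shares mod P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(x - sum(parts)) % P]

def reveal(shares):
    return sum(shares) % P

class Online:
    """Online phase for n parties; a dealer stands in for the offline phase."""
    def __init__(self, n=2):
        self.n, self.triples, self.rounds = n, 0, 0

    def triple(self):
        a, b = secrets.randbelow(P), secrets.randbelow(P)
        self.triples += 1
        return share(a, self.n), share(b, self.n), share(a * b % P, self.n)

    def mul_layer(self, pairs):
        """Multiply independent pairs of shared values in one round of openings."""
        out = []
        for x, y in pairs:
            a, b, c = self.triple()
            # Each party broadcasts its share of x-a and y-b; both are opened.
            d = reveal([(xi - ai) % P for xi, ai in zip(x, a)])
            e = reveal([(yi - bi) % P for yi, bi in zip(y, b)])
            z = [(ci + d * bi + e * ai) % P for ai, bi, ci in zip(a, b, c)]
            z[0] = (z[0] + d * e) % P  # public term added by one party only
            out.append(z)
        self.rounds += 1
        return out

def product_chain(values, n=2):
    net = Online(n)
    acc, *rest = [share(v, n) for v in values]
    for s in rest:  # each multiplication waits for the previous one
        (acc,) = net.mul_layer([(acc, s)])
    return reveal(acc), net.triples, net.rounds

def product_tree(values, n=2):
    net = Online(n)
    layer = [share(v, n) for v in values]
    while len(layer) > 1:  # all gates at the same depth share one round
        pairs = list(zip(layer[0::2], layer[1::2]))
        layer = net.mul_layer(pairs) + layer[len(pairs) * 2:]
    return reveal(layer[0]), net.triples, net.rounds
```

Both functions return `(result, triples used, rounds)`; the `n` parameter runs the same code with more than two parties.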