
PentaGOD: Stepping beyond Traditional GOD with Five Parties

Nishat Koti, Varsha Bhat Kukkala, Arpita Patra,


Bhavish Raj Gopal
kotis,varshak,arpita@iisc.ac.in
gbhavish@gmail.com
Indian Institute of Science
Bangalore, India

This is the full version of the paper to appear at ACM CCS 2022.

ABSTRACT

Secure multiparty computation (MPC) is increasingly being used to address privacy issues in various applications. The recent work of Alon et al. (CRYPTO'20) identified the shortcomings of traditional MPC and defined a Friends-and-Foes (FaF) security notion to address the same. We showcase the need for FaF security in real-world applications such as dark pools. This subsequently necessitates designing concretely efficient FaF-secure protocols. Towards this, keeping efficiency at the center stage, we design ring-based FaF-secure MPC protocols in the small-party honest-majority setting. Specifically, we provide (1,1)-FaF secure 5 party computation protocols (5PC) that consider one malicious and one semi-honest corruption and constitute the optimal setting for attaining honest majority. At the heart of it lies the multiplication protocol that requires a single round of communication with 8 ring elements (amortized). To facilitate having FaF-secure variants for several applications, we design a variety of building blocks optimized for our FaF setting. The practicality of the designed (1,1)-FaF secure 5PC framework is showcased by benchmarking dark pools. In the process, we also improve the efficiency and security of the dark pool protocols over the existing traditionally secure ones. This improvement is witnessed as a gain of up to 62× in throughput compared to the existing ones. Finally, to demonstrate the versatility of our framework, we also benchmark popular deep neural networks.

KEYWORDS

multi-party computation; friends-and-foes security (FaF); honest majority; dark pools; PPML

1 INTRODUCTION

With the steady rise in the awareness of data privacy, we are witnessing a paradigm shift in healthcare, finance, and various other sectors involved in processing a large amount of sensitive client data. Various privacy-preserving practices are being adopted to reassure clients and provide them with the highest level of security guarantees. Given the ease of accommodating multiple data owners and its computational efficiency, many real-world applications prefer the use of secure multiparty computation (MPC) to perform privacy-preserving computations [7–9, 55]. Informally, MPC enables $n$ mutually distrusting parties to compute a function over their private inputs, while ensuring the privacy of the same against an adversary controlling up to $t$ parties. Various application scenarios where MPC based solutions have been proposed include– secure auctions [9], privacy-preserving machine learning [13, 18, 19, 24, 36, 37, 43, 45, 56, 63], secure recommendation systems [35, 59] and real-world deployments such as the Estonian study on correlation between tax data and educational records [8] and the study of salary inequities across various employees in the city of Boston [7]. Although MPC has been the apt solution for addressing privacy issues in various real-world problems, we expose the inadequacy of traditional security offered by MPC for applications with highly sensitive data. We use the example of financial trading forums such as dark pools to demonstrate the same.

The need for privacy naturally extends to processing financial transaction data. This has been one of the primary reasons for the emergence of dark pools that allow investors to trade (buy and/or sell) financial instruments such as securities (stocks, bonds etc.) outside of the prying eyes of the public and ensure the trade remains unexposed until it is completed. This allows investors to trade large blocks of securities privately and ensure the market is not impacted by the knowledge of such potential large-scale trade. For example, public knowledge of an institution trying to sell a large portion of its shares would cause a sudden depreciation of its share value even before the transaction is completed. On the other hand, the market impact is known to be much smaller when the trade is reported after it is executed. This is the working principle underlying dark pools, which makes them a popular choice for trading. Dark pools are traditionally operated by trusted brokers who are made aware of the trade interests of the clients. They are then expected to find matching counter-parties within their network of private clients. The clients, in the process, place complete trust on the broker to not misuse the trade interests disclosed in the clear. However, several instances have showcased misuse of insider information where dark pool operators have been fined for the same [47–53].

To guarantee complete privacy, the interest to trade must never be disclosed in the open, not even to the broker operating the dark pool. Ideally, matches between sellers and buyers must be found without disclosing this sensitive information. Thus, the problem can be modeled as an instance of MPC, where the private input is the data related to the trade, and the clients are interested in securely matching the possible trades. In this setting, rather than the dark pool being operated by a central trusted broker, it is emulated by an MPC protocol run among a set of parties. Clients secret share their trade data to these parties in such a way that no subset of at most $t$ of these parties learns any information. These parties are responsible for running the MPC protocol designed to identify matching trades securely. The applicability of MPC for securely operating dark pools has been shown previously [5, 16, 17, 23]. Although MPC is befitting to the addressed problem, the current solutions are far from complete. All the proposed protocols only offer malicious security with abort. That is, the protocols are designed to abort if the malicious adversary misbehaves and it is possible that
the adversary alone obtains the output. This could cause denial of service attacks and result in the protocol terminating even before the matched trades are disclosed. Further, such a setting allows an adversary to cause repeated failures. Since time is of essence in applications such as dark pools, this not only results in wastage of valuable compute resources, but may also hamper the functionality of the system. Hence, any security notion that empowers the adversary to abort does not fit the bill. Instead, a security notion that guarantees delivery of output regardless of the adversary's misbehaviour is desirable. This is achieved by guaranteed output delivery (GOD) or robustness, which is the strongest security notion that an MPC protocol offers. Hence it is imperative to realize robust, secure dark pools. The presence of GOD uplifts the trust and encourages client participation in the system.

It is well known that an honest majority among the parties is necessary to achieve GOD [21]. Moreover, honest majority enables designing efficient protocols in comparison to dishonest majority. Further, honest-majority MPC for a small set of parties has witnessed huge interest lately [2, 3, 10, 11, 13, 15, 18, 19, 29, 44, 46, 56]. This is due to the various customizations it allows, resulting in huge efficiency gains. Hence, to realize applications such as secure dark pools, we focus on designing honest-majority MPC protocols with a small number of parties that provide the strongest security of GOD.

Traditional GOD does not suffice. Most GOD protocols in the literature [11, 12, 15, 36] rely on an honest party identified as the trusted third party (TTP) to carry out the computation if misbehavior is detected. Elaborately, the parties entrust the TTP with their inputs, which carries out the computation and delivers the output to all. According to the standard security definition, this leakage of inputs towards a TTP is not considered a privacy breach. This is because the TTP is deemed to be honest and the goal is to protect against information leakage towards an adversary. However, entrusting a TTP with all the inputs may not be acceptable in real-world applications. Specifically, in the case of a dark pool, this is equivalent to having a central broker who learns all the inputs and is trusted to perform the matching. This defeats the purpose of employing an MPC protocol, as one of the goals of a secure dark pool system is to hide the trade from every single party since it contains highly sensitive information of the client.

Another drawback of traditional MPC protocols is the view leakage attack. While executing an MPC protocol, nothing prevents an adversary from sending its view, which consists of the view of $t$ corrupt parties, to an honest party. This is not treated as an attack in the traditional security definition, since an honest party is expected to discard non-protocol messages, unlike a semi-honest one¹. However, if this honest party turns rogue in the future, the party can obtain all the information about the submitted trade requests in the system. This holds because it would now possess information with respect to $t + 1$ parties ($t$ views received from the adversary and its own view), which suffices to obtain the underlying secret information. This, too, goes against the goal of providing trade secrecy expected in the system.

¹ A semi-honest adversary follows the protocol specification but always tries to learn more information than it is entitled to.

To address these drawbacks of the traditional MPC security definition, Alon et al. [1] propose a new definition, called MPC with Friends and Foes (FaF). This definition requires honest parties' inputs to be protected against not only the adversary (foes), but also from quorums of other honest parties (friends). This is modeled by a decentralized adversary which comprises two different non-colluding adversaries– (i) a malicious adversary that corrupts any subset of at most $t$ out of $n$ parties, (ii) a semi-honest adversary that corrupts any subset of at most $h^\star$ out of the remaining $n - t$ parties. A protocol secure against such an adversary is said to be $(t, h^\star)$-FaF secure. Further, the FaF model requires security to hold even when an adversary sends its view to other parties, thereby closely modeling our need. Hence, departing from the traditional MPC model, we identify the need to design FaF-secure MPC protocols for applications such as dark pools that deal with highly sensitive financial information that needs protection from all forms of misuse. As described earlier, existing lawsuits against dark pool operators showcase the temptation to misuse profitable information, thereby reasserting the need for stepping beyond traditional security. Further, our protocols are also secure in the mixed adversarial model², as described in §E.3.

² The mixed adversarial model is one where a single (centralized) adversary is allowed to corrupt $t$ parties maliciously and a disjoint subset of $h^\star$ parties semi-honestly.

Small-party honest-majority FaF model. Alon et al. [1] show that GOD can be achieved in the $(t, h^\star)$-FaF model iff $2t + h^\star < n$. Thus, obtaining GOD requires $n \geq 4$ for non-zero values of $t$ and $h^\star$. Since our focus is on MPC with a small number of parties, observe that instantiating $n = 4$ and $t = h^\star = 1$ provides the optimal threshold for 4 party computation (4PC) to achieve GOD. However, two corruptions result in a dishonest majority setting, which renders less efficient protocols than their honest majority counterparts. Hence, to design efficient protocols, we augment this setting with one additional honest party, and design 5PC protocols which are (1, 1)-FaF secure. We remark that while $(t, h^\star)$ can be instantiated with a varied range of values to attain GOD such that $2t + h^\star < 5$, we set $t = h^\star = 1$ because of the following reasons: (a) this results in an honest majority setting; (b) we believe that $h^\star = 1$ suffices for most practical applications since honest parties (friends) are unlikely to collude with each other (note that when $h^\star = 1$, the only possible value of $t$ is 1). We note that in the current setting of $n = 5$ and $t = h^\star = 1$, one could alternatively avoid the aforementioned weaknesses by deploying a traditional (5,2) maliciously secure protocol, since the latter protects against view leakage and also avoids reliance on a TTP when deployed in the presence of a single malicious party. However, since the traditional protocol is designed to cater to two malicious parties as opposed to one in our setting, it may lose out on performance. Hence, keeping efficiency for real-world applications at center stage, the objective is to leverage the presence of a semi-honest party to design customised efficient (1, 1)-FaF secure protocols. We note that a traditional $(n, t)$ malicious protocol is capable of protecting against the view leakage attack and avoids the reliance on a TTP as long as at most $t - 1$ parties are malicious.

1.1 Our contributions

(1, 1)-FaF secure 5PC. We observe that traditionally secure MPC providing GOD is a misfit for several sensitive real-world applications. This necessitates designing GOD protocols in the FaF-secure
model. Towards this, with efficiency in mind, we work over the ring $\mathbb{Z}_{2^\ell}$, both arithmetic and Boolean ($\ell = 1$), and design (1,1)-FaF secure 5PC protocols. The protocols are cast in the preprocessing model since it offloads heavy input-independent computations to a preprocessing phase, resulting in a fast input-dependent online phase. The highlight here is the multiplication which requires–(i) just three parties to be online for most of the computation and (ii) one round (amortized) and eight ring elements of communication in the online phase. The efficiency and resource management (involvement of only 3 parties for most of the computation) of the multiplication results in a concretely efficient 5PC framework. We concretely showcase the benefit of having a reduced number of online parties over a naive solution (all parties online) as well as the traditional (5, 2) maliciously secure protocol.

Building blocks and generality. We resort to a modular approach to design various building blocks, as shown in Fig. 1, where protocols in each layer build on those in the previous layers. Layer 0 forms the core MPC, with layers above it providing the building blocks. This constitutes our generic and comprehensive framework since it provides support for a wide range of building blocks that suffice for various applications. While these building blocks have been well studied in the literature, our contribution lies in designing and optimizing these for the 5PC (1,1)-FaF setting.

Figure 1: Designed (1, 1) FaF-secure 5PC framework

Applications and Benchmarks. The designed (1,1)-FaF secure 5PC is ideal for real-world applications that deal with highly sensitive information such as systems with financial transaction data [58], biometric data [62], allegations reported by victims or whistle-blowers [4, 39], personal health record data [27], etc. We consider two such applications to showcase the practicality of our framework.

(i) Dark pools: Although secure dark pools have been considered in the traditional MPC setting, we design improved protocols for the same in the 5PC (1,1)-FaF setting. Specifically, we optimize the continuous double auction (CDA) and volume-based matching algorithms. We identify several aspects of the matching algorithms that can be performed in parallel, which improves the efficiency of the designed protocols. We benchmark the performance of these secure matching algorithms and observe a throughput improvement of up to 62× in comparison to [16].

(ii) PPML: The designed building blocks have been extensively used in realizing privacy-preserving machine learning (PPML) [13, 18, 19, 36, 43, 45, 56], albeit in the traditional security model. Since PPML in itself is suitable for a wide range of application scenarios, we also demonstrate the practicality of the designed (1,1)-FaF secure 5PC for PPML. For this, we benchmark the performance of the designed protocols for secure inference using popular deep neural networks such as LeNet [40] and VGG16 [60].

1.2 Related Work

The work of [1] focuses on extending the standard security notion of MPC to the FaF-setting. In this regard, they provide both full-security as well as fairness variants in this new setting. They further provide a detailed investigation of various feasibility results and limitations in the FaF-setting. The (1,1)-FaF secure 5PC protocol designed in the current work forms the first concrete instantiation of a FaF-secure protocol, particularly as the optimal case for an honest-majority setting for a small number of parties. We therefore next discuss relevant secret sharing based MPC works that provide GOD in the small-party setting under the traditional security model. A concretely efficient protocol for achieving GOD was provided in [36], both for the 3PC and 4PC setting, which improved over the 4PC of [13] and the 3PC of [11]. Note that [13] in turn improved upon the GOD protocols in [32]. The work in [24] proposed 4PC protocols on par with [36], albeit with security of private robustness. However, the security guarantees of both SWIFT and [24] are known to be theoretically equivalent. The recent work of [37] provides an improved multiplication protocol over [36] in the 4PC setting. The improvement is seen in the preprocessing phase, where [37] requires only 2 ring elements as opposed to 3. While there are no protocols explicitly designed for 5PC that attain GOD, [12] provides protocols for the $n$-party setting, from which a 5PC protocol can be derived. The work of [14] attains GOD in the 5PC setting, albeit relying on garbled circuits.

Organization. We describe the preliminaries and threat model in §2. The core (1, 1) FaF-secure 5PC is explained in §3. The building blocks follow in §4. Finally, the practicality of our framework is demonstrated through benchmarks for dark pools and PPML, together with improved dark pool algorithms, in §5.

2 PRELIMINARIES

Threat model. We design protocols that comprise five parties $\mathcal{P} = \{P_1, P_2, \ldots, P_5\}$ that are connected via pairwise private and authentic channels in a synchronous network. Our protocols are FaF-secure with a static, malicious probabilistic polynomial time (PPT) adversary that can corrupt up to one party, and a different semi-honest adversary that can corrupt at most one other party. We prove the security of our protocols in the standard real-world/ideal-world paradigm. The security definition as per this paradigm in the FaF model is recalled in Appendix §A.

All our primitives assume a one-time shared key setup to facilitate each subset of parties to generate common randomness among themselves. We model this as an ideal functionality $\mathcal{F}_{\mathsf{setup}}$ (Fig. 8), which can be instantiated with any FaF protocol in our setting (say using that of [1]). Several works [2, 3, 11, 13, 18, 19, 36, 43, 56] rely on such a setup. Therefore, the high-level protocols, either application protocols or general 5PC, start with such a setup phase which is done once and for all. The set of computing parties $\mathcal{P}$ may be equivalently represented as $\mathcal{P} = \{P_i, P_j, P_k, P_l, P_m\}$ for ease of presentation. Our protocol works over the ring $\mathbb{Z}_{2^\ell}$ (and $\mathbb{Z}_2$). We use fixed-point arithmetic (FPA) notation to represent decimal values, in signed 2's complement notation. Here, the most significant bit denotes the sign, the last $d$ bits represent the fractional part, and the remaining $\ell - d - 1$ bits denote the integer part. We let $\ell = 64$ and $d = 13$.

3 ROBUST (1, 1)-FAF SECURE 5PC

Our protocols are cast in the preprocessing model, where during an input-independent preprocessing phase, computationally heavy operations are carried out which pave the way for a fast input-dependent online phase. Our online phase requires active participation mostly from only three parties, $P_1, P_2, P_3$, while $P_4, P_5$ come online only for a short while, towards the end of the computation, for verification.

All the building blocks, except reconstruction which is robust, follow a common paradigm: either the protocol is successful or the protocol finds a conflicting pair of parties, CP, that includes the malicious party; in the latter case, the input shares amongst 5 parties are reshared amongst the 3 parties outside the conflict set, without affecting the secrets, and the computation is rerun amongst the 3 parties. Since the malicious party is already excluded, the 3-party protocol needs to be only semi-honest secure tolerating one corruption. To enable this paradigm, we employ a share-conversion primitive (see §3.5), which reshares the state of the 5 parties to the 3 parties, to continue computation with the latter. In any application protocol such as the secure matching, as soon as a CP is detected as a part of the computation, the rest of the execution switches to the 3-party computation (3PC). Note that any semi-honest 3PC framework that respects the secret-sharing semantics (replicated secret sharing) can be deployed (such as the 3PC of [3, 18]), and hence we treat the 3PC as a black-box.

The above paradigm of identifying a CP and completing the computation in a smaller subset of parties is mostly facilitated by a message-passing primitive invoked in the sharing and multiplication protocols (which in turn form the basis of all the building blocks). We introduce this primitive below, followed by our secret-sharing semantics. We then describe the protocols for input sharing, multiplication – which forms the core of all our constructions, followed by output reconstruction.

Joint message passing (jmp). This primitive enables two parties to send a common message to a third party such that the recipient either receives the correct message or, in case of an inconsistency in the received messages, a trusted third party (TTP) is identified [36]. The protocol involves one sender sending the value, while the other sends its hash to the receiver, who then compares the received values; in case of an inconsistency, the parties proceed to identify a TTP, who then completes the computation of the MPC in the clear after receiving inputs from the parties. As opposed to the protocol of SWIFT [36], we cannot use a TTP in the same way in the (1, 1)-FaF setting as the TTP learns all the inputs. Thus, we modify the jmp protocol in [36] to adapt it to the (1, 1)-FaF setting as follows– in case of an inconsistency, we modify jmp to output a pair of parties in conflict, one of which is guaranteed to be maliciously corrupt, instead of identifying a TTP. Note that the jmp protocol consists of two phases (send, verify). The send phase consists of one of the two senders, denoted as the speaker party, sending the message to the receiver, while the other sender party, referred to as the silent party, keeps quiet. This distinction between the speaker and a silent party is made only for the send phase. The verify phase comprises all the other steps of the jmp protocol, and either confirms that message delivery to the recipient was a success or identifies a conflict pair, CP. Looking ahead, our protocols rely on several invocations of jmp. Hence, to leverage amortization, in most cases, the send phase is executed on the fly, and the verify phase is deferred to a later stage. This deferring of verify brings significant challenges in our protocols such as multiplication. A part of our novelty comes from handling these challenges. Fig. 9 details the modified ($\Pi_{\mathsf{jmp}}$) protocol.

We say $P_i, P_j$ jmp-send msg to $P_k$ when they invoke only the send phase of $\Pi_{\mathsf{jmp}}(P_i, P_j, P_k, \mathsf{msg})$. Without loss of generality, we let $P_i$ be the speaker and $P_j$ be the silent party. Since verification can be deferred, we say that $P_i, P_j$ jmp-vrfy towards $P_k$ when they invoke only the deferred verify phase corresponding to $\Pi_{\mathsf{jmp}}(P_i, P_j, P_k, \mathsf{msg})$. Finally, we say $P_i, P_j$ jmp-sv msg to $P_k$ when they invoke the complete $\Pi_{\mathsf{jmp}}(P_i, P_j, P_k, \mathsf{msg})$ protocol and execute both the send and verify phases together. Note that the verify phase (both deferred and in-place) was described with respect to a single message. However, the details of improving the amortization (in both cases) by bundling together the verify across several messages for a fixed ordered pair of senders and a given receiver are described in §B.1.

3.1 Secret sharing semantics

In the 5PC (1, 1)-FaF setting, a (semi-honest) adversary may be entitled to the view of at most two parties (itself and the malicious party). Thus, to ensure that the view of two parties does not leak any additional information, we rely on a (5, 2) replicated secret sharing (RSS) scheme and its variants. A value $\mathsf{v} \in \mathbb{Z}_{2^\ell}$ is said to be RSS-shared among 5 parties with threshold 2 if for every subset of two parties, say $\{P_i, P_j\}$, the residual three parties hold a share $\mathsf{v}_{ij} \in \mathbb{Z}_{2^\ell}$ such that $\mathsf{v} = \sum_{1 \le i < j \le 5} \mathsf{v}_{ij}$. Observe that since any set of two parties in $\mathcal{P}$ always misses one share of $\mathsf{v}$, they cannot reconstruct the value, whereas any three parties can. The total number of shares of a value is thus $\binom{5}{2} = 10$ and the RSS-share possessed by $P_s \in \mathcal{P}$ is a tuple of $\binom{4}{2} = 6$ shares $\mathsf{v}_{ij}$ where $s \ne i$, $s \ne j$ and $1 \le i < j \le 5$. With this background, we define our sharing semantics below.

$[\mathsf{v}]$ denotes that a value $\mathsf{v} \in \mathbb{Z}_{2^\ell}$ is $[\cdot]$-shared among parties in $\mathcal{P}$ if it is (5, 2) RSS-shared among them. We let $[\mathsf{v}]_s$ denote $P_s$'s $[\cdot]$-shares of $\mathsf{v}$. Note that $[\mathsf{v}]_s$ is a tuple of 6 elements and $[\mathsf{v}]$ is a tuple of 10 elements. $\langle \mathsf{v} \rangle$ denotes that a value $\mathsf{v} \in \mathbb{Z}_{2^\ell}$ is $\langle \cdot \rangle$-shared among parties in $\mathcal{P}$ if there exist $\mathsf{v}_1, \mathsf{v}_2, \mathsf{v}_3, \mathsf{v}_4, \mathsf{v}_5 \in \mathbb{Z}_{2^\ell}$ such that $\mathsf{v} = \mathsf{v}_1 + \mathsf{v}_2 + \mathsf{v}_3 + \mathsf{v}_4 + \mathsf{v}_5$ and $P_s \in \mathcal{P}$ possesses $\mathsf{v}_s$. Let $\langle \mathsf{v} \rangle = (\mathsf{v}_1, \mathsf{v}_2, \mathsf{v}_3, \mathsf{v}_4, \mathsf{v}_5)$. $\llbracket \mathsf{v} \rrbracket$ denotes that a value $\mathsf{v} \in \mathbb{Z}_{2^\ell}$ is $\llbracket \cdot \rrbracket$-shared among $\mathcal{P}$ if–(i) there exists $\alpha_{\mathsf{v}} \in \mathbb{Z}_{2^\ell}$ that is $[\cdot]$-shared among parties in $\mathcal{P}$, and (ii) there exists $\beta_{\mathsf{v}} \in \mathbb{Z}_{2^\ell}$ such that $\beta_{\mathsf{v}} = \mathsf{v} + \alpha_{\mathsf{v}}$ is held by all parties in $\mathcal{P}$. For a set of $n$ values $\{\mathsf{v}_1, \ldots, \mathsf{v}_n\}$, we let $\beta_{\mathsf{v}_1 \ldots \mathsf{v}_n} = \prod_{i=1}^{n} \beta_{\mathsf{v}_i}$ and $\alpha_{\mathsf{v}_1 \ldots \mathsf{v}_n} = \prod_{i=1}^{n} \alpha_{\mathsf{v}_i}$. We use the superscript B to denote the Boolean sharing over $\mathbb{Z}_2$, while the absence of it implies arithmetic sharing over $\mathbb{Z}_{2^\ell}$. All the above sharing schemes are linear, i.e., given shares of $\mathsf{v}_1, \mathsf{v}_2$, and public constants $c_1, c_2$, parties can locally compute the shares of $c_1 \mathsf{v}_1 + c_2 \mathsf{v}_2$.

Conversion between $\llbracket \cdot \rrbracket$ and $[\cdot]$ shares during preprocessing. Given $[\mathsf{v}]$, protocol $\Pi_{[\cdot] \to \llbracket \cdot \rrbracket}$ generates $\llbracket \mathsf{v} \rrbracket$ from it by setting $\beta_{\mathsf{v}} = 0$ and $[\alpha_{\mathsf{v}}] = -[\mathsf{v}]$. Conversely, $\Pi_{\llbracket \cdot \rrbracket \to [\cdot]}$ generates $[\mathsf{v}]$ from $\llbracket \mathsf{v} \rrbracket$. For this, parties set $\mathsf{v}_{12} = \beta_{\mathsf{v}} - \alpha_{\mathsf{v}_{12}}$ while $\mathsf{v}_{ij} = -\alpha_{\mathsf{v}_{ij}}$ for $1 \le i < j \le 5$, $(i, j) \ne (1, 2)$.

3.2 Input sharing

Protocol $\Pi_{\mathsf{sh}}$ enables $P_i \in \mathcal{P}$ holding a value $\mathsf{v} \in \mathbb{Z}_{2^\ell}$ to generate $\llbracket \mathsf{v} \rrbracket$. For this, parties generate $[\cdot]$-shares of a random value $\alpha_{\mathsf{v}} \in \mathbb{Z}_{2^\ell}$ in the preprocessing phase, non-interactively, using their shared
key setup such that the dealer $P_i$ learns all the $[\cdot]$-shares of $\alpha_{\mathsf{v}}$. This enables $P_i$ to compute $\beta_{\mathsf{v}} = \mathsf{v} + \alpha_{\mathsf{v}}$ in the online phase and jmp-sv it to all the parties. The protocol appears in Fig. 10. The protocol for generating $[\cdot]$-shares of $\mathsf{v} \in \mathbb{Z}_{2^\ell}$ is similar to the above and formal details appear in Fig. 11. Protocol $\Pi_{\mathsf{JSh2}}$ is a variant of input sharing $\Pi_{\mathsf{sh}}$, which enables two parties $P_i, P_j$ to jointly generate $\llbracket \cdot \rrbracket$-shares of a value $\mathsf{v} \in \mathbb{Z}_{2^\ell}$ known to both. Looking ahead, this protocol is heavily used in designing the building blocks, and is similar to $\Pi_{\mathsf{sh}}$. Here, during the preprocessing phase parties generate $[\alpha_{\mathsf{v}}]$ for $\alpha_{\mathsf{v}} \in \mathbb{Z}_{2^\ell}$ such that $P_i, P_j$ learn all its shares. Following this, $P_i, P_j$ generate and jmp-send $\beta_{\mathsf{v}} = \mathsf{v} + \alpha_{\mathsf{v}}$ towards all the other parties with its jmp-vrfy deferred. The protocol appears in Fig. 12 and other optimizations are deferred to §B.3.

3.3 Multiplication

The multiplication protocol $\Pi_{\mathsf{mult}}$ allows parties to compute $\llbracket \mathsf{z} \rrbracket = \llbracket \mathsf{a} \cdot \mathsf{b} \rrbracket$, where $\mathsf{a}, \mathsf{b} \in \mathbb{Z}_{2^\ell}$ are $\llbracket \cdot \rrbracket$-shared. The highlight of our protocol is that it requires a single online round for evaluating a multiplication gate and requires active participation from only three parties for most of the computation. The protocol proceeds as follows. In the preprocessing phase, parties first generate $[\alpha_{\mathsf{z}}]$, $\alpha_{\mathsf{z}} \in \mathbb{Z}_{2^\ell}$, non-interactively, using their shared key setup. To generate $\llbracket \mathsf{z} \rrbracket$, parties need to compute $\beta_{\mathsf{z}}$, which can be written as follows:

$$\beta_{\mathsf{z}} = \mathsf{z} + \alpha_{\mathsf{z}} = \mathsf{a}\mathsf{b} + \alpha_{\mathsf{z}} = (\beta_{\mathsf{a}} - \alpha_{\mathsf{a}})(\beta_{\mathsf{b}} - \alpha_{\mathsf{b}}) + \alpha_{\mathsf{z}} = \beta_{\mathsf{ab}} - \beta_{\mathsf{a}}\alpha_{\mathsf{b}} - \beta_{\mathsf{b}}\alpha_{\mathsf{a}} + \alpha_{\mathsf{ab}} + \alpha_{\mathsf{z}},$$

where $\beta_{\mathsf{ab}} = \beta_{\mathsf{a}}\beta_{\mathsf{b}}$ and $\alpha_{\mathsf{ab}} = \alpha_{\mathsf{a}}\alpha_{\mathsf{b}}$. Observe that parties already possess $\beta_{\mathsf{a}}, \beta_{\mathsf{b}}$ and $[\cdot]$-shares of $\alpha_{\mathsf{a}}, \alpha_{\mathsf{b}}, \alpha_{\mathsf{z}}$. Assuming that $[\alpha_{\mathsf{ab}}]$ is also made available, parties can compute $[\beta_{\mathsf{z}}]$, leveraging the linearity of $[\cdot]$-sharing. We discuss how to generate $[\alpha_{\mathsf{ab}}]$ in the preprocessing phase later and focus on the remaining steps assuming that $[\alpha_{\mathsf{ab}}]$ is given. Now, $\beta_{\mathsf{z}}$ can be reconstructed towards all the parties, thereby generating $\llbracket \mathsf{z} \rrbracket$. This reconstruction towards $P_i \in \mathcal{P}$ can be performed using just two invocations of $\Pi_{\mathsf{jmp}}$ as follows. The four shares missing at $P_i$, namely $\{\beta_{\mathsf{z}_{ij}}, \beta_{\mathsf{z}_{ik}}, \beta_{\mathsf{z}_{il}}, \beta_{\mathsf{z}_{im}}\}$, are sent to it as– $P_j, P_k$ jmp-sv $\{\beta_{\mathsf{z}_{il}} + \beta_{\mathsf{z}_{im}}\}$ while $P_l, P_m$ jmp-sv $\{\beta_{\mathsf{z}_{ij}} + \beta_{\mathsf{z}_{ik}}\}$.

Towards an efficient online phase. The above approach requires all parties to be online. However, observe that $P_1, P_2, P_3$ possess the required shares to compute the entire function. Hence, to reduce the number of active parties in the online phase, whenever

the send phase of jmp where only the speaker party communicates) is needed for reconstructing each $\beta$ among the online parties. Observe that the following two issues may arise while executing the above approach– (a) correctness: $\beta_{\mathsf{z}}$ reconstructed among online parties $P_1, P_2, P_3$ may be incorrect; (b) agreement: online parties may not be in agreement with respect to the $\beta_{\mathsf{z}}$ they hold, let alone hold the correct $\beta_{\mathsf{z}}$. Both the issues arise since only the send phase of jmp is executed among the online parties while reconstructing $\beta_{\mathsf{z}}$, which may lead to incorrect reconstruction among them. We next describe how both these issues can be addressed in the verification phase. Looking ahead, resolution of both issues either results in successfully completing the protocol, or in identification of a CP. In the latter case, parties switch to 3PC (after share conversion) for the rest of the computation.

(a) Ensuring correctness. Correctness of the $\beta_{\mathsf{z}}$ reconstructed towards the online parties can be enforced by executing the jmp-vrfy towards them, and requires $P_4, P_5$. For this, $P_4, P_5$ should possess the correct inputs used for generating $\beta_{\mathsf{z}}$, which may themselves be outputs, $\beta_{\mathsf{a}}, \beta_{\mathsf{b}}$, of multiplications. As mentioned earlier, $P_4, P_5$ receive all these $\beta$s in a single invocation of jmp-sv from $P_1, P_2$ just before output reconstruction. However, $P_1, P_2$ may not be in agreement with respect to these $\beta$s due to incorrect reconstruction of the same. Performing jmp when the senders are not in agreement with respect to the value being sent may result in incorrectly identifying a pair of honest parties as a CP (conflict pair). This necessitates a consistency check to ensure that $P_1, P_2$ are in agreement, and is discussed later. Hence, assuming $P_1, P_2$ are in agreement after this consistency check, they proceed to jmp-sv $\beta$s for all these multiplications to $P_4, P_5$. If this jmp-sv towards $P_4, P_5$ succeeds (i.e., no CP identified), verification of $\beta$s, reconstructed among the online parties, is performed. This is done by invoking deferred jmp-vrfy corresponding to all the jmp-send performed among the online parties. The success of all the verify phases guarantees the correctness of $\beta$s. In case any verify fails, a CP is identified.

(b) Ensuring agreement. We now describe the consistency check mentioned above. In order to ensure agreement among online parties $P_1, P_2, P_3$, they exchange the hash of $\beta$s for all the multiplications among themselves. If these are consistent, then they proceed with the correctness check as described above. If the consistency
multiplication is invoked, we restrict the reconstruction of 𝛽 z only check fails, the goal is to identify a CP. Observe that the check
towards the online parties, 𝑃1, 𝑃2, 𝑃3 (but without the correctness may fail due to one of the following reasons: (i) an incorrect 𝛽
guarantee), and defer reconstruction towards 𝑃4, 𝑃5 to a later point. was reconstructed towards some honest online party which led
Thus, only the jmp-send with respect to following 6 jmps are to sending an incorrect hash during the check, or (ii) an incorrect
invoked– Π jmp (𝑃2, 𝑃4, 𝑃1, 𝛽 z 13 + 𝛽 z 15 ), Π jmp (𝑃3, 𝑃5, 𝑃1, 𝛽 z 12 + 𝛽 z 14 ), hash was deliberately sent. Note that case (i) arises if a malicious
Πjmp (𝑃1, 𝑃 4, 𝑃 2, 𝛽 z 23 + 𝛽 z 25 ), Πjmp (𝑃3, 𝑃 5, 𝑃 2, 𝛽 z 12 + 𝛽 z 24 ), online party misbehaved during a jmp-send performed at some
Πjmp (𝑃1, 𝑃4, 𝑃3, 𝛽 z 23 + 𝛽 z 35 ), Πjmp (𝑃2, 𝑃5, 𝑃3, 𝛽 z 13 + 𝛽 z 34 ). Recall level (layer in the circuit comprising addition and multiplication
that since only the send of jmp is performed, the silent parties, gates.) during circuit evaluation. Hence, performing the jmp-vrfy
𝑃4, 𝑃5 , can remain offline. To complete the generation of JzK, and of this particular jmp-send can identify a CP and address case (i).
enable 𝑃4, 𝑃5 to obtain 𝛽 z , we let 𝑃1, 𝑃2 jmp-sv 𝛽 z to 𝑃4, 𝑃5 . We can A keen observer would note the circularity involved in addressing
defer this step until output reconstruction stage, where 𝛽s cor- the agreement issue by relying on verify of jmp (to identify a CP).
responding to all the invocations of multiplication until output The circularity arises due to the following reason. jmp-vrfy towards
reconstruction are sent in a single round. Deferring the send of 𝑃1, 𝑃2, 𝑃3 requires 𝑃4, 𝑃5 to hold consistent 𝛽. Since 𝑃4, 𝑃5 receive
𝛽 z to after output reconstruction, may result in incorrectly recon- the 𝛽 via jmp-sv from 𝑃1, 𝑃2 , it requires the latter to already be in
structing z. With this approach, evaluating multiplications requires agreement, and hence the circularity. To break the circularity, on-
participation from only the online parties (𝑃1, 𝑃2, 𝑃3 ) for most of line parties rely on a binary search of levels within the circuit. The
the computation and offline parties (𝑃4, 𝑃5 ) become active only be- search identifies consecutive levels 𝐿𝑝 , 𝐿𝑝+1 such that all 𝛽s up to
fore output reconstruction. Further, only a single round (owing to level 𝐿𝑝 are consistently held among 𝑃 1, 𝑃2, 𝑃3 while 𝐿𝑝+1 onwards
5
Nishat Koti, Varsha Bhat Kukkala, Arpita Patra, Bhavish Raj Gopal

they are inconsistent. The consistency of the 𝛽s up to L_p thus enables usage of jmp. For the binary search, parties exchange the hash with respect to the 𝛽s in the first (top) half of the circuit, say the first max/2 levels (where max denotes the number of levels in the circuit). If the hash is inconsistent, they recursively proceed with the first half (L_1 to L_{max/2}); else, if it is consistent, they proceed with the second half (L_{max/2+1} to L_max). In this way, they recursively operate on the appropriate half that has an inconsistent hash to identify L_p, L_{p+1}. Note that one is guaranteed to identify such L_p, L_{p+1}, since the above recursion terminates and at least the first level in the circuit is guaranteed to be consistent and correct, owing to the correctness of the input sharing.

On identifying levels L_p and L_{p+1}, P1, P2 jmp-sv all the 𝛽s up to level L_p to P4, P5. This is followed by the deferred jmp-vrfy towards P1, P2, P3 for all 𝛽s up to level L_{p+1}. If no CP is identified during any of the verify phases, it implies case (ii), and hence honest online parties are guaranteed to be in agreement with respect to the correct 𝛽s up to level L_{p+1}. Thus, the correct hash that should have been sent at level L_{p+1} in the binary search can be computed locally (using the 𝛽s) and matched against the hashes received from the others. This determines the corrupt party that deliberately sent an incorrect hash. This corrupt party, together with another honest party, is identified as a CP. Note that the binary search can terminate with the last level being identified as L_p. This happens when circuit evaluation is correct, but the malicious party deliberately sends an incorrect hash in the consistency check and behaves honestly in the binary search. L_p being the last level implies that honest parties are guaranteed to be in agreement with respect to all 𝛽s. Hence, the corrupt party can be identified as the party who sent an incorrect hash in the consistency check. Similar to above, the CP can thus be formed.

Generating [𝛼_ab]. Since [𝛼_a], [𝛼_b] are available in the preprocessing phase, [𝛼_ab] can be computed there. For obtaining [𝛼_ab], we rely on a robust (1, 1)-FaF secure multiplication protocol for 5PC which works on [·]-shares (RSS shares), and is abstracted out as a functionality, F_MulPre, in Fig. 34. To leverage amortization, we preprocess several multiplication triples in a single shot. Hence, F_MulPre is defined with respect to several triples. We instantiate F_MulPre using a variant of the protocol of [12] for the 5-party setting. Similar to the original protocol, the modified protocol involves performing a 5PC semi-honest multiplication followed by a verification phase to check the correctness of the semi-honest execution. The difference lies in the steps performed when verification fails and outputs a pair of conflicting parties. In such a case, we eliminate the pair of parties, and the computation proceeds via semi-honest 3PC (since there is at most one malicious party in our case), unlike the malicious 3PC used in the original protocol. The verification phase relies on the distributed zero-knowledge proof system of [10], and is designed such that its communication cost gets amortized over multiple instances of multiplication. Thus, the amortized communication cost of this 5PC protocol is the same as that of the semi-honest protocol. The original protocol [12] is secure according to the standard definition of security. We prove that the modified variant, for 5PC, is secure in the (1, 1)-FaF model. We refer readers to §F for details. Our multiplication protocol appears in Fig. 2.

To showcase all the cases handled and improve the readability of our algorithm, we also provide a flowchart of the verification phase in Fig. 3. The green arrows denote the steps that lead to successful circuit evaluation and also showcase the correctness of our protocol. The flow where one of the offline parties is malicious is trivial and follows from the verify of jmp towards parties P1, P2, P3 in the verification phase.

Protocol Π_mult(P, ⟦a⟧, ⟦b⟧)

Preprocessing: Non-interactively generate [·]-shares of a random 𝛼_z ∈ Z_{2^ℓ}, using the shared-key setup. Invoke F_MulPre on [𝛼_a], [𝛼_b] (Fig. 34) to generate [𝛼_ab].

Online:
– Compute [𝛽′] = −𝛽_a [𝛼_b] − 𝛽_b [𝛼_a] + [𝛼_ab] + [𝛼_z].
– Send missing [𝛽′]-shares to P1, P2, P3: (a) P2, P5 jmp-send 𝛽′^{13} + 𝛽′^{14} to P1, while P3, P4 jmp-send 𝛽′^{12} + 𝛽′^{15} to P1; (b) P1, P5 jmp-send 𝛽′^{23} + 𝛽′^{24} to P2, while P3, P4 jmp-send 𝛽′^{12} + 𝛽′^{25} to P2; (c) P1, P4 jmp-send 𝛽′^{23} + 𝛽′^{35} to P3, while P2, P5 jmp-send 𝛽′^{13} + 𝛽′^{34} to P3.
– P1, P2, P3 reconstruct 𝛽′ and compute 𝛽_z = 𝛽′ + 𝛽_ab.

One-time Verification (for entire circuit): Let M be the set of all 𝛽_z where each z is the output of a multiplication in the circuit. Parties do the following.
– P_i ∈ {P1, P2, P3} computes the hash H_i = H(𝛽_z1, …, 𝛽_z|M|), where 𝛽_zj ∈ M, and they mutually exchange it among themselves.
– P_i ∈ {P1, P2, P3} broadcasts an inconsistency bit b to indicate whether all the obtained hashes are consistent (b = 0) or not (b = 1).
– If all parties in {P1, P2, P3} broadcast b = 0, then (a) P1, P2 jmp-sv all 𝛽_z ∈ M to P4, P5; (b) if this jmp-sv succeeds (i.e., no CP is identified), then parties perform the deferred jmp-vrfy with respect to all 𝛽_z ∈ M.
– Else, if some P_i ∈ {P1, P2, P3} broadcasts b = 1, then
  ◦ Each P_i ∈ {P1, P2, P3} broadcasts H_i.
  ◦ If for any P_i ∈ {P1, P2, P3}, the hash broadcast by some party P_j does not match the hash P_i received from P_j on the point-to-point channel, then P_i broadcasts its complaint against P_j. Parties set CP = (P_i, P_j), where P_i is the party with the least index that complained, and terminate.
  ◦ If a CP was not identified via a complaint, then
    - Let H_i^{L_s} denote the hash computed by P_i ∈ {P1, P2, P3} on all 𝛽_z up to level L_s in the circuit.
    - P1, P2, P3 perform a binary search to identify a pair of consecutive levels L_p, L_{p+1} in the circuit such that H_i^{L_p} is consistent, but H_i^{L_{p+1}} is inconsistent.
    - P1, P2 jmp-sv 𝛽_z up to level L_p to P4, P5. If the jmp-sv is a success, then parties perform the deferred jmp-vrfy with respect to all 𝛽_z up to level L_{p+1}. If the jmp-vrfy is a success, P_i matches its hash H_i^{L_{p+1}} against the hashes received to identify the party that sent an incorrect H^{L_{p+1}}. P_i broadcasts the identity of this corrupted party P★ to all parties in P. All parties set CP = (P_i, P★), where P_i is the party with the least index.
    - If L_p is the same as the last level in the segment, then P_i ∈ {P1, P2, P3} matches its hash H_i against the hashes received to identify the party that sent an incorrect H in the first consistency check. P_i broadcasts the identity of this corrupted party P★ to all parties in P. All parties set CP = (P_i, P★), where P_i is the party with the least index.

Figure 2: Multiplication protocol
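The sharing semantics and the single online round of Π_mult can be checked with a small simulation. The Python below is an added example written for this edit, not the paper's code or implementation: all five parties run in one process, a jmp-send is a dictionary write, jmp-vrfy is not simulated, and the preprocessing functionality F_MulPre is replaced by a trusted dealer that hands out [𝛼_a 𝛼_b]. The jmp table is the one from the "Send missing [𝛽′]-shares" step of Fig. 2; check_jmp_table verifies, from the share-holding rule alone, that each sender pair actually holds both shares it sums and that the two sums cover exactly the receiver's four missing shares.

```python
# Added example (not the paper's code): single-process simulation of the
# augmented (5,2)-RSS sharing of PentaGOD and of the online phase of the
# multiplication protocol of Sec. 3.3 / Fig. 2.  Share x_ij (1 <= i < j <= 5)
# is held by every party except P_i and P_j, so each party misses exactly
# four shares and every share has three holders.  jmp-send is modelled as a
# direct write into the receiver's view; jmp-vrfy is not simulated.
import secrets

L = 64
MASK = (1 << L) - 1
PAIRS = [(i, j) for i in range(1, 6) for j in range(i + 1, 6)]   # 10 share indices
ALL = frozenset(range(1, 6))


def holders(ij):
    """Parties holding share x_ij: everyone except P_i and P_j."""
    return ALL - set(ij)


def rss_share(x):
    """[x]: ten additive shares over Z_{2^L}, keyed by (i, j)."""
    sh = {ij: secrets.randbelow(1 << L) for ij in PAIRS[:-1]}
    sh[PAIRS[-1]] = (x - sum(sh.values())) & MASK
    return sh


def rss_open(sh):
    return sum(sh.values()) & MASK


def jk_share(v):
    """<<v>> = (beta_v, [alpha_v]) with v = beta_v - alpha_v; beta_v is public."""
    alpha = rss_share(secrets.randbelow(1 << L))
    return (v + rss_open(alpha)) & MASK, alpha


# The six jmp-sends of Fig. 2, step "Send missing [beta']-shares":
# receiver -> [(share_1, share_2, sender pair), ...]
JMPS = {
    1: [((1, 3), (1, 4), (2, 5)), ((1, 2), (1, 5), (3, 4))],
    2: [((2, 3), (2, 4), (1, 5)), ((1, 2), (2, 5), (3, 4))],
    3: [((2, 3), (3, 5), (1, 4)), ((1, 3), (3, 4), (2, 5))],
}


def check_jmp_table(table=JMPS):
    """Both senders must hold both summed shares, the receiver must miss them,
    and the two sums must cover exactly the receiver's four missing shares."""
    for p, sends in table.items():
        covered = []
        for s1, s2, senders in sends:
            for ij in (s1, s2):
                if p in holders(ij) or not set(senders) <= holders(ij):
                    return False
            covered += [s1, s2]
        if sorted(covered) != sorted(ij for ij in PAIRS if p in ij):
            return False
    return True


def mult_online(a_sh, b_sh, alpha_z, alpha_ab, table=JMPS):
    """One online round of Pi_mult.  Every party computes its shares of
    beta' = -beta_a[alpha_b] - beta_b[alpha_a] + [alpha_ab] + [alpha_z]
    locally; each online party receives its four missing shares as two sums
    via jmp-send and outputs beta_z = beta' + beta_a*beta_b."""
    beta_a, alpha_a = a_sh
    beta_b, alpha_b = b_sh
    beta_p = {ij: (-beta_a * alpha_b[ij] - beta_b * alpha_a[ij]
                   + alpha_ab[ij] + alpha_z[ij]) & MASK for ij in PAIRS}
    result = {}
    for p, sends in table.items():
        total = sum(beta_p[ij] for ij in PAIRS if p in holders(ij))  # own view
        for s1, s2, _senders in sends:
            total += (beta_p[s1] + beta_p[s2]) & MASK               # jmp-send
        result[p] = (total + beta_a * beta_b) & MASK
    return result


def demo(a, b):
    """Share a, b; run preprocessing (F_MulPre modelled as a trusted dealer
    producing [alpha_a * alpha_b]) and the online round.  Returns the opened
    product and whether P1, P2, P3 agree on beta_z."""
    a_sh, b_sh = jk_share(a & MASK), jk_share(b & MASK)
    alpha_z = rss_share(secrets.randbelow(1 << L))
    alpha_ab = rss_share((rss_open(a_sh[1]) * rss_open(b_sh[1])) & MASK)
    betas = mult_online(a_sh, b_sh, alpha_z, alpha_ab)
    z = (betas[1] - rss_open(alpha_z)) & MASK                        # z = beta_z - alpha_z
    return z, len(set(betas.values())) == 1


if __name__ == "__main__":
    print(check_jmp_table(), demo(123456789, 987654321))
```

Replacing JMPS with the six jmps listed in the prose of §3.3 (which use a different but equally valid split of the missing shares) makes check_jmp_table pass as well; any table that fails it would let an honest receiver miss or double-count a share.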
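The binary search of the verification phase is easy to get wrong (off-by-one on the level boundary, or forgetting the all-consistent case). The following Python is an added example, not part of the paper: it builds constructed per-level 𝛽 views for P1, P2, P3, defines H_i^{L_s} as a SHA-256 over all 𝛽s up to level L_s, locates L_p, L_{p+1} with one hash exchange per halving, and, once the 𝛽s up to that level are taken as verified, names the party whose hash disagrees with the other two. The circuit sizes and the SHA-256 choice are the example's assumptions.

```python
# Added example (not the paper's code): the level-wise consistency check and
# binary search of Sec. 3.3(b) / Fig. 2, run on constructed per-level betas.
# Each online party P_i holds the betas it reconstructed, one list per level;
# H_i^{L_s} is the hash of every beta on levels 1..L_s.  The search locates
# consecutive levels L_p, L_{p+1} with H^{L_p} consistent and H^{L_{p+1}} not,
# using one hash exchange per halving instead of one per level.
import hashlib
import random


def prefix_hash(view, upto):
    """H_i^{L_upto}: hash of all betas on levels 1..upto.  `view` is a list of
    per-level lists of 64-bit values; index 0 is level 1."""
    h = hashlib.sha256()
    for level in view[:upto]:
        h.update(b"".join(beta.to_bytes(8, "little") for beta in level))
    return h.digest()


def consistent(views, upto):
    """True iff P1, P2, P3 would exchange identical hashes for levels 1..upto."""
    return len({prefix_hash(v, upto) for v in views.values()}) == 1


def find_boundary(views, max_level):
    """Returns (L_p, L_{p+1}, rounds): the last consistent level, the first
    inconsistent level (None when the whole segment is consistent, i.e. L_p
    is the last level and the wrong hash in the first check was deliberate),
    and the number of hash-exchange rounds spent."""
    rounds = 1
    if consistent(views, max_level):
        return max_level, None, rounds
    lo, hi = 0, max_level                 # level 0 = input sharing, always consistent
    while hi - lo > 1:
        mid = (lo + hi) // 2
        rounds += 1
        if consistent(views, mid):
            lo = mid                      # first half agrees: continue in the second half
        else:
            hi = mid                      # disagreement already inside the first half
    return lo, hi, rounds


def odd_one_out(views, upto):
    """Party whose H^{L_upto} disagrees with the other two, or None.  With at
    most one malicious online party the two honest hashes always agree, so
    once the betas up to `upto` are verified the odd hash pins the sender."""
    hashes = {p: prefix_hash(v, upto) for p, v in views.items()}
    for p, h in hashes.items():
        if list(hashes.values()).count(h) == 1:
            return p
    return None


def make_views(depth, width, bad_party=None, bad_level=None, seed=7):
    """Constructed test data: `depth` levels of `width` multiplications with
    pseudo-random betas.  If bad_party is set, that party's view has one beta
    flipped on bad_level and on every later level (a wrong beta propagates)."""
    rng = random.Random(seed)
    honest = [[rng.getrandbits(64) for _ in range(width)] for _ in range(depth)]
    views = {p: [lvl[:] for lvl in honest] for p in (1, 2, 3)}
    if bad_party is not None:
        for lvl in range(bad_level - 1, depth):
            views[bad_party][lvl][0] ^= 1
    return views


if __name__ == "__main__":
    v = make_views(1000, 10, bad_party=1, bad_level=617)
    print(find_boundary(v, 1000), odd_one_out(v, 617))
```

For a 1000-level circuit the search needs 11 hash exchanges (one for the whole segment plus ten halvings) regardless of where the first bad level sits, which is the O(log max) cost the text relies on to break the circularity.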
Figure 3: Flow of verification phase when online party is malicious. [Flowchart; node labels as recoverable from the figure: Consistency check (to ensure P1, P2 are in agreement). On check success: Updating P4, P5 (P1, P2 jmp-sv all); jmp-vrfy fail → CP identified via jmp-vrfy; jmp-vrfy success → Deferred jmp-vrfy (verify all used by P1, P2, P3); jmp-vrfy fail → CP identified via jmp-vrfy; jmp-vrfy success → circuit evaluation successful. On check fail: Broadcast hash (to check if hash sent on P2P is a match); mismatch → CP identified via complaint; no mismatch → Binary search (to find L_p and L_{p+1}); found → Updating P4, P5 (P1, P2 jmp-sv all up to L_p); jmp-vrfy fail → CP identified via jmp-vrfy; jmp-vrfy success → Deferred jmp-vrfy (verify all used by P1, P2, P3 up to level L_{p+1}); jmp-vrfy fail → CP identified via jmp-vrfy; jmp-vrfy success → CP identified via broadcast of corrupt P★. L_p is last level → CP identified via broadcast of corrupt P★.]

3.4 Reconstruction

Protocol Π_rec enables robust reconstruction of a ⟦·⟧-shared value v towards P_i. For this, observe that each party misses 4 shares, and each such share is held by three other parties. Thus, to reconstruct v towards P_i, parties can send the missing shares to P_i. For each share, P_i uses the value which appears in the majority to reconstruct v. As an optimization, we let two parties send the value while the third sends its hash to P_i. The protocol appears in Fig. 13.

3.5 The complete 5PC

We give an overview of the execution of 5PC for computing any function. The complete protocol can be divided into three stages: input sharing, evaluation, and output reconstruction. Each stage is further cast in the preprocessing model, which comprises a preprocessing phase and an online phase. The protocol execution is preceded by a one-time shared key setup and begins by executing the preprocessing phase for each of the three stages. Note that protocols in each of these stages rely on several invocations of jmp. Thus, they either complete successfully or, in case of misbehaviour, a conflict pair CP is identified. To leverage amortization, only the send of all jmps is run on the fly while all verify steps are deferred until output reconstruction. Recall that identification of a CP calls for rerunning the protocol via 3PC. Thus, deferring verification until output reconstruction would result in the worst-case cost of executing both 5PC and 3PC. To avoid this, a possible optimization is to divide the computation of the circuit into segments³, with a checkpoint placed at the end of each segment. Computation carried out in a segment can be verified at each checkpoint. In this way, if a CP is identified in any segment, computation of this segment restarts with a 3PC execution. For this, a share conversion is performed to convert shares from 5PC to 3PC. The details of the same are provided next. All the subsequent segments can then be evaluated via the 3PC. The complete protocol appears in Fig. 4 and proofs in §E.

³A circuit is sliced depth-wise into segments comprising multiple levels/layers.

Protocol 5PC−FaF

One-time shared key setup is performed to generate common PRF keys which can be used to generate correlated randomness.

Preprocessing Phase:
– For each input gate u, parties execute the preprocessing phase of Π_sh to obtain [𝛼_u].
– For each addition gate with input wires u, v and output wire w, parties locally compute [𝛼_w] = [𝛼_u] + [𝛼_v].
– For each multiplication gate with input wires u, v and output wire w, parties execute the preprocessing phase of Π_mult to obtain [𝛼_w], [𝛼_uv].

Online Phase:
– For each input v held by a party, parties invoke the online phase of Π_sh to generate ⟦v⟧.
– For each addition gate with input wires u, v and output wire w, parties locally compute ⟦w⟧ = ⟦u⟧ + ⟦v⟧.
– For each multiplication gate with input wires u, v and output wire w, parties execute the online phase of Π_mult to generate ⟦w⟧.
– For each output gate, parties execute Π_rec to reconstruct output w towards the designated party.

Semi-honest 3PC: If a CP is identified at any step, perform share conversion and continue computation with semi-honest 3PC.

Figure 4: 5PC FaF Protocol

Share conversion. We describe the (3, 1) replicated secret sharing (RSS) semantics for a 3PC protocol, followed by the steps for share conversion, where the latter is similar to that described in [12], optimized for our setting. Let P′ = {P′_0, P′_1, P′_2} denote the three parties. Let v = v_0 + v_1 + v_2, where P′_i holds the pair (v_i, v_{(i+2) mod 3}); these define a (3, 1) RSS scheme. Observe here that a value is split into three shares, each of which is held by two parties. Our goal is to convert from the 5PC ⟦·⟧-sharing (which is an augmented (5, 2)-RSS sharing with an additional 𝛽 held by all parties) to a (3, 1)-RSS sharing. The conversion proceeds as follows. Let P_i, P_j be the parties to be eliminated. The residual three parties are arbitrarily assigned the roles of P′_0, P′_1, P′_2. To generate the (3, 1)-RSS shares among the parties in P′ = P \ {P_i, P_j}, consider the following types of shares.

1. Shares that are known to exactly one of P_i, P_j: Such shares are already held by two other parties in P \ {P_i, P_j}, which is what is needed for the (3, 1)-RSS sharing.
2. Shares that are known to neither P_i nor P_j: Such shares are known to all three residual parties. Since exactly two parties should hold each share, we let the party with the lowest index remove this share from its possession.
3. Shares that are known to both P_i and P_j: Such shares are known to exactly one other party, say P_k, in P \ {P_i, P_j}. To enable one other party to hold this share and complete the (3, 1)-RSS sharing, we let P_k send this share to the remaining party, say P_l.
4. Shares that are held by all (𝛽): We let the parties enacting the roles of P′_1, P′_2 incorporate this share in their set of common shares, and let P′_0 remove this share from its possession.

We explain the share conversion steps with a concrete example. Let P1, P2 be the parties to be eliminated, and let P′_0 = P3, P′_1 = P4, P′_2 = P5. Consider conversion of ⟦v⟧ to a (3, 1)-RSS sharing. For type 1 shares, the shares known to exactly one of P1, P2 include 𝛼_v^{13}, 𝛼_v^{23}, 𝛼_v^{14}, 𝛼_v^{24}, 𝛼_v^{15}, 𝛼_v^{25}, where every consecutive pair of shares is held by {P4, P5},
{P3, P5}, {P3, P4}, respectively. With respect to type 2 shares, the shares known to neither P1 nor P2 consist of 𝛼_v^{12}. This is retained by {P4, P5} in their set of shares. For type 3 shares, the shares known to both P1, P2 include 𝛼_v^{34}, 𝛼_v^{35}, 𝛼_v^{45}, which are held by P5, P4, P3, respectively. Let P3 send 𝛼_v^{45} to P4, let P4 send 𝛼_v^{35} to P5, and let P5 send 𝛼_v^{34} to P3. Finally, for the last type of share, we let P4, P5 include 𝛽_v in their set of shares. The (3, 1)-RSS shares of v are now defined as v_0 = −𝛼_v^{25} − 𝛼_v^{15} − 𝛼_v^{45}, which is held by P3, P4; v_2 = −𝛼_v^{24} − 𝛼_v^{14} − 𝛼_v^{34}, which is held by P3, P5; and v_1 = 𝛽_v − 𝛼_v^{23} − 𝛼_v^{13} − 𝛼_v^{35} − 𝛼_v^{12}, which is held by P4, P5. This generates the (3, 1)-RSS shares of v from ⟦v⟧.

4 BUILDING BLOCKS

In this section, we discuss 5PC (1, 1)-FaF realizations of the building blocks (Table 1) required for the applications considered. Most of these are well studied in the literature [36, 37, 43, 55]. Hence, here we only highlight those which were challenging to achieve in the 5PC (1, 1)-FaF setting.

Multi-input multiplication. To reduce the online communication cost as well as the round complexity, we design protocols to enable multiplication of 3 and 4 inputs in a single shot [37, 54, 55]. Compared to the naive approach of performing sequential multiplications to multiply 3 and 4 inputs, the multi-input multiplication protocol enjoys the benefit of having the same online phase complexity as that of the 2-input multiplication protocol. This brings in a 2× improvement in the online round complexity, while also improving the online communication cost. We extend the ideas of [37] to achieve this in our setting. For instance, the goal of 3-input multiplication is to generate ⟦z⟧ given ⟦·⟧-shares of a, b, c ∈ Z_{2^ℓ} where z = abc. Observe that

𝛽_z = abc + 𝛼_z = 𝛽_abc − 𝛽_ac 𝛼_b − 𝛽_bc 𝛼_a − 𝛽_ab 𝛼_c + 𝛽_a 𝛼_bc + 𝛽_b 𝛼_ac + 𝛽_c 𝛼_ab − 𝛼_abc + 𝛼_z.

Thus, parties generate [𝛼_ab], [𝛼_ac], [𝛼_bc], [𝛼_abc] during preprocessing by invoking F_MulPre (Fig. 34), and proceed with a similar online phase as in 2-input multiplication. Similarly, for 4-input multiplication, [·]-shares of 𝛼_ab, 𝛼_ac, 𝛼_ad, 𝛼_bc, 𝛼_bd, 𝛼_cd, 𝛼_abc, 𝛼_abd, 𝛼_acd, 𝛼_bcd, 𝛼_abcd are needed.

Dot product. Given ⟦·⟧-shares of vectors x and y, where each element of the vector is ⟦·⟧-shared, protocol Π_dotp enables generation of ⟦·⟧-shares of z = x ⊙ y, where ⊙ denotes the dot product operation. For this, observe that 𝛽_z can be written as

𝛽_z = z + 𝛼_z = x ⊙ y + 𝛼_z = Σ_{i=1}^{n} x_i y_i + 𝛼_z = Σ_{i=1}^{n} (𝛽_{x_i y_i} − 𝛽_{x_i} 𝛼_{y_i} − 𝛽_{y_i} 𝛼_{x_i} + 𝛼_{x_i y_i}) + 𝛼_z.   (1)

Thus, the goal of the preprocessing phase is to generate [·]-shares of 𝜎 = Σ_{i=1}^{n} 𝛼_{x_i y_i}, which is a dot product of {𝛼_{x_i}}_{i=1}^{n} and {𝛼_{y_i}}_{i=1}^{n}. Given [𝜎], parties proceed with a similar online phase as that in multiplication to compute 𝛽_z (Eq. (1)), where the terms are locally added before being sent, making the online communication independent of n [36, 56]. Similar to [36], to make the preprocessing communication for generating [𝜎] independent of n, parties execute a semi-honest dot-product protocol [25] whose communication cost is independent of n. This is followed by a verification phase, similar to the one in [12], where parties invoke Π_Verify⁴ (see Fig. 33, §F) on the dot product triple {𝛼_{x_i}}_{i=1}^{n}, {𝛼_{y_i}}_{i=1}^{n}, [𝜎] to verify the correctness of [𝜎]. As opposed to verification of m multiplication triples, which requires a communication cost of O(log(m)) elements, the cost for verifying the correctness of m dot products with vectors of size n becomes O(log(mn)) elements. Thus, for large m, the verification cost can be amortized, making the preprocessing communication cost independent of n. Due to its similarity to multiplication, we omit the formal protocol for dot product.

⁴Note that the computations in Π_Verify remain unchanged except that its input parameters now correspond to dot product triples.

Matrix multiplication and convolution. Matrix multiplication can easily be reduced to dot product, where each element in the resultant matrix can be computed via a dot product. Convolutions can also be reduced to matrix multiplication following standard techniques [61].

Truncation. Repeated multiplications in fixed point arithmetic (FPA) cause an overflow. This necessitates truncation, which drops the last d bits from the result of a multiplication, to retain FPA semantics. We follow a similar approach as in [43, 45] for probabilistic truncation. Here, to truncate a value v, we rely on an (r, r^d)-pair, where r ∈ Z_{2^ℓ} and r^d is the truncated value of r (i.e., r^d = r/2^d). The truncated value v^d of v is computed as v^d = (v − r)^d + r^d.

Since ⟦r⟧, ⟦r^d⟧ can be generated in the preprocessing phase, our multiplication protocol can be modified to incorporate truncation without incurring any overhead in the online phase, as follows. Use r instead of 𝛼_z while computing 𝛽_z. Parties truncate 𝛽_z locally to generate 𝛽_z^d = (z + r)^d and generate ⟦(z + r)^d⟧ non-interactively (see §B.3), followed by computing ⟦z^d⟧ = ⟦(z + r)^d⟧ − ⟦r^d⟧. To generate ⟦·⟧-shares of the truncation pair (r, r^d), we extend the ideas in [43] to our setting, and the resultant protocol is called Π_TrPair. For this, parties non-interactively generate ⟦r⟧^B using their shared-key setup, and truncate the last d bits of each of its shares to generate ⟦r^d⟧^B. To obtain ⟦r⟧ from ⟦r⟧^B, parties proceed as follows; analogous steps enable generation of ⟦r^d⟧ from ⟦r^d⟧^B. Set 𝛽_r = 0 in ⟦r⟧. Let the other shares of ⟦r⟧ be denoted as r_{ij} for 1 ≤ i < j ≤ 5. Without loss of generality, parties non-interactively sample all r_{ij} but r_{12}, as per the ⟦·⟧-sharing. Enabling P3, P4, P5 to obtain r_{12} = r − Σ_{ij≠12} r_{ij} then completes the generation of ⟦r⟧. For this, observe that we can write r = v_1 + v_2 + v_3 + v_4, where v_1 = r_{34} + r_{35} + r_{45} is held by P1, P2; v_2 = r_{24} + r_{25} is held by P1, P3; v_3 = r_{14} + r_{15} is held by P2, P3; and v_4 = r_{12} + r_{13} + r_{23} is held by P4, P5. Thus, revealing v_4 = r − v_1 − v_2 − v_3 to P4, P5 enables them to compute r_{12} = v_4 − r_{13} − r_{23}, which they can send to P3 by invoking Π_jmp, thereby generating ⟦r⟧. For this, given ⟦r⟧^B, parties compute ⟦v_4⟧^B = ⟦r⟧^B + Σ_{i=1}^{3} ⟦−v_i⟧^B by evaluating a Boolean addition circuit. Elaborately, P1, P2 generate ⟦−v_1⟧^B, P1, P3 generate ⟦−v_2⟧^B, and P2, P3 generate ⟦−v_3⟧^B by invoking the joint sharing protocol Π_JSh2 (§B.3). Note that this joint sharing generates ⟦−v_i[k]⟧^B for each bit −v_i[k] of −v_i, for i ∈ {1, 2, 3}, k ∈ {0, …, ℓ − 1}. Parties proceed to compute the sum ⟦v_4[k]⟧^B = ⟦r[k]⟧^B + Σ_{i=1}^{3} ⟦−v_i[k]⟧^B for each bit using a full adder (FA) circuit, as described in [43]. It follows from [43] that x = x_1 + x_2 + x_3 can be expressed as x = 2c + s, where FA(x_1[k], x_2[k], x_3[k]) → (c[k], s[k]) for k ∈ {0, …, ℓ − 1}. Here, s and c denote the sum and carry bits, respectively. Thus, parties compute ⟦v_4[k]⟧^B for k ∈ {0, …, ℓ − 1}, simultaneously, by executing the FAs as given below.
– FA(r[k], −v_1[k], −v_2[k]) → (c_1[k], s_1[k])
– FA(−v_3[k], c_1[k − 1], s_1[k]) → (c_2[k], s_2[k])
– PPA(2c_2, s_2) → v_4

After the FAs are executed, ⟦v_4⟧^B is computed using the 2-input Parallel Prefix Adder (PPA) circuit [43] on inputs 2⟦c_2⟧^B, ⟦s_2⟧^B. The computations above are carried out on the ⟦·⟧^B-shares, with (2c_1)[k] = c_1[k − 1] and c_1[−1] = 0. Having obtained ⟦v_4⟧^B, parties reconstruct v_4 towards P4, P5, who compute r_{12} = v_4 − r_{13} − r_{23} and invoke Π_jmp to send it to P3. This completes the generation of ⟦r⟧.

Bit to arithmetic. Protocol Π_bit2A allows computation of arithmetic shares ⟦b^R⟧ of a bit b ∈ Z_2 from its Boolean shares ⟦b⟧^B, where b^R denotes the arithmetic equivalent of b over Z_{2^ℓ}. Observe that, following [37],

b^R = (𝛽_b ⊕ 𝛼_b)^R = 𝛽_b^R + 𝛼_b^R − 2𝛽_b^R 𝛼_b^R.   (2)

Since [𝛼_b^R] and [r], for r ∈ Z_{2^ℓ}, can be generated in the preprocessing phase, parties can compute [b^R + r] in the online phase and reconstruct it towards all. Possession of b^R + r by all enables non-interactive generation of its ⟦·⟧-shares (§B.3), from which ⟦b^R⟧ = ⟦b^R + r⟧ − ⟦r⟧ can be computed. To generate [𝛼_b^R], parties first generate ⟦𝛼_b^R⟧ and convert it to [·]-shares via Π_{⟦·⟧→[·]} (§3.1). To generate ⟦𝛼_b^R⟧, observe that the [·]^B-shares of 𝛼_b can be written as 𝛼_b = 𝜈_1 ⊕ 𝜈_2 ⊕ 𝜈_3 ⊕ 𝜈_4, where 𝜈_1 = 𝛼_b^{34} ⊕ 𝛼_b^{35} ⊕ 𝛼_b^{45}, 𝜈_2 = 𝛼_b^{24} ⊕ 𝛼_b^{25}, 𝜈_3 = 𝛼_b^{14} ⊕ 𝛼_b^{15} and 𝜈_4 = 𝛼_b^{12} ⊕ 𝛼_b^{13} ⊕ 𝛼_b^{23}. As seen in truncation pair generation, P1, P2 hold 𝜈_1, P1, P3 hold 𝜈_2, P2, P3 hold 𝜈_3 and P4, P5 hold 𝜈_4. Since ⟦·⟧^B-shares of each of 𝜈_1, 𝜈_2, 𝜈_3, 𝜈_4 can be generated via Π_JSh2, parties generate ⟦·⟧-shares of p = 𝜈_1 ⊕ 𝜈_2 and q = 𝜈_3 ⊕ 𝜈_4 using Eq. (2), and use these values to generate ⟦𝛼_b^R⟧ = ⟦(p ⊕ q)^R⟧. The protocol appears in Fig. 14.

Bit extraction. Bit extraction (Π_bitext) enables generation of ⟦·⟧^B-shares of the most significant bit (msb) of a value v ∈ Z_{2^ℓ} given ⟦v⟧. Support for multi-input multiplication enables usage of the optimized bit extraction circuit proposed in [55], which takes two values as inputs and outputs the msb of the sum of these values. Given ⟦v⟧, we generate the Boolean shares of the two inputs to the bit extraction circuit as follows. Observe that v can be written as v = 𝛽_v + (−𝛼_v). Thus, 𝛽_v and −𝛼_v serve as the two inputs. ⟦𝛽_v⟧^B can be generated non-interactively in the online phase since all parties hold 𝛽_v (see §B.3). To generate ⟦−𝛼_v⟧^B from [𝛼_v], parties proceed as follows in the preprocessing phase. Parties first generate [−𝛼_v] by locally negating all their shares of 𝛼_v. For ease of presentation, let 𝛼 = −𝛼_v and [𝛼] = [−𝛼_v] = (𝛼^{ij})_{1≤i<j≤5}. Recall that 𝛼 = 𝜈_1 + 𝜈_2 + 𝜈_3 + 𝜈_4, where 𝜈_1 = 𝛼^{34} + 𝛼^{35} + 𝛼^{45}, 𝜈_2 = 𝛼^{24} + 𝛼^{25}, 𝜈_3 = 𝛼^{14} + 𝛼^{15} and 𝜈_4 = 𝛼^{12} + 𝛼^{13} + 𝛼^{23}, and each term is held by a pair of parties. Similar to Π_TrPair, after the different pairs of parties generate ⟦𝜈_1⟧^B, ⟦𝜈_2⟧^B, ⟦𝜈_3⟧^B, ⟦𝜈_4⟧^B, evaluating two sequential full adders followed by a PPA circuit generates ⟦𝛼⟧^B. Having obtained ⟦𝛼⟧^B and ⟦𝛽_v⟧^B, parties execute the optimized bit extraction circuit to extract msb(v).

Arithmetic to Boolean. Protocol Π_A2B generates ⟦·⟧^B-shares for each bit of v ∈ Z_{2^ℓ}, denoted as ⟦v⟧^B, from ⟦v⟧. For this, observe that v = 𝛽_v + (−𝛼_v). Thus, evaluating the optimized PPA circuit [55] on ⟦𝛽_v⟧^B, ⟦−𝛼_v⟧^B generates ⟦v⟧^B. For this, ⟦𝛽_v⟧^B can be generated non-interactively since all parties hold 𝛽_v (see §B.3). To generate ⟦−𝛼_v⟧^B from [𝛼_v], parties follow the steps described in Π_bitext.

Bit injection. Given ⟦b⟧^B, ⟦v⟧, where b ∈ Z_2, v ∈ Z_{2^ℓ}, bit injection (Π_BitInj) generates ⟦b^R · v⟧. For this, parties run Π_bit2A to generate ⟦b^R⟧, followed by Π_mult to generate ⟦b^R · v⟧.

Oblivious select. Protocol Π_sel takes as input ⟦x_0⟧, ⟦x_1⟧, ⟦b⟧^B, where x_0, x_1 ∈ Z_{2^ℓ} and b ∈ Z_2, and outputs re-randomized ⟦·⟧-shares of z = x_b. Since z = x_b = b(x_1 − x_0) + x_0, computing ⟦z⟧ requires one invocation of Π_BitInj and addition operations.

Equality check. On input ⟦x⟧, ⟦y⟧, the equality check protocol (Π_eq) outputs ⟦b⟧^B, where b = 1 if x = y, and b = 0 otherwise. Similar to [55], the approach is to compute v = x − y and check if all bits of v are 0. Concretely, parties first obtain ⟦v⟧^B by invoking Π_A2B on ⟦v⟧, compute ⟦v̄⟧^B (v̄ denotes the bitwise complement of v) non-interactively, followed by invoking the 4-input (Boolean) multiplication, recursively, to generate ⟦b⟧^B.

Comparison. On input ⟦x⟧, ⟦y⟧, Π_comp outputs ⟦b⟧^B, where b = 1 if x < y, and b = 0 otherwise. This reduces to checking the msb of v = x − y, and hence Π_bitext can be used.

Maxpool/minpool. Maxpool allows computing the maximum element from a set of m elements. We follow a similar approach as in [37], where the elements are recursively compared in a pairwise manner to obtain the maximum element. Minpool can be computed analogously.

ReLU. The ReLU function computes the maximum between 0 and a value v, and can be computed as ReLU(v) = b̄ · v, where b = 1 if v < 0 and b = 0 otherwise. Here, b̄ denotes the complement of bit b. Given ⟦v⟧, b can be computed via Π_bitext, followed by non-interactively computing b̄, followed by Π_BitInj to compute ⟦b̄^R · v⟧.

Complexity of building blocks. Table 1 lists the complexities of the designed building blocks.

Table 1: Building blocks with their complexity

Building block                 | Online rounds        | Online comm. (bits)   | Preprocessing comm. (bits)
Multiplication                 | 1                    | 8ℓ                    | 6ℓ
3-input multiplication         | 1                    | 8ℓ                    | 24ℓ
4-input multiplication         | 1                    | 8ℓ                    | 66ℓ
Dot product                    | 1                    | 8ℓ                    | 6ℓ
Matrix multiplication          | 1                    | 8pqℓ                  | 6pqℓ
Multiplication with truncation | 1                    | 8ℓ                    | 27ℓ + 6ℓ log₂ ℓ
Bit to arithmetic              | 1                    | 8ℓ                    | 22ℓ
Bit extraction                 | log₄ ℓ               | u₂′                   | 16ℓ + 6ℓ log₂ ℓ + u₁′
Arithmetic to Boolean          | log₄ ℓ               | u₂                    | 16ℓ + 6ℓ log₂ ℓ + u₁
Bit injection                  | 2                    | 16ℓ                   | 28ℓ
Oblivious select               | 2                    | 16ℓ                   | 28ℓ
Equality                       | log₄ ℓ               | u₂ + 168              | 16ℓ + 6ℓ log₂ ℓ + u₁ + 1386
Comparison                     | log₄ ℓ               | u₂′                   | 16ℓ + 6ℓ log₂ ℓ + u₁′
Maxpool/minpool                | log₂ m (log₄ ℓ + 2)  | (m − 1)(u₂′ + 16ℓ)    | (m − 1)(44ℓ + 6ℓ log₂ ℓ + u₁′)
ReLU                           | log₄ ℓ + 2           | u₂′ + 16ℓ             | 44ℓ + 6ℓ log₂ ℓ + u₁′

- ℓ: size of the ring in bits, instantiated with ℓ = 64.
- p × q denotes the dimension of the resultant matrix after matrix multiplication.
- u₁′ = 6n₂ + 24n₃ + 66n₄, u₂′ = 8(n₂ + n₃ + n₄), where n₂ = 41, n₃ = 27, n₄ = 47 denote the number of AND gates with 2, 3, 4 inputs, respectively, in the optimized bit extraction circuit of [55].
- u₁ = 6n₂ + 24n₃ + 66n₄, u₂ = 8(n₂ + n₃ + n₄), where n₂ = 216, n₃ = 184, n₄ = 179 denote the number of AND gates with 2, 3, 4 inputs, respectively, in the optimized PPA circuit of [55].
- m denotes the number of elements to be compared via maxpool.
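The share conversion of §3.5 is the fallback that every CP-identification path ends in, so it is worth checking mechanically that it produces a valid (3, 1)-RSS sharing for every possible conflict pair, not just for the worked example. The Python below is an added example, not the paper's code: it applies the four share types of §3.5 to an arbitrary eliminated pair and the test reproduces the worked example (P1, P2 eliminated; P′_0 = P3, P′_1 = P4, P′_2 = P5). Two choices are the example's own and are not fixed by the text: the residual parties take roles P′_0, P′_1, P′_2 in index order, and a type-3 share held by P′_k is forwarded to P′_{(k+1) mod 3} (this matches the worked example's P3 → P4, P4 → P5, P5 → P3).

```python
# Added example (not the paper's code): the share conversion of Sec. 3.5 from
# the 5PC sharing <<v>> = (beta_v, [alpha_v]) to a (3,1)-RSS sharing among the
# three parties that remain after a conflict pair is eliminated.  Role
# assignment in index order and the "forward to the next role" rule for
# type-3 shares are this example's choices (they match the worked example).
import secrets

L = 64
MASK = (1 << L) - 1
PAIRS = [(i, j) for i in range(1, 6) for j in range(i + 1, 6)]
ALL = frozenset(range(1, 6))


def holders(ij):
    """Parties holding alpha_ij: everyone except P_i and P_j."""
    return ALL - set(ij)


def jk_share(v):
    """<<v>> with v = beta_v - (sum of the ten alpha_ij)."""
    alpha = {ij: secrets.randbelow(1 << L) for ij in PAIRS}
    return (v + sum(alpha.values())) & MASK, alpha


def convert(beta, alpha, eliminated):
    """Convert <<v>> for the eliminated pair.  Returns
      v     : {0: v0, 1: v1, 2: v2} with v0 + v1 + v2 = v (mod 2^L)
      roles : {party: k} giving role P_k' of each residual party
      comp  : {k: [alpha indices folded into v_k]}
      sent  : [(from, to, alpha index)] type-3 forwarding messages."""
    p = sorted(ALL - set(eliminated))                 # residual parties, roles in index order
    roles = {p[0]: 0, p[1]: 1, p[2]: 2}
    # which (3,1) share each pair of residual parties ends up holding
    group = {frozenset((p[0], p[1])): 0, frozenset((p[1], p[2])): 1,
             frozenset((p[0], p[2])): 2}
    comp, sent = {0: [], 1: [], 2: []}, []
    for ij in PAIRS:
        hold = holders(ij) & set(p)                  # residual holders of alpha_ij
        if len(hold) == 3:                           # type 2: known to neither eliminated party
            hold = hold - {min(hold)}                #   lowest-index holder drops it
        elif len(hold) == 1:                         # type 3: known to both eliminated parties
            (pk,) = hold
            pl = p[(roles[pk] + 1) % 3]
            sent.append((pk, pl, ij))                #   sole holder forwards it
            hold = {pk, pl}
        # len(hold) == 2 is type 1: already with exactly two residual parties
        comp[group[frozenset(hold)]].append(ij)
    # type 4: beta is kept by P1', P2' (the holders of v1) and dropped by P0'
    v = {k: ((beta if k == 1 else 0) - sum(alpha[ij] for ij in comp[k])) & MASK
         for k in range(3)}
    return v, roles, comp, sent


def held_by(roles):
    """P_k' holds (v_k, v_{(k+2) mod 3}): P0' (v0, v2), P1' (v1, v0), P2' (v2, v1)."""
    return {party: (k, (k + 2) % 3) for party, k in roles.items()}


def verify_all(value):
    """Convert <<value>> for every possible conflict pair and check that every
    alpha_ij lands in exactly one v_k, that the three shares reconstruct the
    value, and that each v_k is held by exactly two parties."""
    beta, alpha = jk_share(value & MASK)
    for pair in PAIRS:
        v, roles, comp, _ = convert(beta, alpha, pair)
        if sorted(ij for k in comp for ij in comp[k]) != PAIRS:
            return False
        if (v[0] + v[1] + v[2]) & MASK != value & MASK:
            return False
        hb = held_by(roles)
        if any(sum(k in pair_ for pair_ in hb.values()) != 2 for k in range(3)):
            return False
    return True


if __name__ == "__main__":
    b, a = jk_share(42)
    print(convert(b, a, (1, 2))[2:], verify_all(42))
```

The only messages the conversion needs are the three type-3 forwards; everything else is local deletion, which is why a segment can fall back to 3PC at the cost of a single round.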
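Π_TrPair and the probabilistic truncation it serves are easiest to understand on concrete bits. The Python below is an added example, not the paper's code: it generates (r, r^d) the way §4 describes (Boolean-shared r, share-wise truncation for r^d, arithmetic shares of r completed by computing v_4 = r − v_1 − v_2 − v_3 through two full adders and an adder, then solving for r_{12}), and then applies ⟦z^d⟧ = ⟦(z + r)^d⟧ − ⟦r^d⟧ to fixed-point values. Two things are the example's own: the Boolean circuit is evaluated on cleartext ℓ-bit integers (in the protocol each gate runs on ⟦·⟧^B-shares), and all shifts are arithmetic, i.e. sign-preserving, which is the interpretation under which the result is within 1 of the true floor for signed fixed-point values; the text does not spell this out.

```python
# Added example (not the paper's code): truncation-pair generation of
# Sec. 4 (Pi_TrPair) and the probabilistic truncation built on it, simulated
# in cleartext in one process.  The two full adders followed by a PPA are
# evaluated on plain L-bit integers to show what the circuit computes; in the
# protocol every gate runs on Boolean shares.  Shifts are arithmetic (sign
# preserving): this is the example's interpretation of "truncate the last d
# bits" and is what keeps signed fixed-point values correct.
import secrets

L = 64
MASK = (1 << L) - 1
PAIRS = [(i, j) for i in range(1, 6) for j in range(i + 1, 6)]


def signed(x):
    """Interpret an L-bit ring element as a two's-complement integer."""
    x &= MASK
    return x - (1 << L) if x >> (L - 1) else x


def ashr(x, d):
    """Arithmetic right shift by d bits, result back in the ring."""
    return (signed(x) >> d) & MASK


def full_adder(x, y, z):
    """Bitwise FA on L-bit integers: (carry, sum) with x + y + z == 2*carry + sum."""
    s = x ^ y ^ z
    c = (x & y) | (x & z) | (y & z)
    return c & MASK, s & MASK


def trpair(d):
    """Generate (r, r^d) as Pi_TrPair does.  Returns (r, r_d, arithmetic
    shares of r keyed by (i, j)) so the caller can check the invariants."""
    bool_sh = {ij: secrets.randbelow(1 << L) for ij in PAIRS}   # <<r>>^B, beta_r = 0
    r, r_d = 0, 0
    for s in bool_sh.values():
        r ^= s
        r_d ^= ashr(s, d)                                         # <<r^d>>^B: shift every share
    # arithmetic shares of r: sample all but r_12, beta_r = 0
    arith = {ij: secrets.randbelow(1 << L) for ij in PAIRS if ij != (1, 2)}
    v1 = sum(arith[ij] for ij in ((3, 4), (3, 5), (4, 5))) & MASK   # held by P1, P2
    v2 = (arith[(2, 4)] + arith[(2, 5)]) & MASK                      # held by P1, P3
    v3 = (arith[(1, 4)] + arith[(1, 5)]) & MASK                      # held by P2, P3
    # v4 = r + (-v1) + (-v2) + (-v3): FA, FA, then PPA (modelled by +)
    c1, s1 = full_adder(r, -v1 & MASK, -v2 & MASK)
    c2, s2 = full_adder(-v3 & MASK, (2 * c1) & MASK, s1)
    v4 = (2 * c2 + s2) & MASK                                        # PPA(2c2, s2)
    arith[(1, 2)] = (v4 - arith[(1, 3)] - arith[(2, 3)]) & MASK      # P4, P5 compute, jmp to P3
    return r, r_d, arith


def truncate(z, r, r_d, d):
    """Online step of multiplication with truncation: open z + r (r plays the
    role of alpha_z), shift the public value, subtract r^d."""
    opened = (z + r) & MASK
    return (ashr(opened, d) - r_d) & MASK


def fixed(x, d):
    """Encode a Python float as an L-bit fixed-point value with d fraction bits."""
    return int(round(x * (1 << d))) & MASK


if __name__ == "__main__":
    r, r_d, arith = trpair(16)
    print(sum(arith.values()) & MASK == r, r_d == ashr(r, 16))
    print(signed(truncate(fixed(3.75, 16), r, r_d, 16)))   # 3 or 4
```

Because the opened value wraps only when z + r leaves the signed range, the result is floor(z/2^d) or floor(z/2^d) + 1 except with probability about |z|/2^{ℓ−1}; the test checks both a positive and a negative fixed-point input against that window.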
Nishat Koti, Varsha Bhat Kukkala, Arpita Patra, Bhavish Raj Gopal

5 APPLICATIONS AND BENCHMARKS

As described in §3.3, rather than having a multiplication protocol with all parties online, considerable effort was spent in reducing the number of online parties to only 3. We now showcase the concrete improvements brought in by this approach. The results corroborate that the reduction in online parties is indeed beneficial. In addition to the above, we empirically show the practicality of our protocols for securely performing matching in dark pools, and for evaluating privacy-preserving machine learning (PPML) algorithms. For this, we consider the secure outsourced setting (see §A for details), and benchmark via the optimized variant of the multiplication protocol.

Our (1,1)-FaF 5PC is the first instantiation of a FaF secure protocol. In comparison to (traditional) protocols in the literature, we note the following. The setting of (5,1) is not popular and there is no concretely secure protocol. On the other hand, the setting of (4,1) achieving GOD is well-studied [24, 36, 37]. However, given the asymptotic complexity of a (4,1) MPC protocol, it is unsurprising that it would naturally fare better. Hence, despite the mismatch in the number of parties, we can estimate the overhead incurred in moving from traditional 4PC [37] to FaF secure 5PC. We observe an overhead of 1.62× in the online and 3× in the preprocessing communication cost. We believe that the overhead, which is the price paid for obtaining FaF security, is reasonable. Further, in §5.1, we establish a concrete efficiency gain of up to 1.6× of our (1, 1)-FaF secure protocol over the traditional (5, 2) protocol with respect to online efficiency. In §5.2 we benchmark the performance of the applications by instantiating them with our FaF-secure protocols.

Benchmark environment and parameters. We report results in a LAN (1 Gbps bandwidth) with 2.3 GHz Quad-Core Intel Core i7 machines having 16 GB RAM. The average round trip time (rtt) for communicating 1 KB of data between a pair of machines is 0.29 milliseconds (ms). The protocols build on the ENCRYPTO library [22] in C++17 over a 64-bit ring. We use multi-threading, wherever possible, to facilitate efficient computation and communication among the parties. We only estimate these results since the correctness of the dark pool algorithms and the accuracy of the NN algorithms follow from prior works [16, 45, 63]. Since there is no defined way to capture an adversary's misbehaviour, following standard practice [13, 36, 43, 56], we benchmark honest executions of the protocols, including the verification required to attain GOD. Hence the reported run time does not account for the 3PC execution. Note, however, that the 5PC execution itself accounts for the worst-case computation because it has a higher number of parties, including one malicious corruption, as opposed to 3PC. Further, considering perennially running protocols such as CDA, the cost of switching to 3PC and continuing a semi-honest execution would be much lower than that of executing the protocol using 5PC perennially. We use the time taken for the protocol to complete and the communication between parties as the two parameters for benchmarks. We report these values separately for the online and preprocessing phases. Further, we also report online throughput (TP), which is the number of buy/sell orders that can be processed in a second for the dark pool algorithms, whereas it is the number of inference queries that can be processed in a second for PPML algorithms.

5.1 Benefit of having fewer parties online

We compare our optimized multiplication protocol, which requires only 3 out of the 5 parties for most of the online phase, with the non-optimized variant, which requires all parties to remain online. We also compare our protocol with the traditional (5, 2) protocol obtained from [12], which also requires all parties to be online. To showcase the improvement achieved in the optimized variant, we benchmark synthetic circuits of varying depths (10, 100, 1000, 10000) with 100 multiplication gates at each layer. For all the variants, we report the time, throughput (number of circuit evaluations that can be performed in a second) and monetary cost of the system in Table 2. While throughput simultaneously captures the improvements in communication and round complexity, we additionally report monetary costs to showcase the effect of the number of parties on the operational cost of the system. We report these values only for the online phase. We estimate the monetary cost following standard Google Cloud pricing⁵.

The round complexity of the non-optimized variant is roughly 3× that of the optimized variant, assuming that the time taken for jmp-vrfy gets amortized. This is evident from the reported online time for circuit depth 100 and beyond. This is however not the case for the circuit of depth 10. This is because the time taken for the jmp-vrfy in the optimized variant (2 rounds) is comparable to that of circuit evaluation (10 rounds for jmp-send) and hence does not get amortized. The improved online time is reflected as improvements in throughput as well, where the gain is up to 3×. Finally, the reduction in the number of online parties is clearly evident in monetary cost, since it captures the price paid to host the required number of parties (inclusive of their computation and communication). The optimized variant witnesses up to 69% savings in monetary cost compared to the non-optimized variant.

With respect to [12], our optimized variant has an improvement of up to 1.6× in run time and throughput. While the monetary cost reported in Table 2 is for the online phase, to draw a fair comparison between our (optimized) protocol and [12], we also account for the monetary cost of the preprocessing phase. In doing so, we observe that even for a circuit of depth 10000, the overall monetary cost of our protocol is 2.57 × 10^−3 USD, which is only slightly higher than that of [12].

Circuit depth | Protocol type | Online time (s) | TP (×10^2) | Monetary cost (×10^−3 USD)
10 | Optimized | 0.005 | 121.189 | 0.002
10 | Non-optimized | 0.011 | 59.435 | 0.006
10 | [12] | 0.008 | 78.259 | 0.002
100 | Optimized | 0.034 | 19.037 | 0.018
100 | Non-optimized | 0.107 | 6.006 | 0.057
100 | [12] | 0.0543 | 11.783 | 0.031
1000 | Optimized | 0.329 | 1.948 | 0.178
1000 | Non-optimized | 1.059 | 0.604 | 0.571
1000 | [12] | 0.530 | 1.206 | 0.253
10000 | Optimized | 3.152 | 0.203 | 1.758
10000 | Non-optimized | 10.638 | 0.060 | 5.711
10000 | [12] | 5.154 | 0.124 | 2.452
Table 2: Comparison for synthetic circuits

⁵ See https://cloud.google.com/vpc/network-pricing for network cost and https://cloud.google.com/compute/vm-instance-pricing for computation cost.

5.2 Dark pools

We consider two popular matching algorithms used in dark pools: the continuous double auction (CDA) algorithm and the volume-based matching algorithm. While the former processes orders in a continuous manner, the latter does so in scheduled intervals, and the two algorithms rely on different parameters for matching orders. Both these matching algorithms have been considered in prior works, albeit in the traditional MPC setting [16, 23]. Although the functionality of these algorithms remains the same as described in [16], we take advantage of possible parallelization and tweak the algorithms to improve their round complexity. This, in turn, improves the run time of the protocols and the number of orders that can be processed in unit time (throughput). We next detail each of these algorithms and their overall performance.

5.2.1 Continuous Double Auction. The CDA algorithm maintains a sorted list of buy orders (B) and sell orders (S) that are yet to be matched. A buy order comprises the client's identity, 𝑛𝑎𝑚𝑒𝑏, the units to be bought, 𝑏, and the buying price, also known as the bid, 𝑞. Analogously, a sell order comprises the client's identity 𝑛𝑎𝑚𝑒𝑠, the units to be sold 𝑠, and the selling price, also known as the offer, 𝑝. All the unmatched buy orders in the list B (where |B| = 𝑀) are sorted in descending order of their bid. Similarly, sell orders in the list S (where |S| = 𝑁) are sorted in ascending order of offer. The CDA algorithm maintains this as an invariant.

The CDA algorithm for processing a new order has two phases: (i) matching, and (ii) insertion. In the matching phase, the incoming order is matched with orders of the opposite type. Elaborately, a buy order is said to match a sell order if the following criteria are met: (i) Price criteria: the bid of the buy order must be greater than or equal to the offer of the sell order and, (ii) Volume criteria: the units of one order must be able to satisfy the units of the other. Thus, when a new buy order arrives, it is matched with the first order in S based on the matching criteria. The buy order may continue to be matched with other sell orders in S, until either of the criteria for matching fails. Hence matches need not be one-to-one. An incoming sell order can also be processed analogously. The matching phase concludes with the incoming order being in one of the following two states. The order may be satisfied if all of its units are exhausted by getting matched to opposite orders, or it may be partially satisfied if some of its units are still unmatched. If the incoming order is partially satisfied, the algorithm enters the insertion phase, which involves inserting this order into the corresponding list B or S while respecting the sorted order maintained within it. We refer to the algorithm in [16] for further details.

A secure variant of the CDA algorithm was given in [16], where all orders remain hidden until they are satisfied. However, the order type (buy or sell), and hence the sizes of S and B, are not regarded as sensitive information. We now describe an improved secure protocol for the CDA algorithm to process an incoming buy order. An incoming sell order can be processed analogously.

In [16], the protocol identifies matching sell orders in S sequentially, and terminates when the incoming order can no longer be matched. Instead, we perform additional bookkeeping to identify all the matching sell orders in a single shot. This was not possible in [16] because the number of unmatched units remaining was tracked sequentially. However, we compute the cumulative sum 𝑤𝑖 of the units of the first 𝑖 sell orders in S, which facilitates single-shot identification of matching sell orders. While the satisfaction of the price criteria for all sell orders in S can be determined in parallel, 𝑤 allows determining satisfaction of the volume criteria also, for all sell orders in parallel. Thus, one need not wait for the 𝑖th order to be matched before processing the (𝑖 + 1)th order. Hence, all those sell orders where both the conditions are met can be executed and revealed in public. Note that the last sell order to be matched could either be fully satisfied or partially satisfied, and hence needs extra care. The protocol for the above matching phase is given in Fig. 5, where the changes made over the existing protocol are highlighted. The insertion phase follows this, where the incoming buy order is obliviously inserted into B in the correct slot that respects the ordering maintained as an invariant. Since the steps of the protocol for the insertion phase as well as the overall CDA algorithm remain the same as in [16], we do not elaborate on them. However, we continue to execute independent instructions in parallel within these protocols, too, and render the overall execution as efficient as possible. The protocols for the insertion phase and overall CDA are given in Fig. 15 and Fig. 16 respectively in §D.

Protocol ΠPSL(P, (J𝑛𝑎𝑚𝑒𝑏0K, J𝑏0K, J𝑞0K), S)
– Set J𝑤0K = J0K
– For each 𝑖 = 1 to 𝑁 do in parallel: J𝑤𝑖K = Σ_{𝑗=1}^{𝑖} J𝑠𝑗K
– For each 𝑖 = 1 to 𝑁 do in parallel:
  ◦ J𝑧𝑖KB = Πcomp(P, J𝑤𝑖−1K, J𝑏0K), J𝑧𝑖′KB = Πcomp(P, J𝑝𝑖K, J𝑞0K + 1)
– For 𝑖 = 1 to 𝑁 do in parallel: J𝑓𝑖KB = Πmult(P, J𝑧𝑖KB, J𝑧𝑖′KB)
– Reconstruct the 𝑓𝑖's and set 𝑘 = 𝑖 such that 𝑓𝑖 = 1 and 𝑓𝑖+1 = 0 for 𝑖 ∈ {1, . . . , 𝑁}. Else set 𝑘 = 0.
– For each 𝑖 = 1 to 𝑘 − 1 do in parallel:
  ◦ Reconstruct (J𝑛𝑎𝑚𝑒𝑠𝑖K, J𝑠𝑖K, J𝑝𝑖K)
– J𝑠𝑘′K = Πsel(J𝑏0K − J𝑤𝑘−1K, J𝑠𝑘K, J𝑧𝑘+1KB)
– Reconstruct (J𝑛𝑎𝑚𝑒𝑠𝑘K, J𝑠𝑘′K, J𝑝𝑘K), set J𝑠𝑘K = J𝑠𝑘K − J𝑠𝑘′K
– Delete the first 𝑘 − 1 elements from S.
Figure 5: CDA matching phase: processing sell list

5.2.2 Volume Matching. Unlike the CDA algorithm, where orders are processed in a continuous manner, volume-based matching processes all the requests at fixed intervals. The algorithm matches orders based only on the volume. Hence, the 𝑖th client only submits the number of units it wishes to buy 𝑏𝑖 or sell 𝑠𝑖, and the matching is done on a first-come-first-serve basis. Similar to CDA, the buy orders and sell orders are maintained in separate lists (queues), ordered by their arrival. Since the algorithm only accounts for volume, one is guaranteed that either all the sell orders or all the buy orders are satisfied. That is, the type of orders whose total volume is smaller will be satisfied completely. After processing the orders, the algorithm outputs the sequence of updated buy/sell orders such that the value now at 𝑏𝑖′ or 𝑠𝑖′ denotes the number of units traded out of the original 𝑏𝑖 or 𝑠𝑖 request. Although the algorithm is the same as in [16], we provide a parallel variant of it in Fig. 6 and highlight the changes made over the existing protocol. Unlike in [16], the algorithm can be improved to process each sell/buy order in parallel by some additional bookkeeping, as done in §5.2.1.
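The single-shot bookkeeping of Fig. 5 can be checked in the clear. The following Python is an added example, not the paper's code: it replaces every secret-shared value by a plain integer, models Πcomp(a, b) as the bit (a < b) and Πsel(x, y, c) as returning y when c = 1 (both readings are assumptions taken from how Fig. 5 and Fig. 6 use them), and compares the result with a straightforward sequential matcher over constructed orders.

```python
"""Cleartext model of the parallel CDA matching phase of Fig. 5 (protocol PSL).

Added example, not the paper's code.  Pi_comp, Pi_mult, Pi_sel and
reconstruction are replaced by plain integer arithmetic so that the
single-shot identification via cumulative sums w_i can be checked against
a sequential matcher.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from itertools import accumulate


@dataclass(frozen=True)
class SellOrder:
    name: str   # name_s: client identity
    units: int  # s: units offered for sale
    offer: int  # p: selling price


def comp(a: int, b: int) -> int:
    """Models Pi_comp(a, b): 1 if a < b, else 0 (reading assumed from Fig. 5/6)."""
    return int(a < b)


def sel(x: int, y: int, c: int) -> int:
    """Models Pi_sel(x, y, c): y when bit c is 1, else x (reading assumed;
    it is the one that makes T = min(S, B) in Fig. 6)."""
    return y if c else x


def match_parallel(b0: int, q0: int, sells: list[SellOrder]):
    """Match a buy order (b0 units, bid q0) against S, sorted by ascending offer.

    Returns (trades, remaining_buy_units, updated_S); trades are the
    (name_s, units, offer) triples that Fig. 5 reconstructs.
    """
    n = len(sells)
    w = [0] + list(accumulate(o.units for o in sells))  # w[i]: units of first i sells
    z = [comp(w[i - 1], b0) for i in range(1, n + 1)]    # volume: buy units left before i
    zp = [comp(o.offer, q0 + 1) for o in sells]           # price: p_i <= q0
    f = [zi & zpi for zi, zpi in zip(z, zp)]              # Pi_mult on bits is AND
    # Both criteria are monotone along S, so f is a prefix of ones; k is the index
    # with f_k = 1 and f_{k+1} = 0 (f_{N+1} read as 0), otherwise k = 0.
    k = next((i for i in range(1, n + 1) if f[i - 1] == 1 and (i == n or f[i] == 0)), 0)
    if k == 0:
        return [], b0, list(sells)
    trades = [(o.name, o.units, o.offer) for o in sells[: k - 1]]  # fully executed
    # Order k may be partial: z_{k+1} tells whether buy units remain after it.
    # Fig. 5 leaves z_{N+1} undefined for k = N; the same formula is used (assumption).
    z_next = comp(w[k], b0)
    ok = sells[k - 1]
    sk_prime = sel(b0 - w[k - 1], ok.units, z_next)
    trades.append((ok.name, sk_prime, ok.offer))
    remaining = b0 - w[k - 1] - sk_prime
    # As in the figure: order k keeps s_k - s'_k units, the first k-1 are deleted.
    updated = [SellOrder(ok.name, ok.units - sk_prime, ok.offer)] + list(sells[k:])
    return trades, remaining, updated


def match_sequential(b0: int, q0: int, sells: list[SellOrder]):
    """Reference matcher that walks S one order at a time."""
    trades, remaining, rest = [], b0, list(sells)
    while rest and remaining > 0 and rest[0].offer <= q0:
        o = rest.pop(0)
        t = min(remaining, o.units)
        trades.append((o.name, t, o.offer))
        remaining -= t
        if t < o.units:
            rest.insert(0, SellOrder(o.name, o.units - t, o.offer))
    return trades, remaining, rest


def live(sells: list[SellOrder]) -> list[SellOrder]:
    """Drop zero-unit entries: Fig. 5 can leave order k in S with 0 units."""
    return [o for o in sells if o.units > 0]


def check_equivalence(trials: int = 300, seed: int = 7) -> bool:
    """Randomised check that the single-shot matcher agrees with the sequential one."""
    rng = random.Random(seed)
    for _ in range(trials):
        n = rng.randint(0, 8)
        offers = sorted(rng.randint(1, 20) for _ in range(n))   # keep S's invariant
        sells = [SellOrder(f"s{i}", rng.randint(1, 10), p) for i, p in enumerate(offers)]
        b0, q0 = rng.randint(1, 40), rng.randint(1, 20)
        tp, rp, sp = match_parallel(b0, q0, sells)
        ts, rs, ss = match_sequential(b0, q0, sells)
        if (tp, rp, live(sp)) != (ts, rs, ss):
            return False
    return True


# Constructed sample sell list (ascending offer); the buy order is given at the call.
SELLS = [SellOrder("s1", 5, 10), SellOrder("s2", 7, 12),
         SellOrder("s3", 4, 12), SellOrder("s4", 9, 15)]

if __name__ == "__main__":
    print(match_parallel(10, 13, SELLS))   # s1 fully, s2 partially (5 of 7 units)
    print(check_equivalence())
```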
 
Protocol ΠVM(P, {J𝑠𝑖K}_{𝑖=1}^{𝑁}, {J𝑏𝑗K}_{𝑗=1}^{𝑀})
1. Compute J𝑆K = Σ_{𝑖=1}^{𝑁} J𝑠𝑖K and J𝐵K = Σ_{𝑗=1}^{𝑀} J𝑏𝑗K
2. Compute J𝑓KB = Πcomp(P, J𝐵K, J𝑆K)
3. Set J𝑇K = Πsel(J𝑆K, J𝐵K, J𝑓KB), J𝑠0K = 0 and J𝑏0K = 0
4. For 𝑖 from 1 to 𝑁 do in parallel: J𝐿^𝑠_𝑖K = J𝑇K − Σ_{𝑗=0}^{𝑖−1} J𝑠𝑗K
5. For 𝑖 from 1 to 𝑀 do in parallel: J𝐿^𝑏_𝑖K = J𝑇K − Σ_{𝑗=0}^{𝑖−1} J𝑏𝑗K
6. For 𝑖 from 1 to 𝑁 do in parallel:
  ◦ J𝑧1KB = Πcomp(P, J𝐿^𝑠_𝑖K, J1K) and J𝑧2KB = Πcomp(P, J𝐿^𝑠_𝑖K, J𝑠𝑖K)
  ◦ J𝑧1K = Πbit2A(P, J𝑧1KB) and J𝑧2K = Πbit2A(P, J𝑧2KB)
  ◦ J𝑠𝑖K = ((J𝐿^𝑠_𝑖K − J𝑠𝑖K) · J𝑧2K + J𝑠𝑖K) · (1 − J𝑧1K)
7. For 𝑗 from 1 to 𝑀 do in parallel:
  ◦ J𝑧1KB = Πcomp(P, J𝐿^𝑏_𝑗K, J1K) and J𝑧2KB = Πcomp(P, J𝐿^𝑏_𝑗K, J𝑏𝑗K)
  ◦ J𝑧1K = Πbit2A(P, J𝑧1KB) and J𝑧2K = Πbit2A(P, J𝑧2KB)
  ◦ J𝑏𝑗K = ((J𝐿^𝑏_𝑗K − J𝑏𝑗K) · J𝑧2K + J𝑏𝑗K) · (1 − J𝑧1K)
8. Reconstruct J𝑠𝑖K and J𝑏𝑗K for all 𝑖 and 𝑗
Figure 6: Volume matching

s | Ref | Preprocessing Time (ms) | Preprocessing Com (KB) | Online Time (ms) | Online Com (KB) | TP (orders/s)
1 | Ours | 3.41 | 333.19 | 17.13 | 190.09 | 58.37
1 | [16] | 2.42 | 158.41 | 16.58 | 79.24 | 60.30
2 | Ours | 3.25 | 333.19 | 15.98 | 192.90 | 62.57
2 | [16] | 2.56 | 161.32 | 24.50 | 84.68 | 40.81
4 | Ours | 3.28 | 333.19 | 15.38 | 198.53 | 65.00
4 | [16] | 2.55 | 167.13 | 37.22 | 96.11 | 26.87
5 | Ours | 3.37 | 333.19 | 15.40 | 201.34 | 64.95
5 | [16] | 2.48 | 170.04 | 42.73 | 102.08 | 23.40
10 | Ours | 3.26 | 333.19 | 15.46 | 215.40 | 64.67
10 | [16] | 2.59 | 184.57 | 75.20 | 134.58 | 13.30
40 | Ours | 3.33 | 333.19 | 17.16 | 299.78 | 58.26
40 | [16] | 3.06 | 271.77 | 281.21 | 421.39 | 3.56
50 | Ours | 3.18 | 333.19 | 15.77 | 327.90 | 63.40
50 | [16] | 3.13 | 301.12 | 350.70 | 551.95 | 2.85
Table 3: Comparison for CDA for varying s and N = M = 100.
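The per-order leftover computation of Fig. 6 (steps 4 to 7) in the clear, as an added example that is not part of the paper: Πcomp(a, b) is modelled as the bit (a < b) and Πsel(x, y, c) as returning y when c = 1 (readings assumed from how the figure uses them), the bit-to-arithmetic step becomes using the bits as integers, and the sample queues are constructed.

```python
"""Cleartext model of the parallel volume matching of Fig. 6 (protocol VM).

Added example, not the paper's code: secret-shared values are plain ints,
and each order's traded amount is derived from its leftover L_i^s / L_j^b
instead of a sequential walk over the two queues.
"""
from __future__ import annotations

from itertools import accumulate


def comp(a: int, b: int) -> int:
    """Models Pi_comp(a, b): 1 if a < b, else 0 (reading assumed from Fig. 6)."""
    return int(a < b)


def sel(x: int, y: int, c: int) -> int:
    """Models Pi_sel(x, y, c): y if bit c is 1, else x (reading assumed)."""
    return y if c else x


def traded_units(orders: list[int], T: int) -> list[int]:
    """Steps 4-7 of Fig. 6 for one queue: units each order trades out of T.

    L_i = T - (units of the earlier orders).  z1 = (L_i < 1) means nothing is
    left for order i, z2 = (L_i < x_i) means only a partial fill.  The
    arithmetic form ((L_i - x_i) * z2 + x_i) * (1 - z1) is evaluated exactly
    as in the figure, with the comparison bits used as integers (Pi_bit2A).
    """
    before = [0] + list(accumulate(orders))[:-1]   # sum_{j=0}^{i-1} x_j
    out = []
    for x, b in zip(orders, before):
        L = T - b
        z1, z2 = comp(L, 1), comp(L, x)
        out.append(((L - x) * z2 + x) * (1 - z1))
    return out


def volume_match(sells: list[int], buys: list[int]):
    """Returns (s', b'): units traded out of each sell / buy request."""
    S, B = sum(sells), sum(buys)                         # step 1
    f = comp(B, S)                                       # step 2: f = (B < S)
    T = sel(S, B, f)                                     # step 3: T = min(S, B)
    return traded_units(sells, T), traded_units(buys, T)  # steps 4-8


def conserves_volume(sells: list[int], buys: list[int]) -> bool:
    """Sanity property: both sides trade exactly min(S, B) and no order overfills."""
    s2, b2 = volume_match(sells, buys)
    within = all(0 <= y <= x for x, y in zip(sells + buys, s2 + b2))
    return within and sum(s2) == sum(b2) == min(sum(sells), sum(buys))


# Constructed sample queues, in arrival order.
SELLS = [5, 3, 8]      # S = 16
BUYS = [4, 4, 2, 2]    # B = 12: every buy is filled, the sell side trades 12 units

if __name__ == "__main__":
    print(volume_match(SELLS, BUYS))   # ([5, 3, 4], [4, 4, 2, 2])
```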
5.2.3 Experimental results. Since the complexity of dark pool algorithms depends on the size of the buy list (𝑁) and sell list (𝑀), following [16], we analyze these algorithms by varying 𝑁 and 𝑀 between 10 and 500. Moreover, since the complexity of the CDA algorithm additionally depends on the number of executed sell orders (𝑠), we set this to be 10% of the maximum of 𝑁 and 𝑀⁶. For CDA, these results are reported in Table 6 (§D). As expected and evident from Fig. 7a, the run time of the algorithms increases with increasing 𝑁 and 𝑀. However, this increase is more pronounced in the algorithm of [16] due to its sequential nature and heavy dependence on 𝑠. To capture this effect more clearly, we perform experiments with fixed 𝑁 = 𝑀 = 100 and vary 𝑠 between 1 and 50, and report these results in Table 3.

As explained earlier and as is evident from Table 3, observe that the run time of CDA depends linearly on 𝑠 for the algorithm of [16]. On the contrary, the parallelizations in our algorithm help in making the run time independent of 𝑠, and thereby bring up to 20× saving in run time. The poor run time of [16] in comparison to ours can also be attributed to the large number of reconstructions in the former's CDA algorithm, which necessitate performing verification each time a value is reconstructed (in our (1, 1)-FaF setting). The improvement of our algorithm is also reflected in throughput (TP), where our algorithm's TP remains almost constant, whereas the algorithm of [16] sees a steady fall. Here, TP is computed as 1/𝑡𝑜, where 𝑡𝑜 is the online run time of the protocol.

The results for volume matching appear in Table 4. As expected, the throughput (TP) of volume matching is better than that of CDA. Further, due to the parallelizations introduced by our work, our algorithm's run time increases very slowly compared to that of [16] with increasing 𝑁, 𝑀. This is visually represented in Fig. 7a, which compares the online run time of the volume matching and CDA algorithms. Since TP for volume matching is computed as (𝑁 + 𝑀)/𝑡𝑜, where 𝑡𝑜 denotes the online run time of the protocol, the slow increase in our run time helps in obtaining higher TP as 𝑁, 𝑀 increase. This is not the case for [16], whose TP remains almost constant. The gain in TP for us thus turns out to be up to 62× over the work of [16]. A visual comparison of TP for CDA and volume matching appears in Fig. 7b and Fig. 7c.

N | M | Ref | Preprocessing Time (ms) | Preprocessing Com (KB) | Online Time (ms) | Online Com (KB) | TP (×10^3 orders/s)
10 | 10 | Ours | 1.72 | 47.82 | 7.13 | 32.70 | 2.81
10 | 10 | [16] | 1.70 | 45.94 | 18.93 | 9.31 | 1.06
20 | 10 | Ours | 1.81 | 71.06 | 7.83 | 48.45 | 3.83
20 | 10 | [16] | 1.89 | 90.54 | 37.61 | 17.96 | 0.80
20 | 20 | Ours | 1.92 | 94.30 | 7.86 | 64.20 | 5.09
20 | 20 | [16] | 1.89 | 90.54 | 34.83 | 17.96 | 1.15
40 | 20 | Ours | 2.11 | 140.78 | 7.79 | 95.69 | 7.70
40 | 20 | [16] | 2.28 | 179.74 | 66.50 | 35.26 | 0.90
50 | 50 | Ours | 2.65 | 233.78 | 9.10 | 158.68 | 10.99
50 | 50 | [16] | 2.56 | 224.37 | 83.28 | 43.91 | 1.20
100 | 50 | Ours | 3.11 | 350.27 | 9.29 | 237.42 | 16.14
100 | 50 | [16] | 3.50 | 447.69 | 163.73 | 87.17 | 0.92
100 | 100 | Ours | 4.03 | 466.55 | 10.77 | 316.15 | 18.57
100 | 100 | [16] | 3.74 | 447.73 | 167.17 | 87.17 | 1.20
200 | 100 | Ours | 5.04 | 699.44 | 10.02 | 473.62 | 29.95
200 | 100 | [16] | 6.64 | 875.48 | 326.77 | 173.67 | 0.92
200 | 200 | Ours | 7.89 | 932.34 | 10.18 | 631.09 | 39.31
200 | 200 | [16] | 7.19 | 894.37 | 323.33 | 173.67 | 1.24
400 | 200 | Ours | 10.73 | 1397.75 | 12.20 | 946.03 | 49.18
400 | 200 | [16] | 12.30 | 1787.73 | 640.70 | 346.66 | 0.94
500 | 500 | Ours | 26.98 | 2329.07 | 12.99 | 1575.92 | 76.98
500 | 500 | [16] | 23.34 | 2234.94 | 803.91 | 433.17 | 1.24
Table 4: Comparison for volume matching for varying N, M.

⁶ Dark pools are not obligated to report detailed information regarding volumes and types of transactions. Hence, we can only speculate about parameters such as 𝑠, 𝑁, 𝑀. Further, accounting for the recent trend of smaller traders entering dark pools, we consider the possibility of a large volume order matched against several small volume orders and set 𝑠 to be 10%. This is in contrast to the unrealistic case of 𝑠 ∈ {0, 1, 2, 3} as in [16].

5.3 Privacy-preserving ML (PPML)

To showcase that our FaF-secure protocols have wide applicability, we also benchmark the performance of popular neural networks

in our setting. We consider a variety of network architectures, the accuracy of which follows from [43, 45, 63]. We begin with a fully connected 3-layer network (NN-1) that has around 118K model parameters. We also consider a convolutional neural network (NN-2) comprising 2 hidden layers, with 100 and 10 nodes, respectively. Lastly, we consider the two popular deep neural networks LeNet [40] and VGG16 [60]. LeNet comprises 2 convolutional and fully connected layers, followed by maxpool for the convolutional layers, with approximately 431K parameters. On the other hand, VGG16 has 16 layers and contains fully-connected, convolutional, ReLU activation and max pool layers with around 138 million parameters. We rely on the standard MNIST [41] dataset to perform secure inference using NN-1 and LeNet, and on the CIFAR-10 [38] dataset for the NN-2 and VGG16 networks. The benchmarks for the different NNs appear in Table 5. As expected, the run time and communication of our protocols increase as the depth of the NNs increases from NN-1 to VGG16.

NN type | Preprocessing Time (s) | Preprocessing Com (MB) | Online Time (s) | Online Com (MB) | TP (queries/s)
NN-1 | 0.011 | 0.417 | 0.008 | 0.071 | 1010.86
NN-2 | 0.037 | 1.708 | 0.010 | 0.290 | 814.99
LeNet | 0.560 | 35.898 | 0.053 | 6.298 | 152.21
VGG16 | 9.676 | 549.664 | 0.473 | 94.951 | 16.89
Table 5: NN inference.

[Figure 7: Online time (a) and TP (orders/sec) comparison (b, c) of our algorithm with [16]. Panels: (a) CDA and Volume matching, online time (log2 scale) against N = M with 𝑠 = 1/10 N for N ∈ {10, 50, 100, 200, 500}; (b) CDA algorithm, TP (log2 scale); (c) Volume matching algorithm, TP; each panel plots Ours against [16].]

6 CONCLUSION

We designed the first concretely efficient FaF-secure MPC protocol in the (1,1) 5-party setting. Further, we designed several building blocks and optimized them for the setting under consideration. Thus, we provide a comprehensive framework that allows designing secure variants of various applications where traditional security fails. We consider the specific case of dark pools and showcase that traditional MPC is a misfit for it. In the process of designing FaF-secure protocols for dark pools, we also improve the underlying algorithms and showcase this in the benchmarks. Given the popularity of PPML, we also benchmark deep neural networks.

ACKNOWLEDGEMENTS

Arpita Patra, Varsha Bhat Kukkala and Bhavish Raj Gopal would like to acknowledge financial support from National Security Council, India. Nishat Koti would like to acknowledge support from Centre for Networked Intelligence (a Cisco CSR initiative) at the Indian Institute of Science, Bengaluru. The authors would also like to acknowledge the support from Google Cloud for benchmarking.

REFERENCES

[1] Bar Alon, Eran Omri, and Anat Paskin-Cherniavsky. 2020. MPC with Friends and Foes. In CRYPTO.
[2] Toshinori Araki, Assi Barak, Jun Furukawa, Tamar Lichter, Yehuda Lindell, Ariel Nof, Kazuma Ohara, Adi Watzman, and Or Weinstein. 2017. Optimized Honest-Majority MPC for Malicious Adversaries - Breaking the 1 Billion-Gate Per Second Barrier. In IEEE S&P.
[3] Toshinori Araki, Jun Furukawa, Yehuda Lindell, Ariel Nof, and Kazuma Ohara. 2016. High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority. In ACM CCS.
[4] Venkat Arun, Aniket Kate, Deepak Garg, Peter Druschel, and Bobby Bhattacharjee. 2020. Finding Safety in Numbers with Secure Allegation Escrows. In NDSS.
[5] Gilad Asharov, Tucker Hybinette Balch, Antigoni Polychroniadou, and Manuela Veloso. 2020. Privacy-Preserving Dark Pools. In AAMAS.
[6] Saikrishna Badrinarayanan, Aayush Jain, Nathan Manohar, and Amit Sahai. 2020. Secure MPC: Laziness Leads to GOD. In ASIACRYPT.
[7] Azer Bestavros, Andrei Lapets, and Mayank Varia. 2017. User-centric distributed solutions for privacy-preserving analytics. Communications of ACM (2017).
[8] Dan Bogdanov, Marko Jõemets, Sander Siim, and Meril Vaht. 2015. How the Estonian Tax and Customs Board Evaluated a Tax Fraud Detection System Based on Secure Multi-party Computation. In FC.
[9] Peter Bogetoft, Dan Lund Christensen, Ivan Damgård, Martin Geisler, Thomas Jakobsen, Mikkel Krøigaard, Janus Dam Nielsen, Jesper Buus Nielsen, Kurt Nielsen, Jakob Pagter, et al. 2009. Secure multiparty computation goes live. In FC.
[10] Dan Boneh, Elette Boyle, Henry Corrigan-Gibbs, Niv Gilboa, and Yuval Ishai. 2019. Zero-Knowledge Proofs on Secret-Shared Data via Fully Linear PCPs. In CRYPTO.
[11] Elette Boyle, Niv Gilboa, Yuval Ishai, and Ariel Nof. 2019. Practical Fully Secure Three-Party Computation via Sublinear Distributed Zero-Knowledge Proofs. In ACM CCS.
[12] Elette Boyle, Niv Gilboa, Yuval Ishai, and Ariel Nof. 2020. Efficient Fully Secure Computation via Distributed Zero-Knowledge Proofs. In ASIACRYPT.
[13] Megha Byali, Harsh Chaudhari, Arpita Patra, and Ajith Suresh. 2020. FLASH: Fast and Robust Framework for Privacy-preserving Machine Learning. PETS (2020).
[14] Megha Byali, Carmit Hazay, Arpita Patra, and Swati Singla. 2019. Fast actively secure five-party computation with security beyond abort. In ACM CCS.
[15] Megha Byali, Arun Joseph, Arpita Patra, and Divya Ravi. 2018. Fast Secure Computation for Small Population over the Internet. In ACM CCS.
[16] John Cartlidge, Nigel P Smart, and Younes Talibi Alaoui. 2019. MPC joins the dark side. In ACM ASIACCS.
[17] John Cartlidge, Nigel P Smart, and Younes Talibi Alaoui. 2021. Multi-party computation mechanism for anonymous equity block trading: A secure implementation of turquoise plato uncross. Intell. Syst. Account. Finance Manag. (2021).
[18] Harsh Chaudhari, Ashish Choudhury, Arpita Patra, and Ajith Suresh. 2019. ASTRA: High Throughput 3PC over Rings with Application to Secure Prediction. In ACM CCSW@CCS.
[19] Harsh Chaudhari, Rahul Rachuri, and Ajith Suresh. 2020. Trident: Efficient 4PC Framework for Privacy Preserving Machine Learning. NDSS (2020).
[20] David Chaum. 1989. The Spymasters Double-Agent Problem: Multiparty Computations Secure Unconditionally from Minorities and Cryptographically from Majorities. In CRYPTO.
[21] Richard Cleve. 1986. Limits on the Security of Coin Flips when Half the Processors Are Faulty (Extended Abstract). In ACM STOC.
[22] Cryptography and Privacy Engineering Group at TU Darmstadt. [n. d.]. ENCRYPTO Utils. https://github.com/encryptogroup/ENCRYPTO_utils.

[23] Mariana Botelho da Gama, John Cartlidge, Antigoni Polychroniadou, Nigel P Smart, and Younes Talibi Alaoui. 2021. Kicking-the-Bucket: Fast Privacy-Preserving Trading Using Buckets. IACR Cryptol. ePrint Arch. (2021).
[24] Anders Dalskov, Daniel Escudero, and Marcel Keller. 2020. Fantastic Four: Honest-Majority Four-Party Secure Computation With Malicious Security. In USENIX Security.
[25] Ivan Damgård and Jesper Buus Nielsen. 2007. Scalable and unconditionally secure multiparty computation. In CRYPTO.
[26] Danny Dolev, Cynthia Dwork, Orli Waarts, and Moti Yung. 1993. Perfectly Secure Message Transmission. J. ACM (1993).
[27] Xiao Dong, David A Randolph, Chenkai Weng, Abel N Kho, Jennie M Rogers, and Xiao Wang. 2021. Developing High Performance Secure Multi-Party Computation Protocols in Healthcare: A Case Study of Patient Risk Stratification. In AMIA.
[28] Matthias Fitzi, Martin Hirt, and Ueli M. Maurer. 1998. Trading Correctness for Privacy in Unconditional Multi-Party Computation (Extended Abstract). In CRYPTO.
[29] Jun Furukawa, Yehuda Lindell, Ariel Nof, and Or Weinstein. 2017. High-Throughput Secure Three-Party Computation for Malicious Adversaries and an Honest Majority. In EUROCRYPT.
[30] Hossein Ghodosi and Josef Pieprzyk. 2009. Multi-Party Computation with Omnipresent Adversary. In PKC.
[31] Oded Goldreich. 2007. Foundations of cryptography: volume 1, basic tools. Cambridge University Press.
[32] S. Dov Gordon, Samuel Ranellucci, and Xiao Wang. 2018. Secure Computation with Low Communication from Cross-Checking. In ASIACRYPT.
[33] Martin Hirt, Ueli M. Maurer, and Vassilis Zikas. 2008. MPC vs. SFE: Unconditional and Computational Security. In ASIACRYPT.
[34] Martin Hirt and Marta Mularczyk. 2020. Efficient MPC with a Mixed Adversary. In ITC.
[35] T Ryan Hoens, Marina Blanton, and Nitesh V Chawla. 2010. A private and reliable recommendation system for social networks. IEEE.
[36] Nishat Koti, Mahak Pancholi, Arpita Patra, and Ajith Suresh. 2021. SWIFT: Super-fast and Robust Privacy-Preserving Machine Learning. IACR Cryptol. ePrint Arch. (2021).
[37] Nishat Koti, Arpita Patra, Rahul Rachuri, and Ajith Suresh. 2022. Tetrad: Actively Secure 4PC for Secure Training and Inference. IACR Cryptol. ePrint Arch.
[38] Alex Krizhevsky, Vinod Nair, and Geoffrey Hinton. 2014. The CIFAR-10 dataset. (2014). https://www.cs.toronto.edu/~kriz/cifar.html.
[39] Benjamin Kuykendall, Hugo Krawczyk, and Tal Rabin. 2019. Cryptography for #metoo. PETS (2019).
[40] Yann LeCun, Léon Bottou, Yoshua Bengio, and Patrick Haffner. 1998. Gradient-based learning applied to document recognition. Proc. IEEE (1998).
[41] Yann LeCun and Corinna Cortes. 2010. MNIST handwritten digit database. (2010). http://yann.lecun.com/exdb/mnist/.
[42] Yehuda Lindell. 2017. How to simulate it: a tutorial on the simulation proof technique. In Tutorials on the Foundations of Cryptography.
[43] Payman Mohassel and Peter Rindal. 2018. ABY3: A Mixed Protocol Framework for Machine Learning. In ACM CCS.
[44] Payman Mohassel, Mike Rosulek, and Ye Zhang. 2015. Fast and Secure Three-party Computation: The Garbled Circuit Approach. In ACM CCS.
[45] Payman Mohassel and Yupeng Zhang. 2017. SecureML: A System for Scalable Privacy-Preserving Machine Learning. In IEEE S&P.
[46] Peter Sebastian Nordholt and Meilof Veeningen. 2018. Minimising Communication in Honest-Majority MPC by Batchwise Multiplication Verification. In ACNS.
[47] United States of America before the Securities and Exchange Commission. 2005. SEC institutes enforcement action against 20 former New York Stock Exchange specialists alleging pervasive course of fraudulent trading. Press Release. https://www.sec.gov/news/press/2005-54.htm.
[48] United States of America before the Securities and Exchange Commission. 2011. In the Matter of Pipeline Trading Systems LLC, et al., Securities Exchange Act of 1934 Release No. 65609. https://www.sec.gov/litigation/admin/2011/33-9271.pdf.
[49] United States of America before the Securities and Exchange Commission. 2012. In the Matter of eBX, LLC Securities Exchange Act of 1934 Release No. 67979. https://www.sec.gov/litigation/admin/2012/34-67969.pdf.
[50] United States of America before the Securities and Exchange Commission. 2014. In the Matter of LavaFlow, Inc. Securities Exchange Act of 1934 Release No. 72673. https://www.sec.gov/litigation/admin/2014/34-72673.pdf.
[51] United States of America before the Securities and Exchange Commission. 2014. In the Matter of Liquidnet, Inc., Securities Exchange Act of 1934 Release No. 72339. https://www.sec.gov/litigation/admin/2014/33-9596.pdf.
[52] United States of America before the Securities and Exchange Commission. 2016. In the Matter of Credit Suisse Securities (USA) LLC, Securities Exchange Act of 1934 Release No. 77002. https://www.sec.gov/litigation/admin/2016/33-10013.pdf.
[53] … Act of 1934 Release No. 84548. https://www.sec.gov/litigation/admin/2018/33-10572.pdf.
[54] Satsuya Ohata and Koji Nuida. 2020. Communication-Efficient (Client-Aided) Secure Two-Party Protocols and Its Application.
[55] Arpita Patra, Thomas Schneider, Ajith Suresh, and Hossein Yalame. 2021. ABY2.0: Improved Mixed-Protocol Secure Two-Party Computation. In USENIX Security, Michael Bailey and Rachel Greenstadt (Eds.).
[56] Arpita Patra and Ajith Suresh. 2020. BLAZE: Blazing Fast Privacy-Preserving Machine Learning. NDSS (2020).
[57] Phillip Rogaway and Thomas Shrimpton. 2004. Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In FSE. Springer.
[58] Alex Sangers, Maran van Heesch, Thomas Attema, Thijs Veugen, Mark Wiggerman, Jan Veldsink, Oscar Bloemen, and Daniël Worm. 2019. Secure multiparty PageRank algorithm for collaborative fraud detection. In FC. Springer.
[59] Erez Shmueli and Tamir Tassa. 2017. Secure multi-party protocols for item-based collaborative filtering. In ACM RecSys.
[60] Karen Simonyan and Andrew Zisserman. 2015. Very deep convolutional networks for large-scale image recognition. ICLR (2015).
[61] Stanford. [n. d.]. CS231n: Convolutional Neural Networks for Visual Recognition. https://cs231n.github.io/convolutional-networks/
[62] Christina-Angeliki Toli, Abdelrahaman Aly, and Bart Preneel. 2016. A privacy-preserving model for biometric fusion. In CANS.
[63] Sameer Wagh, Shruti Tople, Fabrice Benhamouda, Eyal Kushilevitz, Prateek Mittal, and Tal Rabin. 2021. FALCON: Honest-Majority Maliciously Secure Framework for Private Deep Learning. PoPETs (2021).

A PRELIMINARIES

Security model. We prove the security of our protocols following the standard ideal-world/real-world simulation paradigm [31, 42]. In this security notion, an ideal functionality F is considered, to which the corrupted and uncorrupted parties send their inputs over a perfectly secure channel. F executes the computation and sends the output to all. Informally, a protocol is said to be secure if whatever the adversary can do in the real world can also be done in the ideal world. In the traditional definition, this is captured by designing an ideal-world adversary (simulator) which can simulate the view of the real-world adversary corrupting a subset of the parties in P. However, in the FaF-security model [1], the additional requirement of simulating the view of any subset of uncorrupted (or semi-honest) parties necessitates the use of two simulators. Thus, to prove the security, two simulators are constructed in the ideal world, one for the malicious adversary and one for the semi-honest adversary. Further, the malicious adversary is allowed to send its entire view to the semi-honest adversary in the ideal world (to capture the behaviour where the malicious adversary may send non-protocol messages to uncorrupted parties in the real world).

Let A denote the probabilistic polynomial time (PPT) real-world malicious adversary corrupting 𝑡 parties in I ⊂ P, and S_A denote the corresponding ideal-world simulator. Similarly, let A_H denote the PPT real-world semi-honest adversary corrupting ℎ★ parties in H ⊂ P \ I, and S_{A,H} be the ideal-world simulator. Let F be the ideal-world functionality. Let view^real_{A,Π} be A's view and out^real_{A,Π} denote the output of the uncorrupted parties (in P \ I) during a random execution of a protocol Π. Correspondingly, let view^real_{A,A_H,Π} be A_H's view during an execution of protocol Π running alongside A. Note that view^real_{A,A_H,Π} consists of the non-protocol messages sent by A to A_H. Similarly, let view^ideal_{A,F} be the malicious adversary's simulated view and out^ideal_{A,F}
denote
[53] United States of America before the Securities and Exchange Commission. 2018. the output of the uncorrupted parties during a random execution
In the Matter of ITG Inc. and Alternet Securities, Inc., Securities Exchange
of ideal-world functionality F . Further, let viewideal
A,A ,F
be the
H
14
PentaGOD: Stepping beyond Traditional GOD with Five Parties

semi-honest adversary's simulated view during an execution of F running alongside A.

A protocol Π is said to compute F with computational (t, h★)-FaF security if

$(\mathsf{view}^{\mathrm{ideal}}_{\mathcal{A},\mathcal{F}},\ \mathsf{out}^{\mathrm{ideal}}_{\mathcal{A},\mathcal{F}}) \equiv (\mathsf{view}^{\mathrm{real}}_{\mathcal{A},\Pi},\ \mathsf{out}^{\mathrm{real}}_{\mathcal{A},\Pi})$

$(\mathsf{view}^{\mathrm{ideal}}_{\mathcal{A},\mathcal{A}_H,\mathcal{F}},\ \mathsf{out}^{\mathrm{ideal}}_{\mathcal{A},\mathcal{F}}) \equiv (\mathsf{view}^{\mathrm{real}}_{\mathcal{A},\mathcal{A}_H,\Pi},\ \mathsf{out}^{\mathrm{real}}_{\mathcal{A},\Pi})$

Shared key setup. Following several recent works [2, 3, 13, 19, 36, 43, 56], to enable non-interactive communication between the parties, a one-time setup is performed that establishes common random keys for a pseudo-random function (PRF) F. Here F : {0, 1}^κ × {0, 1}^κ → X is a secure PRF, with co-domain X being Z_{2^ℓ}. The key setup is modeled via a functionality F_setup (Fig. 8) that can be realized using any FaF-secure MPC protocol. The goal is to establish a common key between every set of 2, 3, 4, and all parties. To sample a random value r ∈ Z_{2^ℓ} among a set of 3 parties P_i, P_j, P_k non-interactively, each of these parties invokes F_{k_{ijk}}(id_{ijk}) and obtains r. Here, id_{ijk} denotes a counter maintained by these three parties, and is updated after every PRF invocation. The appropriate keys used to sample the common randomness are implicit from the context and from the identities of the parties that sample.

Functionality F_setup
F_setup interacts with the parties in P and the adversaries S_A, S_{A,H}.
F_setup picks the following keys.
• A common random key k_P for all the parties.
• A common key k_{ij} between every pair of parties P_i, P_j where 1 ≤ i < j ≤ 5.
• A common key k_{ijk} between every set of 3 parties P_i, P_j, P_k where 1 ≤ i < j < k ≤ 5.
• A common key k_{ijkl} between every set of 4 parties P_i, P_j, P_k, P_l where 1 ≤ i < j < k < l ≤ 5.
Output: Keys {k_P, k_{si}, k_{js}, k_{sjk}, k_{isk}, k_{ijs}, k_{sjkl}, k_{iskl}, k_{ijsl}, k_{ijks}}, generated as above, are output to every P_s ∈ P.
Figure 8: Ideal functionality for shared-key setup

Collision-resistant hash. A family of hash functions [57] {H : K × M → Y} is called collision resistant if for all probabilistic polynomial time adversaries A, given the hash function H_k for k ∈_R K, the following holds: Pr[(x, x′) ← A(k) : (x ≠ x′) ∧ H_k(x) = H_k(x′)] = negl(κ), where x, x′ ∈ {0, 1}^m, m = poly(κ), and κ is the security parameter.

Outsourced setting. In this setting, the required computation (e.g., matching for dark pools) is outsourced to external servers. Since these servers are external to the system, it is required that all the information regarding the system (dark pools) must be hidden from the servers. Hence, it is also essential to consider how the data owner or client would share his private data among the external servers. Thus, we elaborate on the agreement protocol executed among the computing parties (servers) to agree on the value sent by the client U. At a high level, the protocol proceeds as follows. Let β_v^i denote the value received by P_i from U. To agree on β_v received from U, the parties first arrive at an agreement regarding each β_v^i received by P_i. This is followed by selecting the majority value among β_v^1, β_v^2, β_v^3, β_v^4, β_v^5. For parties to agree on β_v^i, P_i first sends β_v^i to all other parties. This is followed by P_j ∈ P \ P_i exchanging β_v^i among themselves. Thus, each P_j ∈ P \ P_i receives four versions of β_v^i and sets the majority value among the four values received as β_v^i. Since there can be at most one malicious corruption among the parties, the majority rule ensures that all honest parties are on the same page. Once each of the values is agreed on, every party takes the majority among β_v^1, β_v^2, β_v^3, β_v^4, β_v^5 as the value sent by U. If no value appears in majority, the malicious intent of the client is captured and hence the input is discarded.

B 5PC (1, 1)-FAF SECURE PROTOCOLS

B.1 Joint message passing (jmp)
The modified protocol for jmp appears in Fig. 9. The protocol is described with respect to a single message v for a fixed ordered pair of senders and a given receiver. However, we note that the verify phase across several messages for the same ordered pair of senders and receiver can be bundled together. This would involve party P_j (silent party) sending a single hash corresponding to all the messages under consideration and performing the verification accordingly.

Protocol Π_jmp(P_i, P_j, P_k, v)
Each party P_s for s ∈ {i, j, k} initializes bit b_s = 0. Let CP denote the conflict pair, which is the pair of parties in conflict, one of which is guaranteed to be corrupt. Let P_i, P_j denote the senders who wish to send v to receiver P_k. Let H denote a collision-resistant hash function.
Send Phase: P_i sends v to P_k.
Verify Phase: P_j sends H(v) to P_k.
– P_k broadcasts "(accuse, P_i)" if P_i is silent, and all take CP = (P_i, P_k) as the conflict pair. Analogously for P_j. If P_k accuses both P_i, P_j, then CP = (P_i, P_k). Otherwise, P_k receives some ṽ and either sets b_k = 0 when the value and the hash are consistent or sets b_k = 1. P_k then sends b_k to P_i, P_j and terminates if b_k = 0.
– If P_i does not receive a bit from P_k, it broadcasts "(accuse, P_k)" and CP = (P_i, P_k). Analogously for P_j. If both P_i, P_j accuse P_k, then CP = (P_i, P_k). Otherwise, P_s for s ∈ {i, j} sets b_s = b_k.
– P_i, P_j exchange their bits with each other. If P_i does not receive b_j from P_j, it broadcasts "(accuse, P_j)" and CP = (P_i, P_j). Analogously for P_j. Otherwise, P_i resets its bit to b_i ∨ b_j and likewise P_j resets its bit to b_j ∨ b_i.
– P_s for s ∈ {i, j, k} broadcasts H_s = H(v*) if b_s = 1, where v* = v for s ∈ {i, j} and v* = ṽ otherwise. If P_k does not broadcast, terminate. If either P_i or P_j does not broadcast, then CP = (P_i, P_j). Otherwise,
  • If H_i ≠ H_j: CP = (P_i, P_j).
  • Else if H_i ≠ H_k: CP = (P_i, P_k).
  • Else if H_i = H_j = H_k: CP = (P_j, P_k).
Figure 9: Joint Message Passing Protocol

B.2 Input sharing
The protocol for Π_sh appears in Fig. 10.
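As an added example (not code from the PentaGOD paper), the conflict-pair logic of Π_jmp in Fig. 9 simulated in one process: the senders are "i" and "j", the receiver is "k", and the deviations a corrupt party may show are modelled by constructed Behaviour flags. The run shows that whichever single party misbehaves, the resulting CP names it, while an all-honest run delivers v.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

# Single-process simulation of Pi_jmp(P_i, P_j, P_k, v) from Fig. 9.
# Added example, not the PentaGOD implementation. Parties are named by the
# strings "i", "j" (senders) and "k" (receiver); at most one is corrupt, and
# the Behaviour flags below are constructed for this example.


def H(x: int) -> str:
    """Collision-resistant hash used in the verify phase (SHA-256 here)."""
    return hashlib.sha256(x.to_bytes(8, "little")).hexdigest()


@dataclass
class Behaviour:
    """Deviations of the corrupt party; all False/None means it behaves honestly."""
    silent_send: bool = False          # P_i sends nothing in the send phase
    wrong_value: bool = False          # P_i sends v + 1 instead of v
    silent_hash: bool = False          # P_j sends no hash
    wrong_hash: bool = False           # P_j sends H(v + 1)
    bits_to_senders: Optional[Dict[str, Optional[int]]] = None  # P_k: bit per sender, None = silent
    silent_bit_exchange: bool = False  # a corrupt sender withholds its bit from the other sender
    silent_broadcast: bool = False     # the corrupt party does not broadcast its hash
    wrong_broadcast: bool = False      # the corrupt party broadcasts the hash of a different value


Result = Tuple[str, Union[int, Tuple[str, str]]]


def run_jmp(v: int, corrupt: Optional[str] = None, beh: Optional[Behaviour] = None) -> Result:
    """Returns ("ok", value held by P_k) or ("conflict", CP), following Fig. 9 step by step."""
    beh = beh or Behaviour()

    def bad(who: str) -> bool:
        return corrupt == who

    # Send phase: P_i -> P_k sends v. Verify phase: P_j -> P_k sends H(v).
    v_tilde = None if bad("i") and beh.silent_send else (v + 1 if bad("i") and beh.wrong_value else v)
    h = None if bad("j") and beh.silent_hash else (H(v + 1) if bad("j") and beh.wrong_hash else H(v))
    # P_k accuses a silent sender; accusing both also gives (P_i, P_k).
    if v_tilde is None:
        return ("conflict", ("i", "k"))
    if h is None:
        return ("conflict", ("j", "k"))
    b_k = 0 if H(v_tilde) == h else 1
    # P_k reports b_k to both senders; a corrupt P_k may lie or stay silent.
    bits: Dict[str, Optional[int]] = {"i": b_k, "j": b_k}
    if bad("k") and beh.bits_to_senders:
        bits.update(beh.bits_to_senders)
    if bits["i"] is None:            # P_i accuses P_k (also covers both senders accusing)
        return ("conflict", ("i", "k"))
    if bits["j"] is None:            # only P_j accuses P_k
        return ("conflict", ("j", "k"))
    # Senders exchange bits; a withheld bit puts the two senders in conflict.
    if (bad("i") or bad("j")) and beh.silent_bit_exchange:
        return ("conflict", ("i", "j"))
    b = bits["i"] | bits["j"]        # both senders now hold b_i OR b_j
    if b == 0:
        return ("ok", v_tilde)       # honest P_k already terminated with b_k = 0

    # Everyone holding bit 1 broadcasts the hash of the value it holds.
    def broadcast(who: str, val: int) -> Optional[str]:
        if bad(who) and beh.silent_broadcast:
            return None
        return H(val + 1) if bad(who) and beh.wrong_broadcast else H(val)

    H_i, H_j, H_k = broadcast("i", v), broadcast("j", v), broadcast("k", v_tilde)
    if H_k is None:
        return ("ok", v_tilde)       # "If P_k does not broadcast, terminate."
    if H_i is None or H_j is None or H_i != H_j:
        return ("conflict", ("i", "j"))
    if H_i != H_k:
        return ("conflict", ("i", "k"))
    return ("conflict", ("j", "k"))  # H_i = H_j = H_k


def conflict_pairs_name_corrupt(v: int = 42) -> bool:
    """Runs constructed deviations for each role; True iff every CP contains the corrupt party."""
    cases = [
        ("i", Behaviour(silent_send=True)),
        ("i", Behaviour(wrong_value=True)),
        ("i", Behaviour(wrong_value=True, wrong_broadcast=True)),
        ("i", Behaviour(wrong_value=True, silent_broadcast=True)),
        ("j", Behaviour(silent_hash=True)),
        ("j", Behaviour(wrong_hash=True)),
        ("j", Behaviour(wrong_hash=True, silent_bit_exchange=True)),
        ("k", Behaviour(bits_to_senders={"i": None})),
        ("k", Behaviour(bits_to_senders={"j": None})),
        ("k", Behaviour(bits_to_senders={"i": 1, "j": 0})),
        ("k", Behaviour(bits_to_senders={"i": 1, "j": 1}, wrong_broadcast=True)),
    ]
    for who, beh in cases:
        kind, res = run_jmp(v, who, beh)
        if kind == "conflict" and who not in res:
            return False
    return True
```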
Nishat Koti, Varsha Bhat Kukkala, Arpita Patra, Bhavish Raj Gopal

Protocol Π_sh(P_i, v)
Preprocessing:
– Parties non-interactively generate [·]-shares of a random α_v ∈ Z_{2^ℓ} such that P_i learns all shares of α_v, using the shared keys.
Online:
– P_i computes and sends β_v = v + α_v to one other party, say P_j.
– P_i, P_j then jmp-sv β_v to all other parties.
Figure 10: Generating ⟦v⟧ by party P_i

The protocol for generating [·]-shares appears in Fig. 11.

Protocol Π_RSS-Sh(P_i, v)
Let v_{lm} be a share of v held by P_i, P_j, P_k ∈ P.
– Parties in P \ {P_p, P_q} for 1 ≤ p < q ≤ 5 and p ≠ l, q ≠ m non-interactively generate v_{pq} ∈ Z_{2^ℓ} together with P_i, using the shared-key setup.
– P_i computes and sends v_{lm} = v − Σ_{1≤p<q≤5, p≠l, q≠m} v_{pq} to P_j, following which P_i, P_j jmp-sv v_{lm} to P_k.
Figure 11: Generating [v] by party P_i

B.3 Joint sharing
Here we discuss the various optimizations possible in the joint sharing protocol. When the value to be shared is available with P_i, P_j in the preprocessing phase, the protocol can be optimized as follows. All parties set β_v = 0. P_i, P_j, P_k non-interactively sample a random r_{lm} ∈ Z_{2^ℓ} and set the common [·]-share of α_v they possess as α_v^{lm} = r_{lm}. Similarly, P_i, P_j, P_l non-interactively sample a random r_{km} ∈ Z_{2^ℓ} and set the common [·]-share of α_v they possess as α_v^{km} = r_{km}. P_i, P_j set the common share of α_v held together with P_m as α_v^{kl} = −(v + r_{lm} + r_{km}) and jmp-sv α_v^{kl} to P_m. The other [·]-shares of α_v are set as 0.

When the value to be shared is held by three parties, say P_i, P_j, P_k, the protocol proceeds similarly to Π_JSh2, with the following difference: in the preprocessing phase, α_v will also be learned by P_k, and in the online phase, only two jmp-sv are required. We call the resultant protocol Π_JSh3, and omit the formal protocol due to its close resemblance to Π_JSh2. Moreover, when the value is available with these three parties in the preprocessing phase, the protocol can be made completely non-interactive. For this, similar to the previous case, β_v is set as 0, the common [·]-share of α_v held by P_i, P_j, P_k is set as −v, and all other shares are set as 0.

Finally, when all parties hold a value v ∈ Z_{2^ℓ}, they can generate ⟦v⟧ by setting β_v = v and all [·]-shares of α_v as 0.

Protocol Π_JSh2(P_i, P_j, v)
Preprocessing:
– Parties non-interactively generate [·]-shares of a random α_v ∈ Z_{2^ℓ} such that P_i, P_j learn all shares of α_v, using the shared keys.
Online:
– P_i, P_j compute and jmp-sv β_v = v + α_v to all other parties.
Figure 12: Joint sharing of v by P_i, P_j

B.4 Reconstruction
The protocol for reconstruction appears in Fig. 13.

Protocol Π_rec(P_i, v)
Let the missing shares at P_i be v_{ij}, v_{ik}, v_{il}, v_{im}.
– Let P_k, P_l, P_m possess v_{ij}. P_k, P_l send v_{ij} to P_i while P_m sends its hash to P_i. Analogous steps are carried out for the other three shares.
– P_i uses the value which appears in majority for each received missing share, together with its own shares, for reconstructing v as v = Σ_{1≤p<q≤5} v_{pq}.
Figure 13: Reconstruction of v towards P_i

C BUILDING BLOCKS

Bit to arithmetic. The protocol appears in Fig. 14.

Protocol Π_bit2A(P, ⟦b⟧^B)
Preprocessing:
– P_1, P_2 jointly share ν_1 = α_b^{34} ⊕ α_b^{35} ⊕ α_b^{45}, P_1, P_3 jointly share ν_2 = α_b^{24} ⊕ α_b^{25}, P_2, P_3 jointly share ν_3 = α_b^{14} ⊕ α_b^{15} and P_4, P_5 jointly share ν_4 = α_b^{12} ⊕ α_b^{13} ⊕ α_b^{23} to generate ⟦ν_1^R⟧, ⟦ν_2^R⟧, ⟦ν_3^R⟧, ⟦ν_4^R⟧, respectively.
– Parties execute Π_mult on (⟦ν_1^R⟧, ⟦ν_2^R⟧) and (⟦ν_3^R⟧, ⟦ν_4^R⟧) to generate ⟦ν_1^R · ν_2^R⟧ and ⟦ν_3^R · ν_4^R⟧, respectively.
– Parties non-interactively compute ⟦p^R⟧ = ⟦(ν_1 ⊕ ν_2)^R⟧ = ⟦ν_1^R⟧ + ⟦ν_2^R⟧ − 2 · ⟦ν_1^R · ν_2^R⟧ and ⟦q^R⟧ = ⟦(ν_3 ⊕ ν_4)^R⟧ = ⟦ν_3^R⟧ + ⟦ν_4^R⟧ − 2 · ⟦ν_3^R · ν_4^R⟧.
– Parties execute Π_mult on ⟦p^R⟧, ⟦q^R⟧ to generate ⟦p^R · q^R⟧, and compute ⟦α_b^R⟧ = ⟦(p ⊕ q)^R⟧ = ⟦p^R⟧ + ⟦q^R⟧ − 2 · ⟦p^R · q^R⟧.
– Parties non-interactively generate ⟦r⟧ for r ∈ Z_{2^ℓ}, and invoke Π_{⟦·⟧→[·]} (§3.1) to generate [α_b^R], [r].
Online:
– Compute [b^R + r] = β_b^R + [α_b^R] − 2 β_b^R [α_b^R] + [r], and reconstruct b^R + r towards all, similar to multiplication.
– Non-interactively generate ⟦b^R + r⟧ (§B.3).
– Non-interactively compute ⟦b^R⟧ = ⟦b^R + r⟧ − ⟦r⟧.
Figure 14: Bit to arithmetic conversion

Note that the preprocessing phase can be optimized further. Instead of invoking the entire Π_mult in the preprocessing phase, which requires communicating 14ℓ elements, we can generate the required multiplicative terms by invoking F_MulPre (whose current realization via the modified variant of [12], as described in §F, requires 6ℓ elements). For this, ⟦·⟧-shares of ν_1, ν_2, ν_3, ν_4 are converted to [·]-shares by invoking Π_{⟦·⟧→[·]}, followed by invoking F_MulPre on the respective terms. The result of the multiplication, generated as [·]-shares, can be converted to ⟦·⟧-shares by invoking Π_{[·]→⟦·⟧}.

D SECURE PROTOCOLS FOR CDA
In protocol Π_Insert (Fig. 15), for the insertion phase of CDA, we note that each of the f_i's for i ∈ {1, 2, ...} can be computed in parallel. Subsequently, so can the f_i′'s, followed by the f_i″'s.
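As an added example that is not code from the paper, the [·]-sharing of Fig. 11 with its ten pair-indexed shares, the majority-based reconstruction of Fig. 13 with one constructed corrupt holder sending a wrong share or hash, and an in-the-clear replay of the share grouping and XOR-to-arithmetic identity behind Fig. 14. ℓ = 64, the dealer's choice of (l, m) = (4, 5), and the tampering rule "send value + 1" are assumptions of this example.

```python
import functools
import hashlib
import operator
import random
from itertools import combinations
from typing import Dict, Optional, Set, Tuple

# [.]-sharing over Z_{2^l} with the ten shares v_pq of Fig. 11, reconstruction
# towards P_i with the majority rule of Fig. 13, and an in-the-clear check of
# the grouping used by Pi_bit2A in Fig. 14. Added example, not PentaGOD code.
# ELL = 64 and the "+1" tampering of a constructed corrupt holder are assumptions.

ELL = 64
MOD = 1 << ELL
PARTIES = (1, 2, 3, 4, 5)
PAIRS = list(combinations(PARTIES, 2))    # (p, q) with 1 <= p < q <= 5
Pair = Tuple[int, int]


def holders(p: int, q: int) -> Tuple[int, ...]:
    """v_pq is held by every party except P_p and P_q (three parties)."""
    return tuple(s for s in PARTIES if s not in (p, q))


def h(x: int) -> str:
    """Hash sent by the third holder in Fig. 13 (SHA-256 here)."""
    return hashlib.sha256(x.to_bytes(ELL // 8, "little")).hexdigest()


def rss_share(v: int, dealer: int, lm: Pair, rng: Optional[random.Random] = None) -> Dict[Pair, int]:
    """Dealer-side view of Pi_RSS-Sh (Fig. 11): every v_pq except v_lm is sampled (in the
    protocol non-interactively with its holders) and v_lm = v - sum of the rest. The dealer
    must itself hold v_lm, i.e. dealer not in {l, m}. A fixed seed keeps the run reproducible."""
    if dealer in lm:
        raise ValueError("dealer must be a holder of v_lm")
    rng = rng if rng is not None else random.Random(7)
    shares = {pq: rng.randrange(MOD) for pq in PAIRS if pq != lm}
    shares[lm] = (v - sum(shares.values())) % MOD
    return shares


def party_view(shares: Dict[Pair, int], s: int) -> Dict[Pair, int]:
    """The six shares P_s holds: every v_pq with s not in {p, q}."""
    return {pq: x for pq, x in shares.items() if s not in pq}


def reconstruct(shares: Dict[Pair, int], i: int,
                corrupt: Optional[int] = None) -> Tuple[int, Set[Pair]]:
    """Pi_rec towards P_i (Fig. 13). For each of the four missing shares, two holders send
    the value and the third sends its hash; the majority value is used. The constructed
    corrupt holder (if any) sends value + 1 or its hash instead.
    Returns (reconstructed v, set of missing shares on which a mismatch was observed)."""
    total = sum(party_view(shares, i).values())
    mismatches: Set[Pair] = set()
    for pq in PAIRS:
        if i not in pq:
            continue                               # P_i already holds v_pq
        a, b, c = holders(*pq)                     # a, b send the value; c sends the hash
        true = shares[pq]
        val_a = (true + 1) % MOD if corrupt == a else true
        val_b = (true + 1) % MOD if corrupt == b else true
        hash_c = h((true + 1) % MOD) if corrupt == c else h(true)
        if val_a == val_b:
            chosen = val_a                         # two equal values form a majority
        elif h(val_a) == hash_c:
            chosen = val_a                         # value agrees with the hash
        elif h(val_b) == hash_c:
            chosen = val_b
        else:
            raise ValueError("no majority: more than one corrupt holder")
        if len({h(val_a), h(val_b), hash_c}) > 1:
            mismatches.add(pq)
        total += chosen
    return total % MOD, mismatches


def xor_arith(u: int, w: int) -> int:
    """Arithmetic form of XOR on bits: (u XOR w)^R = u + w - 2uw over Z_{2^l}."""
    return (u + w - 2 * u * w) % MOD


def bit2a_clear(beta_b: int, alpha_b: Dict[Pair, int]) -> int:
    """In-the-clear replay of Fig. 14 on boolean shares, with b = beta_b XOR (XOR of the ten
    bit shares alpha_b^pq) regrouped as nu_1..nu_4 exactly as the jointly shared terms."""
    def x(*keys: Pair) -> int:
        return functools.reduce(operator.xor, (alpha_b[k] for k in keys))
    nu1 = x((3, 4), (3, 5), (4, 5))   # held by P_1, P_2
    nu2 = x((2, 4), (2, 5))           # held by P_1, P_3
    nu3 = x((1, 4), (1, 5))           # held by P_2, P_3
    nu4 = x((1, 2), (1, 3), (2, 3))   # held by P_4, P_5
    p, q = xor_arith(nu1, nu2), xor_arith(nu3, nu4)
    alpha_r = xor_arith(p, q)                       # alpha_b^R
    return xor_arith(beta_b, alpha_r)               # online step: beta + alpha - 2*beta*alpha


def bit2a_matches_xor(alpha_b: Dict[Pair, int], beta_b: int) -> bool:
    """True iff bit2a_clear equals the direct XOR of all eleven bits."""
    direct = beta_b ^ functools.reduce(operator.xor, alpha_b.values())
    return bit2a_clear(beta_b, alpha_b) == direct
```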
Protocol Π_Insert(P, (⟦name_{b_0}⟧, ⟦b_0⟧, ⟦q_0⟧), B)
– Insert (⟦0⟧, ⟦0⟧, ⟦0⟧) at the end of B
– Compute ⟦f_0⟧^B = Π_comp(P, ⟦q_0⟧, ⟦q_1⟧)
– ⟦f_0⟧ = Π_bit2A(⟦f_0⟧^B)
– For i = 1 to M + 1 do
  ◦ ⟦f_i⟧^B = Π_comp(P, ⟦q_0⟧, ⟦q_i⟧ + 1)
  ◦ ⟦f_i⟧ = Π_bit2A(⟦f_i⟧^B)
  ◦ ⟦f_i′⟧ = (1 − ⟦f_i⟧) · ⟦f_{i−1}⟧
  ◦ ⟦f_i″⟧ = (1 − ⟦f_i⟧) · (1 − ⟦f_i′⟧)
– For i = 1 to M + 1 do in parallel
  ◦ ⟦name_{b_i}′⟧ = ⟦f_i⟧ · ⟦name_{b_i}⟧ + ⟦f_i′⟧ · ⟦name_{b_0}⟧ + ⟦f_i″⟧ · ⟦name_{b_{i−1}}⟧
  ◦ ⟦b_i′⟧ = ⟦f_i⟧ · ⟦b_i⟧ + ⟦f_i′⟧ · ⟦b_0⟧ + ⟦f_i″⟧ · ⟦b_{i−1}⟧
  ◦ ⟦q_i′⟧ = ⟦f_i⟧ · ⟦q_i⟧ + ⟦f_i′⟧ · ⟦q_0⟧ + ⟦f_i″⟧ · ⟦q_{i−1}⟧
Figure 15: Obliviously inserting into buy list

The instructions in Π_CDA are all sequential.

Protocol Π_CDA(P, (⟦name_{b_0}⟧, ⟦b_0⟧, ⟦q_0⟧), B, S)
– Invoke Π_PSL on (⟦name_{b_0}⟧, ⟦b_0⟧, ⟦q_0⟧)
– Compute ⟦e⟧^B = Π_eq(P, ⟦b_0⟧, 0)
– Compute ⟦q_0⟧ = Π_sel(⟦q_0⟧, ⟦0⟧, ⟦e⟧^B)
– Invoke Π_Insert to insert (⟦name_{b_0}⟧, ⟦b_0⟧, ⟦q_0⟧) into buy list
Figure 16: Overall CDA

The time and communication of the secure protocol for the CDA algorithm, ours as well as that given in [16], are reported in Table 6.

                      Preprocessing             Online
  N    M    Ref    Time (ms)  Com (KB)   Time (ms)  Com (KB)  TP (orders/s)
  10   10   Ours     1.67      37.36       13.76     26.61       72.65
            [16]     1.62      24.15       15.70     15.41       63.71
  20   10   Ours     1.73      52.28       14.41     36.52       69.38
            [16]     1.70      41.97       23.88     27.95       41.87
  20   20   Ours     1.82      70.19       14.63     47.58       68.37
            [16]     1.70      41.97       22.69     27.95       44.06
  40   20   Ours     1.94     100.02       14.60     67.39       68.52
            [16]     1.87      77.61       37.19     53.56       26.89
  50   50   Ours     2.28     168.68       14.34    110.47       69.74
            [16]     1.98      95.44       42.64     66.62       23.45
 100   50   Ours     2.73     243.27       15.10    159.99       66.23
            [16]     2.43     184.56       75.54    134.58       13.24
 100  100   Ours     3.25     333.19       15.80    215.40       63.28
            [16]     2.66     184.57       75.61    134.58       13.23
 200  100   Ours     4.09     482.37       16.73    314.45       59.78
            [16]     3.53     363.10      143.25    283.62        6.98
 200  200   Ours     5.74     662.14       16.89    425.26       59.22
            [16]     4.26     363.14      141.81    283.62        7.05
 400  200   Ours     7.73     960.83       17.58    623.36       56.90
            [16]     7.04     720.10      281.36    634.16        3.55
 500  500   Ours    18.95    1648.69       17.67   1054.63       56.59
            [16]    10.87     898.78      354.43    835.64        2.82
Table 6: Comparison for CDA for varying N, M, and s = 1/10(max(N, M)).

E SECURITY OF OUR PROTOCOLS
The simulation-based security proofs for our protocols are presented in this section. The simulations for 5PC are provided in the (F_setup, F_jmp)-hybrid model. The ideal functionality F_jmp appears in Fig. 17. The two simulators considered are S_A and S_{A,H}, which denote the ideal-world malicious adversary and the ideal-world semi-honest adversary, respectively. We let S_A^{P_i} denote the malicious simulator when party P_i is maliciously corrupt and S_{A,H}^{P_j} denote the simulator for the semi-honest corruption of party P_j. We omit the superscript when it is understood from the context.

We use the following strategy for simulating the computation of a function f. The simulation begins with the simulator emulating the shared-key setup functionality F_setup and giving the respective keys to the adversary. This is followed by the input sharing phase, in which S_A obtains the input of A, using the known keys, and sets the inputs of the honest parties to be 0. Note that S_{A,H} already knows the inputs of A_H. Since S_A knows all the inputs, it can honestly carry out the computation and obtain all the intermediate values as required for simulating the view of A. Further, on invoking the ideal functionality F_{5PC-FaF} with A's input (and A_H's input), S_A can obtain the output of the function. S_A proceeds to simulate the various sub-protocols in topological order using the aforementioned values (inputs of A (A_H), intermediate values and circuit output). A similar approach is taken by S_{A,H} while ensuring that the messages sent to A_H are consistent with those in the view received from S_A.

The simulation steps are provided separately for the sub-protocols to ensure modularity. Carrying out these simulation steps in the respective order results in simulating the computation of the desired function f. While emulating F_jmp, if a CP is identified, the simulator stops the simulation at that step, and continues with the simulation of 3PC using the respective semi-honest 3PC simulator.

Functionality F_jmp
F_jmp interacts with parties in P and the adversaries S_A and S_{A,H}.
– F_jmp receives (Input, v_s) from P_s for s ∈ {i, j}, while it receives (Select, CP) from S_A. Here, CP denotes the pair of parties that S_A wishes to choose as the conflict pair. Let P★ ∈ P denote the party corrupted by S_A.
– If v_i = v_j and CP = ⊥, then set msg_i = msg_j = ⊥, msg_k = v_i.
– Else, if P★ ∈ CP, then set msg_i = msg_j = msg_k = CP.
– Else, set CP = {P★, P} where P ∈ CP. Set msg_i = msg_j = msg_k = CP.
– Send (Output, msg_s) to P_s ∈ P.
S_A sends its view to S_{A,H}.
Figure 17: Ideal functionality for jmp

E.1 Simulations for 5PC protocols
In this section, we describe the simulation steps for input sharing, multiplication and reconstruction, followed by the complete 5PC.

E.1.1 Sharing. The ideal functionality for Π_sh (Fig. 10) appears in Fig. 18.
Functionality F_sh
F_sh interacts with parties in P and the adversaries S_A, S_{A,H}.
– Receive (Input, v) from dealer P_d ∈ P. Let P★ be the party corrupted by S_A.
– Receive continue or abort with (Select, C) from S_A. Here, C denotes the pair of parties that S_A wants to choose as conflict pair.
– If received continue, randomly pick α_v^{ij} ∈ Z_{2^ℓ} for 1 ≤ i < j ≤ 5 and compute β_v = v + Σ_{1≤i<j≤5} α_v^{ij}. Set msg_s = (β_v, {α_v^{ij}}_{i≠s, j≠s}) for each P_s ∈ P.
– Else if received abort, then:
  – If P★ ∈ C, then set CP = C and msg_s = CP for each P_s ∈ P.
  – Else set CP to include P★ and one other party from P, and msg_s = CP for each P_s ∈ P.
Output: Send (Output, msg_s) to P_s ∈ P.
– S_A sends its view to S_{A,H}.
Figure 18: Ideal functionality for Π_sh

The simulator for the sharing protocol appears in Fig. 19.

Simulator S_A^{P_i}, S_{A,H}^{P_j}
Malicious Simulation:
Preprocessing:
– S_A emulates F_setup and gives the respective keys to A. The shares of α_v that are held by A are sampled non-interactively using the shared keys. Other values (α_v^{ij} for 1 ≤ i < j ≤ 5 and α_v^{ji} for 1 ≤ j < i ≤ 5), not known to P_i, are sampled randomly.
Online:
– If P_i is the dealer, S_A receives β_v from A. Given the knowledge of all shares of α_v, S_A obtains A's input as v = β_v − α_v. Following this, S_A emulates F_jmp with A as one of the senders, to deliver β_v to all parties. Depending on A's behaviour, S_A sets CP and invokes F_sh with (Input, v), and continue/abort and (Select, CP).
– Else, S_A honestly generates β_v by setting the input v of the honest dealer as v = 0. S_A either sends β_v to A and/or emulates F_jmp to deliver β_v to all, with A either as the sender or receiver, depending on the identity of P_i. Depending on A's behaviour, S_A sets CP and invokes F_sh with continue or abort, and (Select, CP).
Semi-Honest Simulation:
Preprocessing:
– S_{A,H} receives the shared keys generated during F_setup from S_A, and the corresponding shares of α_v. The shares of α_v that are held by A_H, other than the ones held by A, are sampled non-interactively using the shared keys. Shares not known to P_j are sampled randomly.
Online:
– If P_i is the dealer, S_{A,H} sends the β_v received from S_A to A_H and/or emulates F_jmp. Else, it performs these steps with a β_v generated by setting v = 0.
Figure 19: Simulator for Π_sh for sharing v

Lemma E.1 (Security). Protocol Π_sh (Fig. 10) realizes F_sh (Fig. 18) with computational security in the (F_setup, F_jmp)-hybrid model against FaF adversaries S_A, S_{A,H} controlling P_i, P_j respectively.

Proof. Claim 1: the view generated by S_A^{P_i} is indistinguishable from A's real-world view.
This is argued as follows. When P_i is the dealer, A's view consists of the random shares of α_v generated using the random keys provided by S_A^{P_i} while emulating F_setup. This is indistinguishable from A's view in the real world. When P_i is a non-dealer, A's view consists of a subset of the random shares of α_v generated using the random keys provided by S_A^{P_i} while emulating F_setup. Additionally, it also sees β_v = 0 + α_v. Since the missing shares of α_v at A are chosen randomly by S_A^{P_i}, β_v remains random, and hence the views are indistinguishable.

Claim 2: the view generated by S_{A,H}^{P_j} is indistinguishable from A_H's real-world view, where S_{A,H} knows the input and output of A_H, and the view sent by S_A^{P_i}.
This is argued as follows. If P_j is the dealer, the argument follows similarly to before, and S_{A,H}^{P_j}'s view is indistinguishable from A_H's view. If P_j is a non-dealer, then A_H's view consists of β_v, the six random shares of α_v, and, among the four missing shares of α_v, it also sees three shares which are received as part of the view sent by A to A_H. Since A_H still misses the share α_v^{ij}, the β_v sent by S_{A,H}^{P_j} remains random, and hence the views are indistinguishable. □

E.1.2 Joint sharing. The simulator for the joint sharing protocol where two parties jointly share a value v in the preprocessing phase appears in Fig. 20. The simulation for joint sharing when the value to be shared is available in the online phase is similar.

Simulator S_A^{P_i}, S_{A,H}^{P_j}
Malicious Simulation:
– If P_i is one among the two dealers, S_A emulates F_jmp with A as one of the senders to send one share of α_v to one other party.
– Else if P_i is the recipient of the share of α_v, then S_A emulates F_jmp with A as the receiver.
– Else, there is nothing to simulate.
Semi-Honest Simulation:
– If P_j is one of the dealers, S_{A,H} emulates F_jmp with A_H as one of the senders to send the share of α_v to one other honest party.
– Else, if P_j is the recipient of the share of α_v, then S_{A,H} emulates F_jmp with A_H as the receiver.
– Else, if P_j is neither the dealer nor the receiver, there is nothing to simulate.
Figure 20: Simulator for Π_jsh for sharing v

Observe that the view generated by S_A^{P_i} is indistinguishable from A's real-world view. This is because the values received by A are random, which is as per the real-world protocol. Similarly, the view of A_H generated by S_{A,H}^{P_j} is indistinguishable from its real-world view.

E.1.3 Reconstruction. The ideal functionality for Π_rec (Fig. 13) appears in Fig. 21.

Functionality F_rec
F_rec interacts with parties in P and the adversaries S_A, S_{A,H}.
– Receive (Input, ⟦v⟧_s, P_i) from each P_s ∈ P.
– Set msg_i = β_v − Σ_{1≤i<j≤5} α_v^{ij} and msg_s = ⊥ for P_s ∈ P \ {P_i}.
Output: Send (Output, msg_s) to P_s ∈ P.
– S_A sends its view to S_{A,H}.
Figure 21: Ideal functionality for Π_rec
The simulator for the reconstruction protocol appears in Fig. 22.

Simulator S_A^{P_i}, S_{A,H}^{P_j}
Malicious Simulation:
– To simulate reconstruction towards A:
  - Invoke F_rec with (Input, ⟦v⟧_i).
  - S_A sets a missing share α_v^{ij} of v, not held by P_i (and P_j), as α_v^{ij} = β_v − v − Σ_{1≤p<q≤5, p≠i, q≠j} α_v^{pq}, where the α_v^{pq} were sampled using the shared keys, and v is the output obtained by S_A from the ideal functionality.
  - S_A sends α_v^{ij} and its hash to A on behalf of the honest parties that hold α_v^{ij}. S_A sends the other shares of α_v, which include α_v^{ik}, α_v^{il}, α_v^{im} (and were sampled randomly), together with their hashes to A on behalf of the honest parties that hold these shares.
Semi-Honest Simulation:
– S_{A,H} receives the view from S_A. To simulate reconstruction towards A_H, S_{A,H} sends the missing shares and their hashes to A_H on behalf of the honest parties, using these values as present in the view received from S_A.
Figure 22: Simulator for Π_rec of output ⟦v⟧

Lemma E.2 (Security). Protocol Π_rec (Fig. 13) realizes F_rec (Fig. 21) with computational security in the F_setup-hybrid model against FaF adversaries S_A, S_{A,H} controlling P_i, P_j respectively.

Proof. The view generated by S_A^{P_i} is indistinguishable from A's real-world view. This is argued as follows. A's view consists of random α_v^{pq} for 1 ≤ p < q ≤ 5, p ≠ i, q ≠ i, such that one share, say α_v^{ij} (unknown to A), is adjusted as α_v^{ij} = β_v − v − Σ_{1≤p<q≤5, p≠i, q≠j} α_v^{pq} to ensure reconstruction of the correct output. Since these missing shares are chosen randomly by S_A^{P_i}, β_v remains random and the views are indistinguishable. Similarly, the view generated by S_{A,H}^{P_j} is indistinguishable from A_H's real-world view, since A_H still misses one random share α_v^{ij}, which keeps β_v random. □

E.1.4 Multiplication. The ideal functionality for Π_mult (Fig. 2) appears in Fig. 23.

Functionality F_mult
F_mult interacts with parties in P and the adversaries S_A, S_{A,H}.
– Receive (Input, ⟦a⟧_s, ⟦b⟧_s, [α_z]_s) from P_s ∈ P. Let P★ be the malicious party controlled by S_A.
– Receive continue or abort with (Select, C) from S_A. Here, C denotes the pair of parties that S_A wants to choose as conflict pair.
– If received continue, compute ⟦z⟧ where z = ab + α_z. Set msg_s = ⟦z⟧_s for each P_s ∈ P.
– Else if received abort, then:
  – If P★ ∈ C, then set CP = C and msg_s = CP for each P_s ∈ P.
  – Else set CP to include P★ and one other party from P, and msg_s = CP for each P_s ∈ P.
Output: Send (Output, msg_s) to P_s ∈ P.
– S_A sends its view to S_{A,H}.
Figure 23: Ideal functionality for Π_mult

Due to the asymmetry in our multiplication protocol, we consider the following two cases for simulation: (i) when the maliciously corrupt P_i is one among P_1, P_2, P_3, and (ii) when the maliciously corrupt P_i is one among P_4, P_5. The simulator for case (i) appears in Fig. 24.

Simulator S_A^{P_i}, S_{A,H}^{P_j}
Malicious Simulation:
Preprocessing: S_A emulates F_MulPre.
Online:
– S_A honestly generates shares of β_z on behalf of the honest parties.
– S_A simulates the send of jmp with A as one of the senders to send the missing share of β_z to the other two online parties (P_1, P_2, P_3). S_A simulates the send of jmp with A as the receiver to send the missing shares of β_z to A on behalf of the honest parties.
Verification:
– S_A honestly generates the hash on all β_z's involved in verification on behalf of the honest online parties, and sends the hash to A.
– If A sends an inconsistency bit b = 0, S_A simulates send and verify of jmp with A as one of the senders to send β_z to the offline parties (P_4, P_5), if P_i ∈ {P_1, P_2}. This is followed by simulation of verify of jmp towards A.
– Else, if A sends an inconsistency bit b = 1, S_A simulates the binary search where hashes are sent until A broadcasts an inconsistency bit with b = 0 and levels L_p, L_{p+1} are identified. S_A simulates send and verify of jmp with A as one of the senders if P_i ∈ {P_1, P_2} to send β_z up to level L_p. This is followed by simulation of verify of jmp towards A for β_z's up to level L_{p+1}. If the simulation of verify of the latter jmp did not output a CP, S_A sends the identity of P_j to A.
– Depending on A's behaviour, S_A sets CP and invokes F_mult with (Input, ⟦a⟧_i, ⟦b⟧_i, [α_z]_i), and continue/abort and (Select, CP).
Semi-Honest Simulation:
Preprocessing: S_{A,H} emulates F_MulPre.
Online: If P_j is one of the online parties, then S_{A,H} simulates the send of jmp with A_H as one of the senders to send the missing share of β_z to the remaining honest online party. S_{A,H} simulates the send of jmp with A_H as the receiver to send the missing share of β_z to A_H on behalf of the honest party.
Verification: If P_j is one of the online parties, then
– S_{A,H} honestly generates the hash on all β_z's involved in verification on behalf of the honest online parties, and sends the hash to A_H.
– Depending on the bit obtained in the view from S_A, S_{A,H} either proceeds with simulating jmp with A_H as one of the senders if P_j ∈ {P_1, P_2} for sending β_z towards the offline parties, or it simulates the hash-based consistency check. For the latter, S_{A,H} recursively performs the hash exchange until the levels L_p, L_{p+1} present in the view of S_A are identified. Following this, S_{A,H} simulates send and verify of jmp with A_H as one of the senders if P_j is one among P_1 or P_2 for sending β_z up to level L_p to the offline parties. Then, simulation of verify of jmp towards A_H for β_z's up to level L_{p+1} is performed.
If P_j is one of the offline parties, then S_{A,H} simulates the same steps as above which are carried out after the hash-based consistency check.
Figure 24: Simulator for Π_mult when P_i ∈ {P_1, P_2, P_3}

The simulator for case (ii) appears in Fig. 25.
Simulator S_A^{P_i}, S_{A,H}^{P_j}
Malicious Simulation:
Preprocessing: S_A emulates F_MulPre.
Online: There is nothing to simulate.
Verification:
– S_A honestly generates β_z on behalf of the honest parties.
– S_A emulates F_jmp with A as the receiver to send β_z to A on behalf of the honest parties.
– Depending on A's behaviour, S_A sets CP and invokes F_mult with (Input, ⟦a⟧_i, ⟦b⟧_i, [α_z]_i), and continue/abort and (Select, CP).
Semi-Honest Simulation:
Preprocessing: S_{A,H} emulates F_MulPre.
Online:
– If P_j is one of the online parties:
  - S_{A,H} emulates F_jmp with A_H as one of the senders to send the missing share of β_z (generated honestly) to the other two online parties. S_{A,H} emulates F_jmp with A_H as the receiver to send the missing shares of β_z to A_H on behalf of the honest parties.
– If P_j is one of the offline parties, there is nothing to simulate.
Verification:
– If P_j is one of the online parties, S_{A,H} sends the hash of all β_z in this segment to A_H and emulates F_jmp with A_H as one of the senders to send β_z to the honest offline party.
– If P_j is one of the offline parties, then S_{A,H} emulates F_jmp with A_H as receiver to send β_z (reused from the view received from S_A) to A_H on behalf of the honest parties.
Figure 25: Simulator for Π_mult when P_i ∈ {P_4, P_5}

Lemma E.3 (Security). Protocol Π_mult (Fig. 2) realizes F_mult (Fig. 23) with computational security in the (F_setup, F_jmp)-hybrid model against FaF adversaries S_A, S_{A,H} controlling P_i, P_j respectively.

Proof. We argue indistinguishability in the following two cases.
Case 1: When the maliciously corrupt P_i is one among P_1, P_2, P_3. Observe that the view generated in this case by S_A^{P_i} is indistinguishable from A's real-world view. This is because A receives random shares of β_z which are generated honestly by the simulator. Since A still misses one share of the mask α_z, the β_z received via F_jmp remains random. Hence, the views are indistinguishable. A similar argument applies to A_H's view being indistinguishable.
Case 2: When the maliciously corrupt P_i is one among P_4, P_5.

for input sharing, and knows A_H's input. Thus, it can invoke the ideal functionality F_{5PC-FaF} (Fig. 26) to obtain the output of the function being simulated. Simulation is not required for addition gates as it is a local operation. For multiplication gates, the simulation steps as described for multiplication are invoked. Observe that in all steps, the view of A, as generated by S_A^{P_i}, is indistinguishable from its real-world view. Similar is the case for A_H. If at any step F_jmp outputs a CP, the 5PC simulation stops and the rest of the steps are simulated using the semi-honest 3PC simulator. Steps for share conversion have to be simulated towards A_H, where the simulator carries out steps as per the honest protocol execution, reusing the shares held by A wherever necessary. Finally, for reconstructing the output, the simulator uses the output received from F_{5PC-FaF} to adjust the value of the missing share that has to be sent to A and A_H. Indistinguishability of the views follows from the indistinguishability of the views for each of the phases. Thus, the view generated by S_A^{P_i} is indistinguishable from A's real-world view, and the view generated by S_{A,H}^{P_j} is indistinguishable from A_H's real-world view.

Functionality F_{5PC-FaF}
F_{5PC-FaF} interacts with the parties in P and the adversaries S_A and S_{A,H}. Let x_s, y_s be the input and output corresponding to a party P_s respectively, i.e. (y_1, y_2, y_3, y_4, y_5) = f(x_1, x_2, x_3, x_4, x_5).
– F_{5PC-FaF} receives (Input, x_s) from P_s ∈ P and computes (y_1, y_2, y_3, y_4, y_5) = f(x_1, x_2, x_3, x_4, x_5).
Output: Send (Output, y_s) to P_s ∈ P.
S_A sends its view to S_{A,H}.
Figure 26: Ideal functionality for evaluating f in the 5PC (1, 1)-FaF model

Simulator S_A^{P_i}, S_{A,H}^{P_j}
Malicious Simulation:
– S_A emulates F_setup to generate common PRF keys.
– S_A invokes the simulator for input sharing and extracts A's input. S_A invokes F_{5PC-FaF} on A's input to obtain the function output v.
– For addition operations, there is nothing to simulate. For multiplications, S_A invokes the simulator for multiplication.
– S_A invokes the reconstruction simulator to reconstruct output v.
– SA sends its view to SA,H .
Similar to case 1, the real-world view of A is indistinguishable
from the view generated by S A since A misses one share of the 𝛼 z Semi-Honest Simulation:
which keeps 𝛽 z random. A similar argument, as before, holds for – SA,H invokes the simulator for input sharing.
indistinguishability of the view of A H . □ – For addition operations, there is nothing to simulate. For multiplica-
tions, SA,H invokes the simulator for multiplication.
E.1.5 The complete 5PC. The ideal functionality for computing a
– SA,H invokes the reconstruction simulator to reconstruct output v.
function 𝑓 via (1, 1)-FaF secure 5PC appears in Fig. 26.
𝑃𝑖
Overview of the simulation steps. Observe that the complete 5PC Figure 27: Simulator SA for 5PC − FaF
protocol begins with the input sharing phase, followed by an eval-
Theorem E.4. Assuming collision resistant hash functions exist,
uation phase where addition and multiplication gates are evalu-
protocol 5PC − FaF (Fig. 4) realizes F5PC−FaF (Fig. 26) with compu-
ated and concludes with a reconstruction phase. For each of these
tational security in the Fsetup -hybrid model with (1, 1)-FaF security.
phases, we use the simulation steps described above depending
on the identity of the maliciously corrupt 𝑃𝑖 and a semi-honest Proof. The view of the adversaries generated by the simulators
𝑃 𝑗 . The simulation proceeds as follows. The simulator is able to is indistinguishable from their real-world views. The indistinguisha-
extract malicious A’s input while performing the simulation steps bility of the views from input sharing and multiplication follows
from Lemma E.1 and Lemma E.3, respectively. With respect to reconstruction, on obtaining the output from F_5PC−FaF, the simulators either simulate the reconstruction steps (see Lemma E.2 for the indistinguishability argument), or execute the simulator for semi-honest 3PC. In both cases, the simulated view is indistinguishable from the real-world view. □

E.2 Simulations for Building Blocks
In this section, we describe the simulation steps for the building blocks described in §4. We begin with the simulation steps for multi-input multiplication, dot product, bit to arithmetic, bit injection, bit extraction and arithmetic to Boolean.
Since the multi-input multiplication and dot product protocols are very similar to the multiplication protocol, we omit simulation steps for the same. Further, observe that the protocol for bit to arithmetic essentially invokes the joint sharing and multiplication protocols. Hence, the simulation steps for bit to arithmetic involve executing the simulation steps for joint sharing and multiplication in the order in which they appear in the protocol. Indistinguishability follows from the indistinguishability of the simulation steps in the underlying protocols. Similar to bit to arithmetic, bit injection involves an invocation of bit to arithmetic followed by a multiplication. Hence, the simulation steps follow from the simulation of the underlying protocols. Finally, bit extraction, truncation as well as arithmetic to Boolean rely on an invocation of joint sharing followed by evaluating the bit extraction or the PPA circuit. Both circuit evaluations rely on invoking the multiplication protocol. Hence, similar to the previous protocols, simulation steps for bit extraction, truncation and arithmetic to Boolean can be obtained by following the steps for simulating joint sharing and multiplication, in the order in which they appear in the resultant protocol.
Similarly, it is easy to observe that the protocols for oblivious select, equality check, comparison, maxpool and ReLU build on top of the prior building blocks. Hence, their simulation follows from the simulation of the underlying protocols.

E.3 Security against a (1, 1)-mixed adversary
A closely related notion to FaF is that of the mixed adversarial model [6, 20, 26, 28, 30, 33, 34], where a single (centralized) adversary is allowed to corrupt t parties maliciously and a disjoint subset of h★ parties semi-honestly. A protocol secure against such an adversary is said to be (t, h★)-mixed secure. It may seem that the mixed notion subsumes the FaF notion, but [1] shows otherwise. However, we show that our designed protocols are also secure in the (1, 1)-mixed adversarial model. The intuition for our protocols being secure in the mixed adversarial model as well is as follows. Observe that since the mixed model comprises a centralized adversary, as opposed to the decentralized one in the FaF model, the view of the semi-honest parties is available to the adversary while deciding the attack strategy for the malicious parties. The design of our protocols is such that it inherently is capable of withstanding such attacks due to the threshold of our secret-sharing scheme being set as t + h★, thus rendering our protocols secure against the centralized (1, 1)-mixed adversary as well. We next provide the simulation proof for the same. Since the proofs follow easily from the simulation proofs for FaF security, in our case, we restrict to discussing the mixed-secure simulation for the sharing protocol.
The ideal functionality for the sharing protocol secure against a mixed adversary appears in Fig. 28.

Functionality F_Sh^mixed
F_Sh^mixed interacts with parties in P and the adversary S_mixed.
– Receive (Input, v) from dealer P_d ∈ P. Let P★ be the malicious party corrupted by S_mixed.
– Receive continue or abort with (Select, C) from S_mixed. Here, C denotes the pair of parties that S_mixed wants to choose as conflict pair.
– If received continue, randomly pick α_v^{ij} ∈ Z_{2^ℓ}, for 1 ≤ i < j ≤ 5, and compute $\beta_v = v + \sum_{1 \le i < j \le 5} \alpha_v^{ij}$. Set msg_s = (β_v, {α_v^{ij}}_{i≠s, j≠s}), for each P_s ∈ P.
– Else if received abort, then:
  – If P★ ∈ C, then set CP = C and msg_s = CP for each P_s ∈ P.
  – Else set CP to include P★ and one other party from P, and msg_s = CP for each P_s ∈ P.
Output: Send (Output, msg_s) to P_s ∈ P.

Figure 28: Mixed-secure ideal functionality for input sharing

The simulator for the sharing protocol secure against a mixed adversary appears in Fig. 29.

Simulator S_mixed
Let P_l be the malicious party and P_m be the semi-honest party controlled by adversary A.
Preprocessing
– S_mixed emulates F_setup and gives the respective keys to A. The shares of α_v that are held by A are sampled non-interactively using the shared keys. Other values (α_v^{ij} for 1 ≤ i < j ≤ 5 and α_v^{ji} for 1 ≤ j < i ≤ 5), not known to A, are sampled randomly.
Online
– If P_l or P_m is the dealer, S_mixed receives β_v from A. Given the knowledge of all shares of α_v, S_mixed obtains A's input as v = β_v − α_v. Following this, S_mixed emulates F_jmp with A as one of the senders, to deliver β_v to all parties. Depending on A's behaviour, S_mixed sets CP and invokes F_Sh^mixed with (Input, v), and continue/abort and (Select, CP).
– Else, S_mixed honestly generates β_v by setting the input, v, of the honest dealer as v = 0. S_mixed either sends β_v to A and/or emulates F_jmp to deliver β_v to all, with A either as the sender or receiver, depending on the identity of P_i. Depending on A's behaviour, S_mixed sets CP and invokes F_Sh^mixed with continue or abort, and (Select, CP).

Figure 29: Simulator corresponding to F_Sh^mixed

Observe that the view generated by the simulator is indistinguishable from the real-world view, and the argument follows similarly to the one given in Lemma E.1.

F PREPROCESSING PHASE OF MULTIPLICATION
Here we discuss the protocol carried out in the preprocessing phase to perform multiplication. The protocol is similar to the one proposed in [12], where first a semi-honest protocol is executed, followed by verifying the correctness of the semi-honest execution.
The difference lies in the steps performed when the verification fails and a pair of conflicting parties is output. In such a case, owing to the presence of at most one malicious party in our setting, we eliminate the pair of parties in conflict, and the computation proceeds via semi-honest 3PC, unlike the malicious 3PC used in the original protocol. Further, we do not require the use of tags (or message authentication codes) to ensure a consistent share conversion, due to the presence of only a single malicious party. The verification protocol has a communication cost which is sublinear in the number of multiplication triples to be verified, and thus its cost can be amortized away for multiple multiplications. Thus, the cost of the preprocessing phase boils down to the cost of the semi-honest 5PC protocol, which is 6 ring elements. While the protocol of [12] is proven to be secure according to the standard security definition, we prove that the variant described above is (1, 1)-FaF secure in the 5PC setting. We provide the details of the protocol (which mostly follows from [12]) as well, for ease of understanding of the proof.
The verification of the semi-honest execution can be reduced to the problem of verifying the correctness of multiplications (several degree-2 equations). We begin with discussing the protocol for verifying the correctness of a degree-2 equation (realized by the ideal functionality F_CheatIdentify). This protocol serves as the basis for the verification protocol (realized by the ideal functionality F_Verify), which is discussed subsequently. The verification protocol relies on 5 invocations (one for each party in P) of F_CheatIdentify to verify the correctness of the multiplication triples. Due to the top-down approach of explaining the functionalities, the use of F_CheatIdentify may not be evident until the details of F_Verify are described. Hence, we request the reader to read §F.0.1 as an independent section. Finally, we discuss the main protocol Π_mulPre, which involves executing a semi-honest 5PC protocol followed by an invocation of F_Verify. On the way, we also prove that these protocols are (1, 1)-FaF secure in the 5PC setting, and discuss their communication complexities.

F.0.1 Checking correctness of degree-2 relations. We first discuss a protocol that allows parties to prove the correctness of a degree-2 computation carried out on their shares. The protocol follows along the lines of the protocol in [12], and we demonstrate that it is secure in the (1, 1)-FaF model for 5PC. We begin with the protocol for fields and discuss how it can be extended to work over rings as shown in [12].
Specifically, party P_i wants to prove the correctness of the following equation:

$$c - \sum_{k=1}^{L} \vec{a}_k \diamond \vec{b}_k = 0 \tag{3}$$

where $c, \{\vec{a}_k\}_{k=1}^{L}, \{\vec{b}_k\}_{k=1}^{L}$ are known to P_i and [·]-shared among parties in P. Further, we assume that P_i knows all [·]-shares of c. Looking ahead, $\{\vec{a}_k\}_{k=1}^{L}, \{\vec{b}_k\}_{k=1}^{L}$ represent P_i's [·]-shares of $\{a_k\}_{k=1}^{L}, \{b_k\}_{k=1}^{L}$, while c represents P_i's additive share (⟨·⟩-share) of $\sum_{k=1}^{L} a_k \cdot b_k$ obtained by operating on its shares $\{\vec{a}_k\}_{k=1}^{L}, \{\vec{b}_k\}_{k=1}^{L}$, which is denoted by the operation ⋄^7. Note here that we abuse the vector notation to mean [·]-sharing. By virtue of [·]-sharing, given [·]-sharing of $\{a_k, b_k\}_{k=1}^{L}$ (which will be the case in the final protocol), parties can locally generate [·]-sharing of the [·]-shares $(\{\vec{a}_k\}_{k=1}^{L}, \{\vec{b}_k\}_{k=1}^{L})$ held by P_i. This holds because for every share held by P_i, 2 other parties also possess it. Hence, it is possible to define a sharing where the share of one subset of 3 parties is P_i's share itself, while the other shares are 0. For instance, if v is [·]-shared and $\vec{v} = (v_{23}, v_{24}, v_{25}, v_{34}, v_{35}, v_{45})$ denotes the tuple of shares held by P_1 (where the subscript denotes the pair of parties which does not possess this share), then $[\vec{v}] = ([v_{23}], [v_{24}], [v_{25}], [v_{34}], [v_{35}], [v_{45}])$, where $[v_{jk}]$ is generated by setting all but one of its shares as 0, the non-zero share being v_jk (which is held by all 3 parties in P \ {P_j, P_k}).
Relying on the distributed zero-knowledge proof system from [10] allows proving the correctness of Eq. (3) with sublinear communication complexity. Note that in the scenario that the proof is rejected due to one of the parties' misbehaviour, the prover will be able to identify the cheating party. In this case, the prover together with this party are regarded as a pair of conflicting parties, one of which is guaranteed to be corrupt. This is captured by the ideal functionality F_CheatIdentify, which checks for correctness of Eq. (3) and either outputs accept, or a pair of parties that are in conflict with each other (one among which is guaranteed to be corrupt). The functionality is defined in Fig. 30.

Functionality F_CheatIdentify
Let S_A be an ideal world malicious adversary and S_{A,H} be the ideal world semi-honest adversary. Let honest parties hold consistent [·]-sharings $[c], \{[\vec{a}_k]\}_{k=1}^{L}, \{[\vec{b}_k]\}_{k=1}^{L}$. The functionality is invoked by an index i sent by honest parties and works as follows.
(1) F_CheatIdentify receives from honest parties their shares of $c, \{\vec{a}_k\}_{k=1}^{L}, \{\vec{b}_k\}_{k=1}^{L}$.
(2) F_CheatIdentify computes $c, \{\vec{a}_k\}_{k=1}^{L}, \{\vec{b}_k\}_{k=1}^{L}$. It computes the corrupted party's shares of these values and sends them to S_A. If P_i is corrupted, then it also sends [·]-shares of $c, \{\vec{a}_k\}_{k=1}^{L}, \{\vec{b}_k\}_{k=1}^{L}$ to S_A. F_CheatIdentify sends P_H's shares of $c, \{\vec{a}_k\}_{k=1}^{L}, \{\vec{b}_k\}_{k=1}^{L}$ to S_{A,H}, where P_H is controlled by S_{A,H}.
(3) F_CheatIdentify checks that Eq. (3) holds.
  – If it holds, then F_CheatIdentify sends accept to S_A, and receives out ∈ {accept, reject} from it. F_CheatIdentify forwards out to honest parties.
  – If it does not hold, then F_CheatIdentify sends reject to honest parties.
(4) If honest parties received reject:
  – If P_i is corrupt, S_A sends an index j ∈ {1, 2, ..., 5} to F_CheatIdentify.
  – If P_i is honest, S_A sends an index j ∈ {1, 2, ..., 5} to F_CheatIdentify, where P_j is corrupt.
  – F_CheatIdentify sends the pair (i, j) to honest parties.
(5) S_A sends its view to S_{A,H}.

Figure 30: Ideal functionality for proving correctness of degree-2 equation by prover P_i

^7 [a] consists of 10 shares {a_{1,2}, a_{1,3}, ..., a_{4,5}}. Similar is the case with [b]. The product c = a · b can thus be written as the sum of products of the form a_{i,j} b_{k,l} for all 1 ≤ i < j ≤ 5 and 1 ≤ k < l ≤ 5. Thus, the additive shares of c can be obtained by splitting each term a_{i,j} b_{k,l} contributed by some party who has both the shares. This operation of obtaining additive shares of c using local shares of a, b is captured by the ⋄ operator.
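The following is an added example, not code from the paper: it builds the 5-party [·]-sharing of footnote 7 (ten summands a_{i,j}, each missed by exactly the pair {P_i, P_j}), the ⋄ operation that turns each party's six local shares of a and b into an additive share of a·b without communication, and the local lifting of a single share v_{jk} into a [·]-sharing as described above. The rule that charges each cross term a_{i,j}·b_{k,l} to the lowest-index party outside {i,j} ∪ {k,l} is an assumption (the footnote only requires that some holder of both shares contributes it); the ring Z_{2^64} and all values are constructed.

```python
"""5-party replicated [.]-sharing over Z_{2^64} and the local diamond operation.
Added illustration; the term-assignment rule and all values are constructed."""
import itertools
import random

N = 5
ELL = 64
MOD = 1 << ELL
PARTIES = range(1, N + 1)
# The ten share indices {1,2},{1,3},...,{4,5}: pair (i,j) is exactly the pair NOT holding a_{i,j}.
PAIRS = list(itertools.combinations(PARTIES, 2))


def share(v, rng):
    """[.]-share v: ten summands a_{i,j}, one per pair, adding up to v mod 2^ELL."""
    shares = {pair: rng.randrange(MOD) for pair in PAIRS[:-1]}
    shares[PAIRS[-1]] = (v - sum(shares.values())) % MOD
    return shares


def view(shares, party):
    """The six shares P_party holds: every a_{i,j} with party not in {i,j}."""
    return {pair: s for pair, s in shares.items() if party not in pair}


def reconstruct(shares):
    return sum(shares.values()) % MOD


def assignee(pair_a, pair_b):
    """Public rule (assumption): the cross term a_{pa} * b_{pb} is charged to the
    lowest-index party outside pa U pb. Since |pa U pb| <= 4 < 5 such a party always
    exists, and being outside both pairs it holds both shares."""
    return min(p for p in PARTIES if p not in pair_a and p not in pair_b)


def local_product_share(party, a_view, b_view):
    """P_party's <.>-share of a*b (the 'c' of Eq. (3)) from its own views only."""
    c = 0
    for pa, x in a_view.items():
        for pb, y in b_view.items():
            if assignee(pa, pb) == party:
                c = (c + x * y) % MOD
    return c


def lift_to_sharing(pair, value):
    """[.]-sharing of one share v_{jk}: that position keeps the value (held by the
    three parties outside {j,k}), the other nine positions are 0."""
    return {p: (value if p == pair else 0) for p in PAIRS}


def product_check(a, b, seed=0):
    """Share a and b, let each party run diamond locally, and report
    (reconstructed a, reconstructed b, sum of the c^i, a*b mod 2^ELL, lifting ok)."""
    rng = random.Random(seed)
    A, B = share(a, rng), share(b, rng)
    c = {p: local_product_share(p, view(A, p), view(B, p)) for p in PARTIES}
    lifted_ok = all(reconstruct(lift_to_sharing(pair, A[pair])) == A[pair] for pair in PAIRS)
    return reconstruct(A), reconstruct(B), sum(c.values()) % MOD, (a * b) % MOD, lifted_ok


if __name__ == "__main__":
    print(product_check(123456789, 987654321))
```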
The concrete protocol for F_CheatIdentify. We begin with a high level idea of the protocol. Given a g-gate which is defined as follows:

$$g(\vec{v}_1, \ldots, \vec{v}_L) = \sum_{l=1}^{L/2} \vec{v}_{2l-1} \diamond \vec{v}_{2l}$$

where ⋄ denotes the operation of obtaining the additive shares of v_i · v_j given their [·]-sharing, i.e. $\vec{v}_i, \vec{v}_j$.

Protocol $\Pi_{\mathsf{CheatIdentify}}\big(P, P_i, [c], \{[\vec{a}_k]\}_{k=1}^{L}, \{[\vec{b}_k]\}_{k=1}^{L}\big)$
(1) Parties set L̄ = L.
(2) For l = 1 to log L̄ − 1:
  – Parties define linear polynomials $\vec{f}_1, \vec{f}_2, \ldots, \vec{f}_L$ such that for each e ∈ {1, 2, ..., L}, polynomial $\vec{f}_e$ is defined by the following two points:

$$\vec{f}_e(1) = \begin{cases} \vec{a}_{\lceil e/2 \rceil} & \text{if } e \bmod 2 = 1 \\ \vec{b}_{e/2} & \text{if } e \bmod 2 = 0 \end{cases} \qquad \vec{f}_e(2) = \begin{cases} \vec{a}_{L/2 + \lceil e/2 \rceil} & \text{if } e \bmod 2 = 1 \\ \vec{b}_{L/2 + e/2} & \text{if } e \bmod 2 = 0 \end{cases}$$

  – Let $q(x) = g(\vec{f}_1(x), \vec{f}_2(x), \ldots, \vec{f}_L(x))$ be a degree-2 polynomial where

$$g(\vec{f}_1(x), \vec{f}_2(x), \ldots, \vec{f}_L(x)) = \sum_{j=1}^{L/2} \vec{f}_{2j-1}(x) \diamond \vec{f}_{2j}(x)$$

    P_i computes q(1), q(2), q(3) and shares them among parties in P (via the field equivalent of the Π_RSS−Sh protocol in Fig. 11).
  – Parties locally compute [b_l] = [c] − [q(1)] − [q(2)] and store the result.
  – Parties generate a random r ∈ F non-interactively using their shared key setup.
  – Parties locally compute [q(r)] and $[\vec{f}_1(r)], [\vec{f}_2(r)], \ldots, [\vec{f}_L(r)]$ via Lagrange interpolation.
  – Parties set c ← q(r), and ∀k ∈ {1, 2, ..., L/2}: $\vec{a}_k \leftarrow \vec{f}_{2k-1}(r)$, $\vec{b}_k \leftarrow \vec{f}_{2k}(r)$, and L ← L/2.
(3) Parties exit the loop with L = 2 and inputs $c, \vec{a}_1, \vec{a}_2, \vec{b}_1, \vec{b}_2$ that are known to P_i and secret shared among the other parties. Next,
  – Parties non-interactively generate $[\vec{w}_1], [\vec{w}_2]$ where $\vec{w}_1, \vec{w}_2 \in \mathbb{F}^g$ are known to P_i. Here, g denotes the number of shares held by each party as part of [·]-sharing. Parties define polynomials $\vec{f}_1, \vec{f}_2$ of degree 2 such that $\vec{f}_1(0) = \vec{w}_1, \vec{f}_1(1) = \vec{a}_1, \vec{f}_1(2) = \vec{a}_2$ and $\vec{f}_2(0) = \vec{w}_2, \vec{f}_2(1) = \vec{b}_1, \vec{f}_2(2) = \vec{b}_2$.
  – P_i defines the degree-4 polynomial $q(x) = g(\vec{f}_1(x), \vec{f}_2(x))$ where $g(\vec{f}_1(x), \vec{f}_2(x)) = \vec{f}_1(x) \diamond \vec{f}_2(x)$, and computes q(0), q(1), ..., q(4).
  – P_i shares q(0), q(1), ..., q(4) among parties in P (via the field equivalent of the Π_RSS−Sh protocol in Fig. 11).
  – Parties locally compute [b_{log L}] = [c] − [q(1)] − [q(2)].
  – Parties non-interactively generate r, γ_1, ..., γ_{log L} ∈ F, and compute $[b] = \sum_{l=1}^{\log L} \gamma_l \cdot [b_l]$.
  – Parties locally compute $[\vec{f}_1(r)], [\vec{f}_2(r)]$ and [q(r)] via Lagrange interpolation.
  – Parties reconstruct $b, q(r), \vec{f}_1(r), \vec{f}_2(r)$ towards each party, where each missing share is broadcast. If reconstruction has an inconsistency, or if $q(r) \ne g(\vec{f}_1(r), \vec{f}_2(r))$, or if b ≠ 0, then parties output reject. Else, parties output accept.
  – If parties output reject, P_i identifies a party P_j who sent incorrect messages in the previous step, and broadcasts j to all the parties. Parties output the conflict pair (i, j).

Figure 31: Realizing F_CheatIdentify

Eq. (3) can be written as

$$c - g(\vec{a}_1, \vec{b}_1, \ldots, \vec{a}_{L/2}, \vec{b}_{L/2}) - g(\vec{a}_{L/2+1}, \vec{b}_{L/2+1}, \ldots, \vec{a}_L, \vec{b}_L) = 0$$

The prover, knowing all the inputs, can compute the output of the two g-gates and [·]-share them among the parties in P. Let $g_1 = g(\vec{a}_1, \vec{b}_1, \ldots, \vec{a}_{L/2}, \vec{b}_{L/2})$ and $g_2 = g(\vec{a}_{L/2+1}, \vec{b}_{L/2+1}, \ldots, \vec{a}_L, \vec{b}_L)$. Thus, parties can compute [b] = [c] − [g_1] − [g_2] and check if b = 0 by reconstructing b. To ensure that a corrupt P_i did not cheat while generating [·]-shares of g_1, g_2, parties perform an additional test. For this, parties define polynomials $\vec{f}_1, \ldots, \vec{f}_L$ as follows: for each e ∈ {1, 2, ..., L}, $\vec{f}_e(1)$ is the e-th input vector to the 1st g-gate and $\vec{f}_e(2)$ is the e-th input vector to the 2nd g-gate. $\vec{f}_e$ is thus a linear function. Next, define the polynomial $q(x) = g(\vec{f}_1(x), \ldots, \vec{f}_L(x))$. Thus, q(1), q(2) are the outputs of the first and second g-gate, respectively, and q is of degree 2 (since the multiplicative depth of the g-gate is 1 and the degree of $\vec{f}_e$ is 1). To ensure that P_i shared the correct g(1), g(2), it suffices for the parties to check if $q(r) = g(\vec{f}_1(r), \ldots, \vec{f}_L(r))$ for a random r in the ring/field. For this, parties compute [·]-shares of $q(r), \vec{f}_1(r), \ldots, \vec{f}_L(r)$ via Lagrange interpolation on their local shares and check for the equality in the clear. This also requires P_i to share q(3) so that parties have sufficient points on q. To reduce the cost from L shares, which is linear in L, to logarithmic in L, P_i is made to prove that

$$q(r) - g(\vec{f}_1(r), \ldots, \vec{f}_L(r)) = 0 \tag{4}$$

by repeating the same process (since Eq. (4) has the same form as Eq. (3)). Parties repeat the process log L times until a constant number of inputs are left, which are verified in the clear. Since $\vec{f}_e(r)$ is a linear combination of the inputs, to avoid leaking any information about the inputs, in the final step the $\vec{f}$ polynomials are randomized by adding one additional random point on each polynomial. This increases the degree of $\vec{f}$ to 2 and that of q to 4, and requires P_i to generate and share additional points on q. In case parties reject the proof, the prover is asked to identify the cheating party. The pair of parties consisting of the prover and the party identified by the prover is then regarded as the corrupted pair of parties. For this, observe that every message sent by a party other than the prover is a function of (i) the messages received from the prover, (ii) the inputs to the protocol, and (iii) the randomness used. Since the prover knows all of these, it can compute the message that should have been sent by the other parties and identify inconsistencies, if any. The protocol appears in Fig. 31.

Cheating probability over finite fields. There are two cases which lead to the parties outputting accept even when Eq. (3) does not hold: (i) the linear combination of the b values yields a 0, and (ii) P_i cheats while sharing points on q, so that $q \ne g(\vec{f}_1, \ldots, \vec{f}_L)$ and $h(x) = q(x) - g(\vec{f}_1(x), \ldots, \vec{f}_L(x))$ is a non-zero polynomial. While (i) happens with probability $\frac{1}{|\mathbb{F}|}$, for (ii), the probability that h(r) = 0 for a random r ∈ F \ {1, 2, 3} is bounded by $\frac{2}{|\mathbb{F}| - 2}$ (since the degree of polynomial h is 2) in the first log L − 1 rounds and $\frac{4}{|\mathbb{F}| - 5}$ in the last round (since the degree of h is now 4). Thus, the overall cheating probability is bounded by

$$\frac{2(\log L - 1)}{|\mathbb{F}| - 3} + \frac{4}{|\mathbb{F}| - 5} < \frac{2 \log L + 4}{|\mathbb{F}| - 5}$$
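As an added example (not the paper's code), the following runs the arithmetic of Π_CheatIdentify in the clear over a prime field: the log L − 1 halving rounds with the prover's points q(1), q(2), q(3), the masked last round with q(0), ..., q(4), the Lagrange interpolation at the random r, and the final b = 0 and q(r) = g(f⃗_1(r), f⃗_2(r)) checks. The [·]-sharing layer, reconstruction and cheater identification are omitted, the bilinear ⋄ is modelled as an inner product over F_p, and the field (p = 2^61 − 1), the vector length and all inputs are constructed; a `forge` switch models a prover that adjusts q(2) every round so that b_l opens to 0 on a false claim, which the last-round check still catches with the probability bound given above.

```python
"""Verifier-side arithmetic of Pi_CheatIdentify in the clear. Added illustration;
the field, the inner-product model of diamond and all inputs are constructed."""
import random

P = 2**61 - 1          # Mersenne prime, F = Z_p (constructed choice)
G_DIM = 6              # vector length: six [.]-shares per party in 5PC


def vec_add(u, v):
    return [(x + y) % P for x, y in zip(u, v)]


def vec_scale(s, u):
    return [(s * x) % P for x in u]


def diamond(u, v):
    """Bilinear stand-in for the paper's diamond operator: inner product mod p."""
    return sum(x * y for x, y in zip(u, v)) % P


def lagrange_coeffs(xs, r):
    """lambda_j(r) for nodes xs, so that f(r) = sum_j lambda_j(r) * f(x_j)."""
    coeffs = []
    for j, xj in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num = num * (r - xm) % P
                den = den * (xj - xm) % P
        coeffs.append(num * pow(den, P - 2, P) % P)
    return coeffs


def interp(points, r):
    """Evaluate at r the polynomial through the {node: scalar} points."""
    xs = list(points)
    return sum(l * points[x] for l, x in zip(lagrange_coeffs(xs, r), xs)) % P


def vinterp(points, r):
    """Same as interp for {node: vector} points (coordinate-wise)."""
    xs = list(points)
    out = [0] * len(points[xs[0]])
    for l, x in zip(lagrange_coeffs(xs, r), xs):
        out = vec_add(out, vec_scale(l, points[x]))
    return out


def g_gate(vecs):
    """g(v_1,...,v_L) = sum_l v_{2l-1} diamond v_{2l}."""
    return sum(diamond(vecs[2 * l], vecs[2 * l + 1]) for l in range(len(vecs) // 2)) % P


def cheat_identify(c, a, b, forge=False, seed=0):
    """Check c - sum_k a_k diamond b_k = 0 in log L rounds; returns 'accept'/'reject'.
    forge=True: the prover replaces q(2) so that b_l = c - q(1) - q(2) is always 0."""
    rng = random.Random(seed)          # stands in for shared-key randomness
    L = len(a)
    assert L >= 2 and L & (L - 1) == 0, "L must be a power of two"
    b_vals = []
    while L > 2:                                   # the log L - 1 compression rounds
        half = L // 2
        f1, f2 = [], []                            # f_e(1), f_e(2) for e = 1..L
        for k in range(half):
            f1 += [a[k], b[k]]
            f2 += [a[half + k], b[half + k]]
        # f_e is linear, so f_e(3) = 2 f_e(2) - f_e(1); the prover needs it for q(3)
        f3 = [vec_add(vec_scale(2, v2), vec_scale(P - 1, v1)) for v1, v2 in zip(f1, f2)]
        q = {1: g_gate(f1), 2: g_gate(f2), 3: g_gate(f3)}   # prover's shared points
        if forge:
            q[2] = (c - q[1]) % P
        b_vals.append((c - q[1] - q[2]) % P)
        r = rng.randrange(4, P)                    # r in F \ {1,2,3}
        c = interp(q, r)                           # new claim: q(r) = g(f_1(r),...,f_L(r))
        fr = [vinterp({1: v1, 2: v2}, r) for v1, v2 in zip(f1, f2)]
        a, b = fr[0::2], fr[1::2]                  # a_k <- f_{2k-1}(r), b_k <- f_{2k}(r)
        L = half
    # last round, L == 2: mask with random w_1, w_2 so f_1, f_2 have degree 2, q degree 4
    w1 = [rng.randrange(P) for _ in range(G_DIM)]
    w2 = [rng.randrange(P) for _ in range(G_DIM)]
    f1 = {0: w1, 1: a[0], 2: a[1]}
    f2 = {0: w2, 1: b[0], 2: b[1]}
    q = {x: diamond(vinterp(f1, x), vinterp(f2, x)) for x in range(5)}
    if forge:
        q[2] = (c - q[1]) % P
    b_vals.append((c - q[1] - q[2]) % P)
    r = rng.randrange(5, P)
    gammas = [rng.randrange(P) for _ in b_vals]
    b_comb = sum(g * bl for g, bl in zip(gammas, b_vals)) % P
    ok = b_comb == 0 and interp(q, r) == diamond(vinterp(f1, r), vinterp(f2, r))
    return "accept" if ok else "reject"


def sample_instance(L, seed=1):
    """Constructed honest instance: random vectors and the matching c."""
    rng = random.Random(seed)
    a = [[rng.randrange(P) for _ in range(G_DIM)] for _ in range(L)]
    b = [[rng.randrange(P) for _ in range(G_DIM)] for _ in range(L)]
    return sum(diamond(x, y) for x, y in zip(a, b)) % P, a, b


if __name__ == "__main__":
    c, a, b = sample_instance(8)
    print(cheat_identify(c, a, b), cheat_identify((c + 1) % P, a, b),
          cheat_identify((c + 1) % P, a, b, forge=True))
```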
Extension to rings. While the protocol described works over fields, using the extension techniques from [10–12], the protocol can be extended to work over rings. The challenge lies in performing interpolation where not all elements have an inverse over the ring Z_{2^ℓ}. To overcome this, the solution is to work over the extended ring Z_{2^ℓ}[x]/f(x), i.e. the ring of all polynomials with coefficients in Z_{2^ℓ} working modulo a polynomial f that is of the right degree and irreducible over Z_2. When working over this extension ring, the number of roots of a polynomial is greater than its degree, and this changes the error probability. For a protocol which verifies L values, the error is roughly $\frac{2 \log L + 4}{2^d}$, where d is the extension degree. We refer readers to [10, 11] for more details.

Communication cost. In the first log L − 1 iterations, the prover shares 3 elements each. In the last round, it shares 5 elements, followed by public reconstruction of 4 elements via broadcast. Generation of randomness can be done non-interactively and does not incur any cost. Thus, the total communication cost is 6(log L − 1) + 10 + 7 elements. Thus, the per party cost is approximately log L + 3 elements.

Theorem F.1. Protocol Π_CheatIdentify (Fig. 31) securely computes F_CheatIdentify over field F in the (1, 1)-FaF model with error $\le \frac{2 \log L + 4}{|\mathbb{F}| - 5}$ in the 5PC setting.

Proof. Let S_A be the ideal world malicious simulator, S_{A,H} be the ideal world semi-honest simulator, A be the real world malicious adversary and A_H be the semi-honest real-world adversary. Consider the following cases.
Case 1: P_i is corrupt. In this case S_A receives P_i's inputs and honest parties' [·]-shares of c. This implies that S_A can perfectly simulate the opening of [b] and q(r) since it has the honest parties' [·]-shares of c, and receives honest parties' [·]-shares of points on q(·) from A during the simulation. We next show how to simulate the opening of $\vec{f}_1(r), \vec{f}_2(r)$. For this, since S_A knows the inputs of P_i, it knows the actual values of $\vec{f}_1(r), \vec{f}_2(r)$. Thus, S_A is only required to choose random values for the shares of the honest parties while ensuring that together with P_i's shares, they open to the correct values.
To see that the view of A is the same here as in the real execution, observe that for each e ∈ {1, 2},

$$\vec{f}_e(r) = \vec{\lambda}_0(r) \diamond \vec{f}_e(0) + \vec{\lambda}_1(r) \diamond \vec{f}_e(1) + \vec{\lambda}_2(r) \diamond \vec{f}_e(2) \tag{5}$$

where $\vec{\lambda}_0(r), \vec{\lambda}_1(r), \vec{\lambda}_2(r)$ are the Lagrange coefficients. Since shares of $\vec{f}_e(0)$ held by honest parties are random under the constraint that together with P_i's shares they open to $\vec{f}_e(0)$, so are the shares of $\vec{f}_e(r)$. Thus, the distribution is the same in both executions. If some honest party outputs reject, then A broadcasts an index j, which S_A forwards to F_CheatIdentify. If out = reject, but honest parties output accept, then S_A outputs fail and halts. Observe that when S_A does not output fail, the simulation is perfect. The main difference is when S_A outputs fail. This event occurs when Eq. (3) does not hold, yet honest parties output accept. This occurs with probability $\le \frac{2 \log L + 4}{|\mathbb{F}| - 5}$, which is the error probability of the simulation. Finally, S_A sends its view to S_{A,H}.
Subcase: P_j is semi-honest. P_j's view consists of (i) shares of q(1), q(2), q(3) received in each of the log L̄ − 1 iterations, (ii) shares of q(0), q(1), ..., q(4) received in the last iteration, and (iii) the shares received for reconstructing $b, q(r), \vec{f}_1(r), \vec{f}_2(r)$. While (i), (ii) are received as part of the view of S_A, (iii) can be simulated by sending random shares under the constraint that the reconstructed values are consistent with the ones in the view received from S_A. Thus the simulation is perfect.
Case 2: P_i is honest and P_j is corrupt. In this case, S_A receives accept from F_CheatIdentify. This implies that although S_A does not know the input, it knows that b should be 0 in each iteration and q(r) should equal $g(\vec{f}_1(r), \vec{f}_2(r))$ in the last iteration, unless P_j misbehaves. Since S_A knows P_j's shares of the inputs, it can simulate the openings correctly. Elaborately, for each sharing of q(1), q(2) and q(3) (and $\vec{f}_1(0), \vec{f}_2(0), q(0), \ldots, q(4)$ in the last step) in the simulation, S_A sends random shares on behalf of P_i to A. Since S_A knows P_j's shares of c, q(1), q(2), it can compute its shares of b_l = c − q(1) − q(2). It then chooses the honest parties' shares under the constraint that $b = \sum_{l=1}^{\log L} \gamma_l b_l$ will reconstruct to 0. Following this, S_A uses P_j's shares of $\vec{f}_1(e), \ldots, \vec{f}_L(e)$ for e ∈ {1, 2}, and q(1), q(2), q(3) to compute P_j's shares of $\vec{f}_1(r), \ldots, \vec{f}_L(r)$ and q(r). Then, it can simulate the next iteration as before. Finally, S_A uses P_j's shares of $\vec{f}_1(0), \vec{f}_1(1), \vec{f}_1(2), \vec{f}_2(0), \vec{f}_2(1), \vec{f}_2(2)$ and q(0), ..., q(4) to compute P_j's shares of $\vec{f}_1(r), \vec{f}_2(r), q(r)$. S_A simulates the opening of $b, \vec{f}_1(r), \vec{f}_2(r), q(r)$ as follows.
– To simulate the opening of b, S_A chooses random shares for the honest parties under the constraint that all the shares together will reconstruct to 0.
– To simulate the opening of $\vec{f}_1(r), \vec{f}_2(r)$, S_A chooses random shares for the honest parties.
– To simulate the opening of q(r), S_A chooses random shares for the honest parties under the constraint that the reconstructed q(r) will satisfy the equation $q(r) = g(\vec{f}_1(r), \vec{f}_2(r))$.
If A sends consistent shares, S_A sends out = accept to F_CheatIdentify. Else, since S_A knows P_i's shares, it can compute the message that should have been sent by A, and identifies the cheater on behalf of P_i. S_A sends reject with index j to F_CheatIdentify in this case.
We claim that A's view in the real and ideal execution is identically distributed. A's view consists of (i) shares sent by P_i for points on q, (ii) shares for points $\vec{f}_1(0), \vec{f}_2(0)$, (iii) the opened b, and (iv) the opened $\vec{f}_1(r), \vec{f}_2(r), q(r)$. Shares in (i) and (ii) are uniformly distributed; with respect to (iii), A sees random shares which open to 0 in both worlds. Finally, the claim in (iv) follows from Eq. (5), similar to case 1, where $\vec{f}_e(r)$ for e ∈ {1, 2} is randomly distributed in the ideal as well as the real world. Given that $\vec{f}_e(r)$ for e ∈ {1, 2} is random, we obtain q(r) being random as long as $q(r) = g(\vec{f}_1(r), \vec{f}_2(r))$ holds.
Subcase: P_i is semi-honest. S_{A,H} has all inputs of P_i. Thus, the simulation can be carried out honestly, taking into consideration the view received from S_A. Thus, the simulation is perfect.
Subcase: P_k is semi-honest. This is similar to case 2. Since P_i is honest, b should be 0 in each iteration and q(r) should equal $g(\vec{f}_1(r), \vec{f}_2(r))$ in the last iteration. Since S_{A,H} knows P_k's shares
of the inputs, it can simulate the openings correctly. Thus, the simulation is perfect. □

Functionality F_Verify
Let S_A be an ideal world malicious adversary and S_{A,H} be the ideal world semi-honest adversary. The functionality is invoked by honest parties sending their [·]-shares of m multiplication triples $\{(x_k, y_k, z_k)\}_{k=1}^{m}$ to F_Verify.
(1) F_Verify computes all secrets and the corrupted party's shares, and sends these shares to S_A. F_Verify sends P_H's shares to S_{A,H}, where P_H is controlled by S_{A,H}.
(2) F_Verify verifies if z_k = x_k · y_k for all k ∈ {1, 2, ..., m}.
  – If it holds, it sends accept to S_A.
  – Else, it sends reject to S_A and d_k = z_k − x_k · y_k for each k ∈ {1, 2, ..., m} such that d_k ≠ 0.
(3) If F_Verify sent accept, it receives out ∈ {accept, reject} from S_A, which is forwarded to the honest parties and S_{A,H}.
  – If out = reject, S_A sends a pair of indices (i, j) to F_Verify, where at least one among P_i, P_j is corrupt.
  – F_Verify forwards (i, j) to honest parties and S_{A,H}.
(4) If F_Verify sent reject, then S_A does one of the following.
  (1) S_A sends a pair of indices (i, j) to F_Verify, where at least one among P_i, P_j is corrupt. F_Verify forwards (i, j) to honest parties and S_{A,H}.
  (2) S_A asks F_Verify to find a pair of conflicting parties in the k̄-th multiplication, 1 ≤ k̄ ≤ m. Next, F_Verify asks the honest parties to send their inputs, randomness and views in the execution to compute the k̄-th triple. Based on the received information, F_Verify computes the messages that should have been sent by the corrupted party, and finds a pair of parties P_i, P_j, where P_j received an incorrect message. F_Verify sends (i, j) to honest parties, S_A and S_{A,H}.
(5) S_A sends its view to S_{A,H}.

Figure 32: Ideal functionality for verifying semi-honest protocol

F.0.2 The verification protocol. Using F_CheatIdentify, we next provide the protocol for verification of m multiplication triples with sublinear communication complexity in the number of multiplication triples. A multiplication triple is a shared triple [x], [y], [z]

equality with 0. However, since ⟨·⟩-sharing does not allow for robust reconstruction, the parties first [·]-share their additive shares of $\psi = \sum_{k=1}^{m} \theta_k \cdot x_k \cdot y_k$. Let ψ^i denote the additive share of ψ held by P_i. The consistency check in the [·]-sharing protocol ensures that all receive consistent [·]-shares of ψ^i. In case of a failure, the dealer broadcasts the share for which a pairwise inconsistency exists. Given [ψ^i] for i ∈ {1, ..., 5}, parties can compute

$$[\beta] = \sum_{k=1}^{m} \theta_k \cdot [z_k] - \sum_{i=1}^{5} [\psi^i]$$

and reconstruct β. It is, however, required to ensure that every party P_i shares the correct value ψ^i. Towards realizing this, the property of [·]-sharing which allows parties to locally convert from $[x_k], [y_k]$ to $[\vec{x}^i_k], [\vec{y}^i_k]$, where $\vec{x}^i_k, \vec{y}^i_k$ are the vectors of [·]-shares of x_k, y_k held by P_i, respectively, is used. Parties now want to verify if

$$\forall i \in \{1, \ldots, 5\}: \quad \sum_{k=1}^{m} \theta_k \cdot \left([\vec{x}^i_k] \diamond [\vec{y}^i_k]\right) - [\psi^i] = 0$$

Letting $[c^i] = [\psi^i]$, $[\vec{a}^i_k] = \theta_k \cdot [\vec{x}^i_k]$ and $[\vec{b}^i_k] = [\vec{y}^i_k]$, one needs to verify that $[c^i] - \sum_{k=1}^{m} [\vec{a}^i_k] \diamond [\vec{b}^i_k] = 0$ for i ∈ {1, ..., 5}. This can be verified using F_CheatIdentify. In case of a reject, F_CheatIdentify outputs a pair of conflicting parties. Otherwise, parties proceed with reconstructing β. If reconstruction fails due to inconsistency, the pairwise consistency check of [·]-sharing is used to identify a pair of conflicting parties, where the consistency check is carried out over a broadcast channel. Finally, if β ≠ 0, then it implies that no one cheated in the verification protocol (with high probability), and one of the multiplication triples is incorrect. Parties localize the fault by running a binary search on the multiplication triples to identify a triple where z_k ≠ x_k · y_k. In each search step, the verification protocol is carried out on half the number of triples until one incorrect triple is identified. Finally, parties check the execution of the multiplication protocol for this triple to find a pair of disputing parties. This is done by invoking a functionality F_miniMPC which takes the inputs, randomness and view of parties in the multiplication protocol as input and outputs the pair of parties
such that z = x · y. The ideal functionality for the same appears in for which the incoming and outgoing messages do not match. The
Fig. 32. When verification fails, the functionality either obtains a protocol appears in Fig. 33.
pair of conflicting parties, one of which is guaranteed to be corrupt,
from the adversary; or it identifies this pair by itself. In the latter Cheating probability over finite fields. Assume that there is an
case, the functionality obtains the inputs, randomness and views incorrect triple. If the adversary does not cheat in the verification
of honest parties when computing some incorrect multiplication protocol, then there will at most log 𝑚 executions. In each execution,
triple, and uses this information to identify a pair of conflicting the probability that the test will pass is F1 which happens when
parties. the random linear combination outputs a value 0. Thus, the overall
cheating probability is bounded by log 𝑚 · F1 .
The protocol for FVerify . To compute the functionality, the parties
take a random linear combination Communication cost. Protocol Π Verify is recursive. In the 𝑗th step,
𝑚 parties secret share one element each, reconstruct one element, and
∑︁
𝛽= 𝜃𝑘 · (z𝑘 − x𝑘 · y𝑘 ) call FCheatIdentify for every party over a set of triples of size 𝑚/2 𝑗 .
𝑘=1 Thus, the total communication cost in the 𝑗th step is
 
where 𝜃𝑘 is randomly chosen by all the parties and want to check if 5 · 2 + 7 + 5 · 6(log(𝑚/2 𝑗 ) − 1) + 17
𝑚 } which are
𝛽 = 0. Since 𝛽 is a degree-2 function of {(x𝑘 , y𝑘 , z𝑘 )𝑘=1
[·]-shared, parties can compute an additive sharing (⟨·⟩-sharing) = 97 + 30 · log(𝑚/2 𝑗 ) elements.
of 𝛽. Using the ⟨·⟩-shares, parties can reconstruct 𝛽 and check for
Nishat Koti, Varsha Bhat Kukkala, Arpita Patra, Bhavish Raj Gopal
Protocol Π_Verify(P, {([x_k], [y_k], [z_k])}_{k=1}^m)

(1) Parties generate random values θ_1, ..., θ_m ∈ F.
(2) Parties locally compute
$$\langle \psi \rangle = \Big\langle \sum_{k=1}^{m} \theta_k \cdot x_k \cdot y_k \Big\rangle = \sum_{k=1}^{m} \theta_k \cdot \big([x_k] \diamond [y_k]\big).$$
(3) Let the ⟨·⟩-share of ψ held by P_i be ψ^i. Each party P_i shares ψ^i among the other parties.
(4) For each i ∈ {1, 2, ..., 5}:
 – Parties locally convert [x_k], [y_k] to [x⃗^i_k], [y⃗^i_k] for each k ∈ {1, 2, ..., m}.
 – Parties define c^i = ψ^i, [a⃗^i_k] = θ_k · [x⃗^i_k] and [b⃗^i_k] = [y⃗^i_k]. (The factor θ_k is applied once, on the a⃗ side only, so that a⃗^i_k ⋄ b⃗^i_k = θ_k · (x⃗^i_k ⋄ y⃗^i_k).)
 – Parties send [c^i] and {[a⃗^i_k], [b⃗^i_k]}_{k=1}^m to F_CheatIdentify.
 – If parties receive reject, (i, j) from F_CheatIdentify, then they output it and halt.
(5) If parties received accept from F_CheatIdentify in all five invocations, they proceed to the next step.
(6) Parties locally compute [β] = Σ_{k=1}^m θ_k · [z_k] − Σ_{i=1}^5 [ψ^i].
(7) Parties robustly reconstruct β by sending their shares via broadcast.
 – If parties see inconsistent shares, they output reject, (i, j), where P_i, P_j is the first pair of parties for which a pairwise inconsistency exists.
 – If β = 0, parties output accept.
 – If β ≠ 0, parties perform a fault-localization procedure to identify the first incorrect triple by running a binary search on the input triples. For this search, parties run the above protocol on two half-sized sets of input triples and proceed as follows.
  · If parties output accept in both executions, they output accept and halt.
  · If any execution ends with parties holding a pair of conflicting parties (i, j), parties output reject, (i, j) and halt.
  · If β ≠ 0 in both executions, they continue the search on one of the sets.
  · If β ≠ 0 in one of the executions, they continue the search on the set for which β ≠ 0.
 If parties did not receive any output, then they reach a triple k for which z_k ≠ x_k · y_k. Then, parties send their inputs, randomness and view when computing z_k to F_miniMPC, which returns a pair of parties (i, j) with conflicting views. Parties output reject, (i, j).

Figure 33: Realizing F_Verify

In the worst case there are log m steps, and the total cost is
$$97 \cdot \log m + \sum_{j=1}^{\log m} 30 \cdot \log(m/2^j).$$
Since $\sum_{j=1}^{\log m} \log(m/2^j) \le \log m \cdot \log m$, the total communication cost is
$$97 \cdot \log m + 30 \cdot \log m \cdot \log m \text{ elements.} \qquad (6)$$
Note that when working over extended rings, the cost gets multiplied by a factor d, the degree of the extension.

Theorem F.2. Protocol Π_Verify (Fig. 33) securely computes F_Verify over the field F in the (1,1)-FaF model with error log m / |F| in the (F_miniMPC, F_CheatIdentify)-hybrid model in the 5PC setting.

Proof. Let S_A be the ideal-world malicious simulator, S_{A,H} the ideal-world semi-honest simulator, A the real-world malicious adversary and A_H the real-world semi-honest adversary. S_A is invoked by F_Verify, which sends it the corrupted party's shares of {(x_k, y_k, z_k)}_{k=1}^m, out ∈ {accept, reject} and d_k = z_k − x_k · y_k for k ∈ {1, 2, ..., m}. Further, F_Verify sends S_{A,H} the shares of P_H, the semi-honest party.

Random θ_1, ..., θ_m ∈ F are generated. S_A plays the role of F_CheatIdentify and F_miniMPC. As in the proof of Theorem F.1, S_A chooses random shares for the corrupted party for each ψ^j, where P_j is honest, and hands these to A. Then, S_A receives the honest parties' shares of ψ^i, where P_i is the maliciously corrupt party. If the shares dealt by A are inconsistent, the consistency check takes care of this. The honest majority enables S_A to use the honest parties' shares to compute ψ^i for the corrupt P_i, and its shares. Thus, for each i ∈ {1, 2, ..., 5}, S_A can simulate F_CheatIdentify, handing accept or reject to A accordingly. If the output is reject for some i ∈ {1, 2, ..., 5}, then A sends the index of a party P_j to S_A, which together with P_i forms a disputed pair of parties. Then, S_A sends reject, (i, j) to F_Verify, outputs whatever A outputs, and halts.

If the simulation has not ended with a reject, then all ψ^i are correct. Thus, S_A can compute β = Σ_{k=1}^m θ_k · (z_k − x_k · y_k) = Σ_{k=1}^m θ_k · d_k and choose random shares for the honest parties, given the value of β and the corrupted party's shares (known to S_A). Using these shares, S_A simulates the reconstruction procedure. Consider the following cases.
– If A sent incorrect shares, causing the opening of β to fail, then S_A takes the first pair of parties P_i, P_j for which a pairwise inconsistency occurred, sends reject, (i, j) to F_Verify, outputs whatever A outputs, and halts.
– If β = 0: if out = reject (the honest parties output accept in this case), S_A outputs fail and halts; if out = accept, S_A sends accept to F_Verify, outputs whatever A outputs, and halts.
– If β ≠ 0, the simulation proceeds to the binary search, where S_A simulates each step as described so far. If a pair of disputed parties is located, it is sent to F_Verify. If the honest parties output accept, then S_A outputs fail (here it must hold that out = reject, since otherwise the simulation would not have reached the binary-search phase). If the parties found an incorrect triple x_k̄, y_k̄, z_k̄ with z_k̄ ≠ x_k̄ · y_k̄ without identifying a disputed pair, then S_A asks F_Verify to find such a pair by sending it k̄. Upon receiving (i, j) from F_Verify, S_A simulates F_miniMPC, handing (i, j) to A. Finally, S_A outputs whatever A outputs. Note that the event where the k̄-th triple is correct is not possible, because in this case β must be equal to 0.

A's view consists of (i) random shares of ψ^j for each honest party P_j, (ii) the messages sent by F_CheatIdentify, (iii) the revealed β, and (iv) the message from F_miniMPC. The argument for identical distribution of A's view in (i), (ii), (iii) follows from the proof of Theorem F.1. For (iv), since S_A receives from F_Verify a pair of parties with conflicting views in the computation of the k̄-th triple, it can simulate
the role of F_miniMPC perfectly. Thus, the only difference between the simulation and the real execution is the event where S_A outputs fail. This happens when ∃k ∈ {1, 2, ..., m}: d_k ≠ 0 (which is why out = reject) but the parties eventually output accept. This occurs when β = 0 in one of the binary-search steps. Since there are log m steps and Pr[β = 0] = 1/|F| in each step, we have Pr[fail] ≤ log m / |F|, which is the error in the simulation.

Following this, S_A sends its view to S_{A,H} to simulate the view for A_H. S_{A,H} chooses random shares for the corrupted party for each ψ^j, where P_j is honest, and hands these to A_H. Then, S_{A,H} receives the honest parties' shares of ψ^H, where P_H is the semi-honest party. The honest majority enables S_{A,H} to use the honest parties' shares to compute ψ^H for P_H, and its shares. Thus, for each i ∈ {1, 2, ..., 5}, S_{A,H} simulates F_CheatIdentify, handing accept or reject to A_H according to S_A's view. If the output is reject for some i ∈ {1, 2, ..., 5}, then S_{A,H} sends reject, (i, j) to A_H, as present in S_A's view. S_{A,H} simulates the reconstruction procedure for β using the shares received from A_H. Now, depending on the view received from S_A, S_{A,H} sends (i, j) or accept to A_H. The argument for indistinguishability of the views of A_H in the real and ideal worlds follows similarly to the argument for A. □

Similar to Π_CheatIdentify, the protocol Π_Verify can also be extended to work over the ring Z_{2^ℓ} (see F.0.1).

F.0.3 The main protocol. We now provide details of the main protocol for computing the multiplication triples in the preprocessing phase. The ideal functionality appears in Fig. 34. We remark that, operating in the preprocessing model, we can generate a large number of multiplication triples at the same time, which also helps in amortizing the cost due to verification. The main protocol begins with executing a semi-honest 5PC protocol, followed by a verification phase to check the correctness of the multiplication triples generated during the semi-honest execution. Verification completes either with success or with a pair of conflicting parties as output (in which case a semi-honest 3PC is executed, as described earlier). The protocol appears in Fig. 35.

Functionality F_MulPre

Let S_A be an ideal-world malicious adversary and S_{A,H} be the ideal-world semi-honest adversary.

(1) F_MulPre interacts with the parties in P and the adversaries S_A, S_{A,H}. F_MulPre receives [·]-shares of {(x_k, y_k)}_{k=1}^m from the honest parties.
(2) F_MulPre receives {[x_k · y_k]_i}_{k=1}^m from S_A, where P_i is controlled by S_A. It also receives continue or (abort, j) from S_A. If it received abort, F_MulPre sends (i, j) to all. Else, it does the following.
 • F_MulPre reconstructs x_k, y_k using the honest parties' shares and computes x_k · y_k for k ∈ {1, ..., m}.
 • F_MulPre generates [x_k · y_k], for k ∈ {1, 2, ..., m}, using x_k · y_k and the shares [x_k · y_k]_i received from S_A.
 • F_MulPre sends (Output, [x_k · y_k]_s) to each P_s ∈ P.
(3) S_A sends its view to S_{A,H}.

Figure 34: Ideal functionality for computing multiplication triples in the preprocessing phase

Protocol Π_mulPre(P, {[x_k], [y_k]}_{k=1}^m)

(1) Parties generate [·]-shares of random values r_1, r_2, ..., r_m non-interactively using their shared-key setup. They locally convert the [·]-shares to ⟨·⟩-shares.
(2) Parties locally compute ⟨x_k · y_k − r_k⟩ = [x_k] ⋄ [y_k] − ⟨r_k⟩ for each k ∈ {1, 2, ..., m} and send it to P_1.
(3) P_1 reconstructs x_k · y_k − r_k for each k ∈ {1, 2, ..., m} and generates [x_k · y_k − r_k] using Π_RSS-Sh (Fig. 11).
(4) Parties compute [x_k · y_k] = [x_k · y_k − r_k] + [r_k] for k ∈ {1, 2, ..., m}.
(5) Parties invoke Π_Verify(P, {([x_k], [y_k], [x_k · y_k])}_{k=1}^m) to verify the correctness of the multiplication triples.
(6) If parties receive accept from Π_Verify, they proceed with the online phase. Else, parties obtain from Π_Verify a pair of parties (P_i, P_j) to eliminate.

Figure 35: (1,1)-FaF secure protocol for the 5PC preprocessing phase of multiplication

Communication cost. The communication cost follows from the cost of the semi-honest protocol and the cost of the verification protocol. The semi-honest protocol requires communicating 6 ring elements. The cost due to the verification phase can be amortized by preprocessing a large number of multiplication triples. Concretely, for verifying 2^25 multiplication triples, the cost of verification is only about 0.003 ring elements per party per multiplication for an extension degree d = 46 (see Table 4 of the full (eprint) version of [12]). Table 7 summarizes the communication cost for various numbers of multiplication triples to be verified.

  m      Cost (per party per multiplication)
  2^10   22.1914
  2^20   0.0696
  2^25   0.0032
  2^30   0.0001

Table 7: Cost of verification in terms of the number of ring elements communicated per party per multiplication, with 40 bits of statistical security. Here m is the number of multiplication triples to be verified, and the degree of extension is d = 46, to achieve statistical security of 2^{-40}.

Theorem F.3. Protocol Π_mulPre (Fig. 35) securely computes F_MulPre over the field F or the ring Z_{2^ℓ} in the (1,1)-FaF model in the F_Verify-hybrid model in the 5PC setting.

Proof. Consider the case of a corrupt P_1. S_A generates [·]-shares of {x_k, y_k, r_k}_{k=1}^m and learns these values in the clear. The messages to P_1 in step 2 of the protocol are simulated by sending random values to A. S_A also computes the secret x_k · y_k for k ∈ {1, 2, ..., m}. If inconsistent shares are received from A in step 3, then S_A detects the inconsistency and the simulation outputs a pair of conflicting parties. Else, if the shares are consistent but the correct output is not received, S_A computes the difference between these values and simulates F_Verify. If cheating took place, then it sends reject and the d_k ≠ 0 to A. Then, it waits to receive from A either a pair of conflicting parties or a request to F_Verify to find such a pair. In the latter case, S_A finds such a pair of conflicting parties by computing the messages that should have been sent by the corrupted party and comparing them with
what was received from A. Then, S_A sends the obtained pair to A. If no cheating took place, then S_A sends accept to A. Following this, A can decide to reject, in which case a pair of conflicting parties is sent as output. Observe that since A's view consists of random shares in both worlds, the views are identical. Then, S_A sends its view to S_{A,H}. Simulation by S_{A,H} for a semi-honest party follows trivially, as there are no messages to simulate other than those from P_1, which are already received as part of A's view. Cases where other parties are corrupt can be simulated trivially. Simulation for a semi-honest P_1 also follows. □