Secure multiparty computation
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)
(Learn how and when to remove this template message)

Secure multiparty computation (also known as secure computation, multiparty computation/MPC, or privacypreserving computation) is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where the adversary is outside the system of participants (an eavesdropper on the sender and receiver), the adversary in this model controls actual participants. These types of tasks started in the late 1970s with the work on mental poker, cryptographic work that simulates game playing over distances without requiring a trusted third party.
Contents
History
Secure computation was formally introduced as secure twoparty computation (2PC) in 1982 (for the socalled Millionaires' Problem), and in generality in 1986 by Andrew Yao.^{[1]}^{[2]} The area is also referred to as Secure Function Evaluation (SFE). The two party case was followed by a generalization to the multiparty by Goldreich, Micali and Widgerson. The computation is based on secret sharing of all the inputs and zeroknowledge proofs for potentially malicious case, where majority of honest players in the malicious adversary case assure that bad behavior is detected and the computation continues with the dishonest person eliminated or his input revealed. This work suggested the very basic general scheme to be followed by essentially all future multi party protocols for secure computing.^{[3]} This work followed by a robust secure protocol which tolerates faulty behavior graciously without revealing anyone's output via a work which invented for this purpose the `share of shares idea' ^{[4]} and a protocol that allows one of the parties to hide its input unconditionally.^{[5]} The above results are in a model where the adversary is limited to polynomial time computations, and it observes all communications, and therefore the model is called the `computational model'. Further, the protocol of Oblivious transfer was shown to be complete for these tasks.^{[6]} The above results established that it is possible under the above variations to achieve secure computation when majority of users are honest. The next question to ask is the case of secure communication channels where the pointtopoint communication is not available to the adversary; in this case it was shown that solutions can be achieved with up to 1/3 of misbehaving malicious parties and the solutions apply no cryptographic tools (since secure communication is available) see:,^{[7]}^{[8]} where if both the pointtopoint secure channels are available and also a global broadcast channel it was shown how up to 1/2 of the parties can be corrupted.^{[9]} The area of multiparty protocols became a fertile area to investigate basic and general protocol issues properties on, such as Universal composability or Mobile Adversary.^{[10]}
Since the late 2000s, and certainly since 2010 and on, the domain has moved to deal with practical improvements of the protocols with applications in mind. Increasingly efficient protocols for MPC have been proposed, and MPC can be now considered as a practical solution to various reallife problems (especially ones that only require linear sharing of the secrets and mainly local operations on the shares with not much interactions among the parties), such as distributed voting, private bidding and auctions, sharing of signature or decryption functions and private information retrieval.^{[11]} The first largescale and practical application of multiparty computation (demonstrated on an actual auction problem) took place in Denmark in January 2008.^{[12]} Obviously, both theoretical notions and investigations and applied constructions are needed.
Definition and overview
In an MPC, a given number of participants, p_{1}, p_{2}, ..., p_{N}, each have private data, respectively d_{1}, d_{2}, ..., d_{N}. Participants want to compute the value of a public function on that private data: F(d_{1}, d_{2}, ..., d_{N}) while keeping their own inputs secret.
For example, suppose we have three parties Alice, Bob and Charlie, with respective inputs x, y and z denoting their salaries. They want to find out the highest of the three salaries, without revealing to each other how much each of them makes. Mathematically, this translates to them computing:
 F(x,y,z) = max(x,y,z)
If there were some trusted outside party (say, they had a mutual friend Tony who they knew could keep a secret), they could each tell their salary to Tony, he could compute the maximum, and tell that number to all of them. The goal of MPC is to design a protocol, where, by exchanging messages only with each other, Alice, Bob, and Charlie can still learn F(x, y, z) without revealing who makes what and without having to rely on Tony. They should learn no more by engaging in their protocol than they would learn by interacting with an incorruptible, perfectly trustworthy Tony.
In particular, all that the parties can learn is what they can learn from the output and their own input. So in the above example, if the output is z, then Charlie learns that his z is the maximum value, whereas Alice and Bob learn (if x, y and z are distinct), that their input is not equal to the maximum, and that the maximum held is equal to z. The basic scenario can be easily generalised to where the parties have several inputs and outputs, and the function outputs different values to different parties.
Informally speaking, the most basic properties that a multiparty computation protocol aims to ensure are:
 Input privacy: No information about the private data held by the parties can be inferred from the messages sent during the execution of the protocol. The only information that can be inferred about the private data is whatever could be inferred from seeing the output of the function alone.
 Correctness: Any proper subset of adversarial colluding parties willing to share information or deviate from the instructions during the protocol execution should not be able to force honest parties to output an incorrect result. This correctness goal comes in two flavours: either the honest parties are guaranteed to compute the correct output (a “robust” protocol), or they abort if they find an error (an MPC protocol “with abort”).
There are a wide range of practical applications, varying from simple tasks such as coin tossing to more complex ones like electronic auctions (e.g. compute the market clearing price), electronic voting, or privacypreserving data mining. A classical example is the Millionaires' Problem: two millionaires want to know who is richer, in such a way that neither of them learns the net worth of the other. A solution to this situation is essentially to securely evaluate the comparison function.
Security definitions
A multiparty computation protocol must be secure to be effective. In modern cryptography, the security of a protocol is related to a security proof. The security proof is a mathematical proof where the security of a protocol is reduced to that of the security of its underlying primitives. Nevertheless, it is not always possible to formalize the cryptographic protocol security verification based on the party knowledge and the protocol correctness. For MPC protocols, the environment in which the protocol operates is associated with the Real World/Ideal World Paradigm^{[13]}. The parties can't be said to learn nothing, since they need to learn the output of the operation, and the output depends on the inputs. In addition, the output correctness is not guaranteed, since the correctness of the output depends on the parties’ inputs, and the inputs have to be assumed to be corrupted.
The Real World/Ideal World Paradigm states two worlds: (i) In the idealworld model, there exists an incorruptible trusted party to whom each protocol participant sends its input. This trusted party computes the function on its own and sends back the appropriate output to each party. (ii) In contrast, in the realworld model, there is no trusted party and all the parties can do is to exchange messages with each other. A protocol is said to be secure if one can learn no more about each party's private inputs in the real world than one could learn in the ideal world. In the ideal world, no messages are exchanged between parties, so realworld exchanged messages cannot reveal any secret information.
The Real World/Ideal World Paradigm provides a simple abstraction of the complexities of MPC to allow the construction of an application under the pretense that the MPC protocol at its core is actually an ideal execution. If the application is secure in the ideal case, then it is also secure when a real protocol is run instead.
The security requirements on an MPC protocol are stringent. Nonetheless, in 1987 it was demonstrated that any function can be securely computed, with security for malicious adversaries.^{[7]}^{[8]} Despite these publications, MPC was not efficient enough to be used in practice at that time. Unconditionally or informationtheoretically secure MPC is closely related to the problem of secret sharing, and more specifically verifiable secret sharing (VSS), which many secure MPC protocols use against active adversaries.
Unlike traditional cryptographic applications, such as encryption or signature, one must assume that the adversary in an MPC protocol is one of the players engaged in the system. That corrupted party or parties may collude in order to breach the security of the protocol. Let be the number of parties in the protocol and the number of parties who can be adversarial. The protocols and solutions for the case of (i.e., when an honest majority is assumed) are different from those where no such assumption is made. This latter case includes the important case of twoparty computation where one of the participants may be corrupted, and the general case where an unlimited number of participants are corrupted and collude to attack the honest participants.
Adversaries faced by the different protocols can be categorized according to how willing they are to deviate from the protocol. There are essentially two types of adversaries, each giving rise to different forms of security:
 SemiHonest (Passive) Security: In this case, it is assumed that corrupted parties merely cooperate to gather information out of the protocol, but do not deviate from the protocol specification. This is a naive adversary model, yielding weak security in real situations. However, protocols achieving this level of security prevent inadvertent leakage of information between parties, and are thus useful if this is the only concern. In addition, protocols in the semihonest model are very efficient, and are often an important first step for achieving higher levels of security.
 Malicious (Active) Security: In this case, the adversary may arbitrarily deviate from the protocol execution in its attempt to cheat. Protocols that achieve security in this model provide a very high security guarantee. The only thing that an adversary can do in the case of dishonest majority is to cause the honest parties to “abort” having detected cheating. If the honest parties do obtain output, then they are guaranteed that it is correct. Their privacy is always preserved.
Security against active adversaries leads to a reduction in efficiency that leads to covert security^{[14]}, a relaxed form of active security. Covert security captures more realistic situations, where active adversaries are willing to cheat but only if they are not caught. For example, their reputation could be damaged, preventing future collaboration with other honest parties. Thus, protocols that are covertly secure provide mechanisms to ensure that, if some of the parties do not follow the instructions, then it will be noticed with high probability, say 75% or 90%. In a way, covert adversaries are active ones forced to act passively due to external noncryptographic (e.g. business) concerns. This mechanism sets a bridge between both models in the hope of finding protocols which are efficient and secure enough in practice.
Like many cryptographic protocols, the security of an MPC protocol can rely on different assumptions:
 It can be computational (i.e. based on some mathematical problem, like factoring) or unconditional (usually with some probability of error which can be made arbitrarily small).
 The model might assume that participants use a synchronized network, where a message sent at a "tick" always arrives at the next "tick", or that a secure and reliable broadcast channel exists, or that a secure communication channel exists between every pair of participants where an adversary cannot read, modify or generate messages in the channel, etc.
The set of honest parties that can execute a computational task is related to the concept of access structure. Adversary structures can be static, where the adversary chooses its victims before the start of the multiparty computation, or dynamic, where it chooses its victims during the course of execution of the multiparty computation making the defense harder. An adversary structure can be defined as a threshold structure or as a more complex structure. In a threshold structure the adversary can corrupt or read the memory of a number of participants up to some threshold. Meanwhile in a complex structure it can affect certain predefined subsets of participants, modeling different possible collusions.
Protocols used
There are major differences between the protocols proposed for two party computation (2PC) and multiparty computation (MPC).
Twoparty computation
The two party setting is particularly interesting, not only from an applications perspective but also because special techniques can be applied in the two party setting which do not apply in the multiparty case. Indeed, secure multiparty computation (in fact the restricted case of secure function evaluation, where only a single function is evaluated) was first presented in the twoparty setting. The original work is often cited as being from one of the two papers of Yao;^{[15]} although the papers do not actually contain what is now known as Yao's garbled circuit protocol.
Yao’s basic protocol is secure against semihonest adversaries and is extremely efficient in terms of number of rounds, which is constant, and independent of the target function being evaluated. The function is viewed as a Boolean circuit, with inputs in binary of fixed length. A Boolean circuit is a collection of gates connected with three different types of wires: circuitinput wires, circuitoutput wires and intermediate wires. Each gate receives two input wires and it has a single output wire which might be fanout (i.e. be passed to multiple gates at the next level). Plain evaluation of the circuit is done by evaluating each gate in turn; assuming the gates have been topologically ordered. The gate is represented as a truth table such that for each possible pair of bits (those coming from the input wires' gate) the table assigns a unique output bit; which is the value of the output wire of the gate. The results of the evaluation are the bits obtained in the circuitoutput wires.
Yao explained how to garble a circuit (hide its structure) so that two parties, sender and receiver, can learn the output of the circuit and nothing else. At a high level, the sender prepares the garbled circuit and sends it to the receiver, who obliviously evaluates the circuit, learning the encodings corresponding to both his and the sender's output. He then just sends back the sender's encodings, allowing the sender to compute his part of the output. The sender sends the mapping from the receivers output encodings to bits to the receiver, allowing the receiver to obtain their output.
In more detail, the garbled circuit is computed as follows. The main ingredient is a doublekeyed symmetric encryption scheme. Given a gate of the circuit, each possible value of its input wires (either 0 or 1) is encoded with a random number (label). The values resulting from the evaluation of the gate at each of the four possible pair of input bits are also replaced with random labels. The garbled truth table of the gate consists of encryptions of each output label using its inputs labels as keys. The position of these four encryptions in the truth table is randomized so no information on the gate is leaked.
To correctly evaluate each garbled gate the encryption scheme has the following two properties. Firstly, the ranges of the encryption function under any two distinct keys are disjoint (with overwhelming probability). The second property says that it can be checked efficiently whether a given ciphertext has been encrypted under a given key. With these two properties the receiver, after obtaining the labels for all circuitinput wires, can evaluate each gate by first finding out which of the four ciphertexts has been encrypted with his label keys, and then decrypting to obtain the label of the output wire. This is done obliviously as all the receiver learns during the evaluation are encodings of the bits.
The sender’s (i.e. circuit creators) input bits can be just sent as encodings to the evaluator; whereas the receiver’s (i.e. circuit evaluators) encodings corresponding to his input bits are obtained via a 1outof2 Oblivious Transfer (OT) protocol. A 1outof2 OT protocol, enables the sender, in possession of two values C1 and C2, to send the one requested by the receiver (b a value in {1,2}) in such a way that the sender does not know what value has been transferred, and the receiver only learns the queried value.
If one is considering malicious adversaries, further mechanisms to ensure correct behavior of both parties need to be provided. By construction it is easy to show security for the sender, as all the receiver can do is to evaluate a garbled circuit that would fail to reach the circuitoutput wires if he deviated from the instructions. The situation is very different on the sender's side. For example, he may send an incorrect garbled circuit that computes a function revealing the receiver's input. This would mean that privacy no longer holds, but since the circuit is garbled the receiver would not be able to detect this.
Multiparty protocols
Most MPC protocols, as opposed to 2PC protocols, make use of secret sharing. In the secret sharing based methods, the parties do not play special roles (as in Yao, of creator and evaluator). Instead, the data associated with each wire is shared amongst the parties, and a protocol is then used to evaluate each gate. The function is now defined as a “circuit” over a finite field, as opposed to the binary circuits used for Yao. Such a circuit is called an arithmetic circuit in the literature, and it consists of addition and multiplication “gates” where the values operated on are defined over a finite field.
Secret sharing allows one to distribute a secret among a number of parties by distributing shares to each party. Two types of secret sharing schemes are commonly used; Shamir secret sharing and additive secret sharing. In both cases the shares are random elements of a finite field that add up to the secret in the field; intuitively, security is achieved because any nonqualifying set of shares looks randomly distributed.
Secret sharing schemes can tolerate an adversary controlling up to t parties out of n total parties, where t varies based on the scheme, the adversary can be passive or active, and different assumptions are made on the power of the adversary. The Shamir secret sharing scheme is secure against a passive adversary when and an active adversary when while achieving informationtheoretic security, meaning that even if the adversary has unbounded computational power, they cannot learn any information about the secret underlying a share. The BGW protocol^{[16]}, which defines how to compute addition and multiplication on secret shares, is often used to compute functions with Shamir secret shares. Additive secret sharing schemes can tolerate the adversary controlling all but one party, that is , while maintaining security against a passive and active adversary with unbounded computational power. Some protocols require a setup phase, which may only be secure against a computationally bounded adversary.
A number of systems have implemented various forms of MPC with secret sharing schemes. The most popular is SPDZ^{[17]}, which implements MPC with additive secret shares and is secure against active adversaries.
Other protocols
Virtual Party Protocol is a protocol which uses virtual parties and complex mathematics to hide the identity of the parties.^{[18]}
Secure sum protocols allow multiple cooperating parties to compute sum function of their individual data without revealing the data to one another.^{[19]}^{[20]}
In 2014 a "model of fairness in secure computation in which an adversarial party that aborts on receiving output is forced to pay a mutually predefined monetary penalty" has been described for the Bitcoin network or for fair lottery.^{[21]}
Scalable MPC
Recently, several multiparty computation techniques have been proposed targeting resourceefficiency (in terms of bandwidth, computation, and latency) for large networks. Although much theoretical progress has been made to achieve scalability, practical progress is slower. In particular, most known schemes suffer from either poor or unknown communication and computation costs in practice.^{[22]} To overcome these limitations, some practical works achieve efficient and scalable implementations by employing specialized hardware^{[23]} or by enabling multiple groups of processors that operate on the same secrets simultaneously. ^{[24]}
Practical MPC systems
Many advances have been made on 2PC and MPC systems in recent years.
Yaobased protocols
One of the main issues when working with Yaobased protocols is that the function to be securely evaluated (which could be an arbitrary program) must be represented as a circuit, usually consisting of XOR and AND gates. Since most realworld programs contain loops and complex data structures, this is a highly nontrivial task. The Fairplay system^{[25]} was the first tool designed to tackle this problem. Fairplay comprises two main components. The first of these is a compiler enabling users to write programs in a simple highlevel language, and output these programs in a Boolean circuit representation. The second component can then garble the circuit and execute a protocol to securely evaluate the garbled circuit. As well as twoparty computation based on Yao's protocol, Fairplay can also carry out multiparty protocols. This is done using the BMR protocol,^{[25]} which extends Yao's passively secure protocol to the active case.
In the years following the introduction of Fairplay, many improvements to Yao's basic protocol have been created, in the form of both efficiency improvements and techniques for active security. These include techniques such as the free XOR method, which allows for much simpler evaluation of XOR gates, and garbled row reduction, reducing the size of garbled tables with two inputs by 25%.^{[26]}
The approach that so far seems to be the most fruitful in obtaining active security comes from a combination of the garbling technique and the “cutandchoose” paradigm. This combination seems to render more efficient constructions. To avoid the aforementioned problems with respect to dishonest behaviour, many garblings of the same circuit are sent from the constructor to the evaluator. Then around half of them (depending on the specific protocol) are opened to check consistency, and if so a vast majority of the unopened ones are correct with high probability. The output is the majority vote of all the evaluations. Note that here the majority output is needed. If there is disagreement on the outputs the receiver knows the sender is cheating, but he cannot complain as otherwise this would leak information on his input.
This approach for active security was initiated by Lindell and Pinkas.^{[27]} This technique was implemented by Pinkas et al. in 2009,^{[26]} This provided the first actively secure twoparty evaluation of the Advanced Encryption Standard (AES) circuit, regarded as a highly complex (consisting of around 30,000 AND and XOR gates), nontrivial function (also with some potential applications), taking around 20 minutes to compute and requiring 160 circuits to obtain a cheating probability.
As many circuits are evaluated, the parties (including the receiver) need to commit to their inputs to ensure that in all the iterations the same values are used. The experiments of Pinkas et al. reported^{[26]} show that the bottleneck of the protocol lies in the consistency checks. They had to send over the net about 6,553,600 commitments to various values to evaluate the AES circuit. In recent results^{[28]} the efficiency of actively secure Yaobased implementations was improved even further, requiring only 40 circuits, and much less commitments, to obtain cheating probability. The improvements come from new methodologies for performing cutandchoose on the transmitted circuits.
More recently, there has been a focus on highly parallel implementations based on garbled circuits, designed to be run on CPUs with many cores. Kreuter, et al.^{[29]} describe an implementation running on 512 cores of a powerful cluster computer. Using these resources they could evaluate the 4095bit edit distance function, whose circuit comprises almost 6 billion gates. To accomplish this they developed a custom, better optimized circuit compiler than Fairplay and several new optimizations such as pipelining, whereby transmission of the garbled circuit across the network begins while the rest of the circuit is still being generated. The time to compute AES was reduced to 1.4 seconds per block in the active case, using a 512node cluster machine, and 115 seconds using one node. Shelat and Shen^{[30]} improve this, using commodity hardware, to 0.52 seconds per block. The same paper reports on a throughput of 21 blocks per second, but with a latency of 48 seconds per block.
Meanwhile, another group of researchers has investigated using consumergrade GPUs to achieve similar levels of parallelism.^{[31]} They utilize OT extensions and some other novel techniques to design their GPUspecific protocol. This approach seems to achieve comparable efficiency to the cluster computing implementation, using a similar number of cores. However, the authors only report on an implementation of the AES circuit, which has around 50,000 gates. On the other hand, the hardware required here is far more accessible, as similar devices may already be found in many people's desktop computers or games consoles. The authors obtain a timing of 2.7 seconds per AES block on a standard desktop, with a standard GPU. If they allow security to decrease to something akin to covert security, they obtain a run time of 0.30 seconds per AES block.It should be noted that in the passive security case there are reports of processing of circuits with 250 million gates, and at a rate of 75 million gates per second.^{[32]}
See also
References
 ^ Andrew C. Yao, Protocols for secure computations (extended abstract)
 ^ Andrew ChiChih Yao:How to Generate and Exchange Secrets (Extended Abstract). FOCS 1986: 162167 [1]
 ^ Oded Goldreich, Silvio Micali, Avi Wigderson:How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987: 218229 [2]
 ^ Zvi Galil, Stuart Haber, Moti Yung: Cryptographic Computation: Secure FaultTolerant Protocols and the PublicKey Model. CRYPTO 1987: 135155 [3]
 ^ David Chaum, Ivan Damgård, Jeroen van de Graaf: Multiparty Computations Ensuring Privacy of Each Party's Input and Correctness of the Result. 87119 [4]
 ^ Joe Kilian: Founding Cryptography on Oblivious Transfer. STOC 1988: 2031 [5]
 ^ ^{a} ^{b} D. Chaum, C. Crepeau & I. Damgard. "Multiparty unconditionally secure protocols". STOC 1987.
 ^ ^{a} ^{b} O. Goldreich, S. Micali & A. Wigderson. "How to play any mental game or a completeness theorem for protocols with honest majority". STOC 1987.
 ^ Tal Rabin, Michael BenOr: Verifiable Secret Sharing and Multiparty Protocols with Honest Majority (Extended Abstract). STOC 1989: 7385 [6]
 ^ Rafail Ostrovsky, Moti Yung: How to Withstand Mobile Virus Attacks. PODC 1991. pp. 5159 [7]
 ^ Claudio Orlandi: Is multiparty computation any good in practice?, ICASSP 2011
 ^ Peter Bogetoft, Dan Lund Christensen, Ivan Damgård, Martin Geisler, Thomas Jakobsen, Mikkel Krøigaard, Janus Dam Nielsen, Jesper Buus Nielsen, Kurt Nielse, Jakob Pagter, Michael Schwartzbach and Tomas Toft (2008). "Multiparty Computation Goes Live". Cryptology ePrint Archive (Report 2008/068).
 ^ Michael Backes, Birgit Pfitzmann, and Michael Waidner. "A general composition theorem for secure reactive systems." In Theory of Cryptography Conference, pp. 336354. Springer, Berlin, Heidelberg, 2004.
 ^ Y. Aumann & Y. Lindell. "Security against covert adversaries". TCC 2007.
 ^ Andrew C. Yao, "How to generate and exchange secrets," SFCS '86 Proceedings of the 27th Annual Symposium on Foundations of Computer Science, pp. 162167, 1986.
 ^ BenOr, Michael; Goldwasser, Shafi; Wigderson, Avi (19880101). "Completeness theorems for noncryptographic faulttolerant distributed computation". ACM: 1–10. doi:10.1145/62212.62213. ISBN 0897912640.
 ^ I. Damgård, V. Pastro, N. Smart and S. Zakarias, "Multiparty computation from somewhat homomorphic encryption," Crypto 2012, vol. Springer LNCS 7417, pp. 643662, 2012.
 ^ Pathak Rohit, Joshi Satyadhar, Advances in Information Security and Assurance, Springer Berlin / Heidelberg, ISSN 03029743 (Print) 16113349 (Online), ISBN 9783642026164, DOI 10.1007/9783642026171
 ^ Rashid Sheikh, Brijesh Kumar and Durgesh Kumar Mishra, Privacy Preserving ksecure sum protocols, International Journal of Computer Science and Information Security, ISSN 19475500 (Online),Vol.6, No.2, Nov. 2009
 ^ Taeho Jung, Junze Han, and XiangYang Li, Pda: Semantically secure timeseries data analytics with dynamic subgroups, IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 2, pp. 260274, MarchApril 1 2018.
 ^ Iddo Bentov, Ranjit Kumaresan (2014). "How to Use Bitcoin to Design Fair Protocols" (PDF). Cryptology e print. International Association for Cryptologic Research (IACR) (129): 1–38. Retrieved 9 October 2014.
 ^ Jared Saia and Mahdi Zamani. Recent Results in Scalable MultiParty Computation. SOFSEM 2015: Theory and Practice of Computer Science. Springer Berlin Heidelberg. Volume 8939. pp 24–44. 2015. ISBN 9783662460788
 ^ Bahmani, Raad, et al. "Secure Multiparty Computation from SGX." IACR Cryptology ePrint Archive 2016
 ^ Vasilios Mavroudis, Andrea Cerulli, Petr Svenda, Dan Cvrcek, Dusan Klinec, George Danezis. A Touch of Evil: HighAssurance Cryptographic Hardware from Untrusted Components. 24th ACM Conference on Computer and Communications Security, Dallas, TX, Oct 30thNov 3rd 2017.
 ^ ^{a} ^{b} A. BenDavid, N. Nisan and B. Pinkas, "FairplayMP: a system for secure multiparty computation," ACM CCS 2008, pp. 257–266, 2008.
 ^ ^{a} ^{b} ^{c} B. Pinkas, T. Schneider, N. Smart and S. Williams, "Secure twoparty computation is practical," Asiacrypt 2009, vol. Springer LNCS 5912, pp. 250–267, 2009.
 ^ Y. Lindell and B. Pinkas, "An efficient protocol for secure twoparty computation in the presence of malicious adversaries," Eurocrypt 2007, vol. Springer LNCS 4515, pp. 5278, 2007.
 ^ Y. Lindell, "Fast cutandchoose based protocols for malicious and covert adversaries," Crypto 2013, vol. Springer LNCS 8043, pp. 117, 2013.
 ^ B. Kreuter, a. shalet and C.H. Shen, "Billion gate secure computation with malicious adversaries," USENIX Security Symposium 2012, pp. 285–300, 2012.
 ^ A. Shelat and C.H. Shen, "Fast twoparty secure computation with minimal assumptions," ACM CCS 2013, pp. 523–534, 2013.
 ^ T. Frederiksen and J. Nielsen, "Fast and maliciously secure twoparty computation using the GPU, "ACNS 2013, vol. Springer LNCS 7954, pp. 339–356, 2013.
 ^ Y. Huang, J. Katz and D. Evans, "Efficient secure twoparty computation using symmetric cutandchoose.," CRYPTO, vol. Springer LNCS 8043, pp. 1835, 2013.
External links
 A simple description of the Millionaire Problem
 Helger Lipmaa's links about multiparty computation
 Nick Szabo, "The God Protocols" at the Wayback Machine (archived December 30, 2006)
 EMPtoolkit — Efficient MultiParty computation Toolkit. Includes implementation of basic MPC primitives as well as protocols with semihonest security and malicious security.
 Secure distributed CSP (DisCSP) solvers — a webapplication with an appletinterpreter to design and run your own fullfledged secure multiparty computation (based on the SMC declarative language). Uses secure arithmetic circuit evaluation and mixnets.
 VMCrypt A Java library for scalable secure computation. By Lior Malka.
 The Fairplay Project — Includes a software package for secure twoparty computation, where the function is defined using a highlevel function description language, and evaluated using Yao's protocol for secure evaluation of boolean circuits.
 The SIMAP project; Secure Information Management and Processing (SIMAP) is a project sponsored by the Danish National Research Agency aimed implementing Secure Multiparty Computation.
 Secure Multiparty Computation Language  project for development of a 'domain specific programming language for secure multiparty computation' and associated cryptographic runtime.
 VIFF: Virtual Ideal Functionality Framework — Framework for asynchronous multiparty computations (code available under the LGPL). Offers arithmetic with secret shared values including secure comparison.
 Sharemind: analyze confidential data without compromising privacy — A distributed virtual machine with the capability to run privacypreserving operations. Has a privacypreserving programming language for data mining tools. Includes developer tools.
 MPCLib: MultiParty Computation Library — A library written in C# and C++ that implements several building blocks required for implementing secure multiparty computation protocols. MPCLib has a discreteevent simulation engine that can be used for simulating MPC protocols in virtual networks.
 Virtual Parties in SMC A protocol for Virtual Parties in SMC (Secure Multi Party computation)
 MPC Javabased implementation A Javabased implementation of the MPC protocol based on Michael.B, Shafi.G and Avi.W's theorem ("Completeness theorems for noncryptographic faulttolerant distributed computation") with WelchBerlekamp error correcting code algorithm to BCH codes. Supports multiple players and identification of "cheaters" with Byzantine protocol. By Erez Alon, Doron Friedland & Yael Smith.
 SEPIA A java library for SMC using secret sharing. Basic operations are optimized for large numbers of parallel invocations (code available under the LGPL).
 Introduction to SMC on GitHub
 Myst Project  JavaCard Applet implementing Secure Multiparty Key Generation, Signing and Decryption.
 Essential bibliography Secure Multiparty Computation