Application-Scale Secure Multiparty Computation

Secure multiparty computation (MPC) permits a collection of parties to compute a collaborative result without any of the parties or compute servers gaining any knowledge about the inputs provided by other parties, except what can be determined from the output of the computation. In the form of MPC known as linear (or additive) sharing, computation proceeds on data that appears entirely random. Operations such as addition or logical-XOR can be performed purely locally, but operations such as multiplication or logical-AND require a network communication between the parties. Consequently, the computational overhead of MPC is large, and the cost is still measured in orders of magnitude slowdown with respect to computing in the clear. However, e ciency improvements over the last few years have shifted the potential applicability of MPC from just micro benchmarks to user-level applications. To assess how close MPC is to real world use we implement and assess two very di↵erent MPC-based applications—secure email filtering and secure teleconference VoIP. Because the computation cost model is very di↵erent from traditional machines, the implementations required a significantly di↵erent set of algorithmic and compiler techniques. We describe a collection of the techniques we found to be important, including SAT-based circuit optimization and an optimized table lookup primitive.