-
Notifications
You must be signed in to change notification settings - Fork 270
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Online cost of Crypto 2020 (edabits) #1405
Comments
I'm getting slightly different figures, namely 1 integer open, 1 bit open, and 118 ANDs. The integer open costs 128 bits per party because SPDZ2k operates on 128 bits, the bit open costs 1 bit per party, and an AND costs 2 bits per party. Overall, I'm getting |
Thanks for the prompt response! I have two follow ups:
|
|
Thank you so much! I will look up the reference to understand the cost of OT/ANDs. |
In case this is useful, the difference in your bitwise LT circuit costs ( This is a circuit which in the literature is usually stated to cost |
Thanks @waamm for the helpful pointer! @mkskeller I have some more questions (or clarifications), this time about implementing
|
|
Thanks!
Do you have the exact/entire protocol for comparison written down somewhere? The paper only says that it's similar to truncation but doesn't provide any details |
Not in the paper but the relevant code in MP-SPDZ is here: https://github.com/data61/MP-SPDZ/blob/a44132e5095f84ed5fda3e27c100bf2d6e462243/Compiler/comparison.py#L98C1-L106C68 |
I wish to calculate the experimental and theoretical online communication of the protocol for comparison from the "Improved Primitives for MPC over Mixed Arithmetic-Binary Circuits" paper.
Experimental Cost: I ran the code provided in Code for Crypto 2020 paper (edaBits) #1391 for 2^16, 2^15 and 2^14 comparisons, using
-F
flag andspdz2k
. I get around 766 bits of communication (total communication, both side)Theoretical cost: I understand that the protocol requires 2 opens and 2m = 126 online ANDs (for LT circuit). Roughly, if we consider just semi-honest security, we 2* 2* 64 (for opens) + 126 * 4 = 760 bits. But this is just semi-honest security.
I wish to understand what's wrong with above analysis. How is the implementation achieving malicious security at the cost of semi-honest protocol?
The text was updated successfully, but these errors were encountered: