SPDZ Forge
Malicious-secure arithmetic MPC · Beaver triples · MACs
Three parties multiply secret-shared numbers they cannot see — and when you, playing one of them, lie about your share, the arithmetic itself catches it.
What is this?
Secure multi-party computation (MPC) lets several parties compute an answer from inputs they keep secret from each other. Most classroom MPC — Shamir sharing, Yao's garbled circuits — assumes every party follows the protocol and merely tries to peek. SPDZ (Damgård–Pastro–Smart–Zakarias, 2012) drops that assumption: every secret share carries a tiny algebraic tag (a MAC) under a key nobody holds, so a party who submits a wrong share produces a tag that doesn't check out — and the honest parties abort rather than accept a wrong answer.
Everything on this page is real arithmetic in the prime field Fp with p = 2⁶¹ − 1, running in your browser. Every share is inspectable. This is a teaching demo, not production crypto: the three "parties" are one JavaScript page, and the preprocessing dealer is trusted (both stated where they matter below).
New to the jargon? Three terms carry this whole page
Secret sharing: splitting a number x into random-looking pieces
("shares") that only reveal x when combined. Here, three shares that sum to x mod p.
Semi-honest ("honest-but-curious"): a security model where corrupted
parties follow the protocol but analyze everything they see, hoping to learn secrets.
Malicious: a model where corrupted parties can deviate arbitrarily —
send wrong values, lie about results. SPDZ is secure here, even if all but one party
cheats (dishonest majority): the honest party keeps its privacy, and cheating on
correctness is detected with overwhelming probability.
Addition is free
Shares of x plus shares of y are shares of x + y — each party just adds the two numbers it already holds. No messages, no cost, done.
Multiplication needs a trick: the Beaver triple
x·y is a product of two numbers nobody knows — no local sum produces it. The fix is bought in advance: a preprocessed random triple (a, b, c) with c = a·b, dealt as shares. Step through a real multiplication and watch what crosses the wire.
Cheat, and let the MAC check catch you
Every share travels with a share of α·x — an information-theoretic MAC under the global key α that no party holds. Play the malicious party: edit your share, open the value in both protocols, and compare what each one does about it.
Offline vs online: why SPDZ is deployable
Three hospitals compute a variance
For the cryptographers
The exact construction on this page
Field: Fp, p = 2⁶¹ − 1 (Mersenne; the same field MP-SPDZ's Mersenne61 backend uses), BigInt arithmetic, uniform sampling by rejection from the platform CSPRNG. Sharing: x ↦ (x₀, x₁, x₂) additive, with γ(x)ᵢ additive shares of α·x; α itself additively shared at setup. The MAC check on an opened y computes σᵢ = γ(y)ᵢ − αᵢ·y and requires Σσᵢ = 0. Multiplication is Beaver's: open d = x − a, e = y − b, set [z] = [c] + d·[b] + e·[a] + d·e, with MACs carried through the same linear map. Every protocol opening is authenticated, including d and e — a lie in an opening produces an authenticated wrong product (z′ = xy + δy with a valid MAC), so the final check alone cannot catch it; the second Beaver break-it demonstrates exactly this. The check-share exchange is order-bound by commit-then-open (real SHA-256 over random nonces); the MAC panel's advanced break-it shows the adaptive cancellation that succeeds without it. A cheater whose messages are fixed before reveals passes with probability exactly 1/p ≈ 4.3×10⁻¹⁹.
Modeled/simplified relative to the paper: triples (and all shares) come from a trusted dealer — no SHE/ZK offline phase; opened values are checked individually rather than batched with a random linear combination (the paper draws the batch coefficients after the opened values are fixed); and all three parties run in one browser tab, so the commitment round models message ordering rather than a real network. None of these change the algebra being taught.
Threat-model matrix: what this lab does vs a real SPDZ deployment
| Property | This lab | Full SPDZ-family deployment |
|---|---|---|
| Field / share / MAC algebra | Implemented (BigInt, CSPRNG) | Implemented |
| Corruption threshold | The SPDZ theorem allows up to n−1 corruptions; this page executes one designated cheater at a time | Up to n−1, depending on the family variant and setup |
| Input protocol | Trusted dealer shares inputs | Authenticated input procedure |
| Triple generation | Trusted dealer | SHE- or OT-based preprocessing with sacrifice checks |
| Opening authentication | Implemented for every opening, incl. d and e | Required |
| MAC-check ordering | Commit-then-open (SHA-256), single tab models the network order | Network protocol with commitments |
| Batched checking | Single-value checks (pedagogical case) | Random linear combination, amortized |
| Network, scheduling, replay | Not modeled (one browser tab) | Required |
| Fairness / guaranteed output | Not provided — abort only | Generally abort, not guaranteed output |
| Identifiable abort | Not provided (named, not built) | Separate stronger variants |
Primary sources
- Damgård, Pastro, Smart, Zakarias — Multiparty Computation from Somewhat Homomorphic Encryption (SPDZ, 2012) — the protocol, MACs, offline/online split, dishonest-majority claim.
- Beaver — Efficient Multiparty Protocols Using Circuit Randomization (CRYPTO '91) — the multiplication triple.
- Keller, Orsini, Scholl — MASCOT (2016) — OT-based triple generation (named, not built here).
- Keller, Pastro, Rotaru — Overdrive (2018) — faster SHE preprocessing (named, not built here).
- MP-SPDZ — the framework whose Mersenne61 backend uses this exact field; its MAC_Check implements the commit-then-open, batched check this page teaches the single-value case of.
- SCALE-MAMBA — another SPDZ-family implementation.
What this isn't
Not a garbled-circuits lab — Yao is two-party boolean; this is n-party arithmetic (see garbled-gate). Not a Shamir lab — polynomial sharing with an honest majority lives in shamir-gate and silent-tally. Not an oblivious-transfer lab (ot-gate). It does not build triple generation (SHE or MASCOT/Overdrive) — triples are dealt by a trusted dealer here — and it does not build identifiable abort: when SPDZ aborts, you learn that someone cheated, not who.