Skip to content

SPDZ Forge

Malicious-secure arithmetic MPC · Beaver triples · MACs

Three parties multiply secret-shared numbers they cannot see — and when you, playing one of them, lie about your share, the arithmetic itself catches it.

What is this?

Secure multi-party computation (MPC) lets several parties compute an answer from inputs they keep secret from each other. Most classroom MPC — Shamir sharing, Yao's garbled circuits — assumes every party follows the protocol and merely tries to peek. SPDZ (Damgård–Pastro–Smart–Zakarias, 2012) drops that assumption: every secret share carries a tiny algebraic tag (a MAC) under a key nobody holds, so a party who submits a wrong share produces a tag that doesn't check out — and the honest parties abort rather than accept a wrong answer.

Everything on this page is real arithmetic in the prime field Fp with p = 2⁶¹ − 1, running in your browser. Every share is inspectable. This is a teaching demo, not production crypto: the three "parties" are one JavaScript page, and the preprocessing dealer is trusted (both stated where they matter below).

New to the jargon? Three terms carry this whole page

Secret sharing: splitting a number x into random-looking pieces ("shares") that only reveal x when combined. Here, three shares that sum to x mod p.
Semi-honest ("honest-but-curious"): a security model where corrupted parties follow the protocol but analyze everything they see, hoping to learn secrets.
Malicious: a model where corrupted parties can deviate arbitrarily — send wrong values, lie about results. SPDZ is secure here, even if all but one party cheats (dishonest majority): the honest party keeps its privacy, and cheating on correctness is detected with overwhelming probability.

STEP 1 · THE FREE PART

Addition is free

Shares of x plus shares of y are shares of x + y — each party just adds the two numbers it already holds. No messages, no cost, done.

STEP 2 · HEADLINE MECHANISM

Multiplication needs a trick: the Beaver triple

x·y is a product of two numbers nobody knows — no local sum produces it. The fix is bought in advance: a preprocessed random triple (a, b, c) with c = a·b, dealt as shares. Step through a real multiplication and watch what crosses the wire.

STEP 3 · THE REASON THIS LAB EXISTS

Cheat, and let the MAC check catch you

Every share travels with a share of α·x — an information-theoretic MAC under the global key α that no party holds. Play the malicious party: edit your share, open the value in both protocols, and compare what each one does about it.

STEP 4 · THE ARCHITECTURE

Offline vs online: why SPDZ is deployable

STEP 5 · A REAL COMPUTATION

Three hospitals compute a variance

For the cryptographers

The exact construction on this page

Field: Fp, p = 2⁶¹ − 1 (Mersenne; the same field MP-SPDZ's Mersenne61 backend uses), BigInt arithmetic, uniform sampling by rejection from the platform CSPRNG. Sharing: x ↦ (x₀, x₁, x₂) additive, with γ(x)ᵢ additive shares of α·x; α itself additively shared at setup. The MAC check on an opened y computes σᵢ = γ(y)ᵢ − αᵢ·y and requires Σσᵢ = 0. Multiplication is Beaver's: open d = x − a, e = y − b, set [z] = [c] + d·[b] + e·[a] + d·e, with MACs carried through the same linear map. Every protocol opening is authenticated, including d and e — a lie in an opening produces an authenticated wrong product (z′ = xy + δy with a valid MAC), so the final check alone cannot catch it; the second Beaver break-it demonstrates exactly this. The check-share exchange is order-bound by commit-then-open (real SHA-256 over random nonces); the MAC panel's advanced break-it shows the adaptive cancellation that succeeds without it. A cheater whose messages are fixed before reveals passes with probability exactly 1/p ≈ 4.3×10⁻¹⁹.

Modeled/simplified relative to the paper: triples (and all shares) come from a trusted dealer — no SHE/ZK offline phase; opened values are checked individually rather than batched with a random linear combination (the paper draws the batch coefficients after the opened values are fixed); and all three parties run in one browser tab, so the commitment round models message ordering rather than a real network. None of these change the algebra being taught.

Threat-model matrix: what this lab does vs a real SPDZ deployment
Primary sources

What this isn't

Not a garbled-circuits lab — Yao is two-party boolean; this is n-party arithmetic (see garbled-gate). Not a Shamir lab — polynomial sharing with an honest majority lives in shamir-gate and silent-tally. Not an oblivious-transfer lab (ot-gate). It does not build triple generation (SHE or MASCOT/Overdrive) — triples are dealt by a trusted dealer here — and it does not build identifiable abort: when SPDZ aborts, you learn that someone cheated, not who.