I Introduction
Multiparty computation protocols allow multiple users to compute some function of their combined secret inputs without revealing any additional information about their inputs other than the output of the function. FMPC is a secret-sharing based protocol for arithmetic circuits [6]; it operates in a setting where users wish to compute a function over some secrets by submitting the computation to a set of nodes, and is only suitable for circuits with a low number of multiplications. The users first secret-share their inputs by breaking them into multiple shares, and provide each node with one share. The nodes then perform additions and multiplications on these shares by local computations, and finally output the result of the computation. FMPC focuses on the computation of multiplication of secrets, and assumes that additions can be performed using traditional algebra as described by SPDZ [6].
Like previous secret-sharing based protocols [6, 5, 9], FMPC divides execution into an offline phase and an online phase. The offline phase is performed ahead of time and does not involve any user’s secret input; the output of the computation is then evaluated during the online phase. Traditional secret-sharing based protocols compute additions of secrets efficiently, but computing multiplication is expensive [6]; they are based on the algebra introduced by Donald Beaver [2], which relies on the existence of some additional secret-shared values called triples that are generated during the offline phase. Each node then broadcasts its shares of secrets blinded with these triple values. This causes high communication complexity during the online phase, especially for computations requiring many multiplications; their latency increases with the number of multiplications to evaluate.
FMPC is a novel secret-sharing technique to compute multiplication of secrets without requiring nodes to communicate with each other at all during the online phase; FMPC thus enjoys constant (and low) online communication latency in the size of the circuit. This is achieved through the application of Fourier series to Parseval’s identity. On the downside, FMPC cannot compose operations and is therefore only suitable to evaluate circuits with a small number of multiplications (see Section VIII). FMPC relies on established preprocessing techniques for the offline phase, and makes the following contributions to the online phase:

Section IV presents the mathematical construction behind FMPC by taking the example of a two-user computation.

Section V provides a concrete instantiation of FMPC and shows a practical protocol execution.

Section VI introduces the first generalization of Parseval’s identity for Fourier series applicable to an arbitrary number of inputs, and uses it to extend the two-user computation scheme presented in Section IV to a scheme supporting an arbitrary number of users. To the best of our knowledge, this is the first secret-sharing multiparty computation protocol scaling to an arbitrary number of inputs that enables multiplication of secrets with no online communication.
FMPC is a first-of-its-kind attempt to analytically model MPC and aims to trigger further debates towards a working system.
II Threat Model and Goals
The following actors participate in an FMPC computation:

Users: End-user devices submit a computation over some secret inputs to a set of nodes; they wish to publish the output of a computation without revealing their secret inputs to anybody. Without loss of generality, we assume that each user holds one secret input.

Nodes: Infrastructure executing the computation submitted by the users.
We model the offline phase as executed by a trusted authority responsible for generating some scheme parameters and communicating them to the users; this offline phase can be distributed using traditional techniques introduced by SPDZ [6] (see Section IV-B). FMPC assumes passive adversaries who follow the protocol specification but try to learn more than allowed about the users’ secret inputs (we leave the extension of FMPC to active adversaries as future work, potentially adapting the MAC-based approach introduced by SPDZ [6]). Nodes can collude with each other as long as there is at least one honest non-colluding node. Under the above threat model, FMPC achieves the following design goals:

Private Computation: Parties only learn the output of the computation.

Non-Interactivity: Nodes do not communicate with each other during the online phase to perform computations.
III Background
We recall the theory of Fourier series and Parseval’s identity, and the expression of some useful convergent sums analytically; Appendix A shows how to compute them numerically using finite fields.
III-A Convolution of Fourier Series
We recall the Fourier series of the convolution between two functions and periodic on (). Assuming that and (i.e., and are square-integrable in the interval []), their respective Fourier series representations read:
(1)  
where the Fourier coefficients and (for are given below:
(2)  
The convolution function between and is defined as
(3) 
By inserting Equation 1 into Equation 3, and by taking into account the following identities
(4)  
where denotes Kronecker’s delta, we obtain the Fourier series of the convolution between two functions:
(5) 
where
We also recall that the convolution operation satisfies commutativity and associativity; these properties are used in Section VI to scale FMPC to an arbitrary number of inputs.
III-B Parseval’s Identity
Let’s assume two functions and as defined in Equation 1; defining the four vectors , , and (for as below,
(6)
Parseval’s identity [8] holds for and :
(7)  
Parseval’s identity only applies to two functions; Section VI-A presents our generalization of Parseval’s identity that applies to an arbitrary number of functions used to extend FMPC to an arbitrary number of inputs.
III-C Convergent Sums
FMPC requires the computation of scalar products of vectors with infinite components. It is therefore crucial that the infinite series produced by these scalar products are convergent, and that the results of these series can be computed efficiently and exactly (i.e., analytically). For example, in case of two users, FMPC requires the evaluation of the following convergent sums (see Section V):
(8) 
These expressions can be easily calculated from the following well-known identity [8]
(9) 
as below:
Section V illustrates that a convenient choice of the mask functions allows evaluating the infinite series (i.e., the scalar products) analytically.
IV Two-users FMPC Construction
We present the mathematical constructions behind FMPC by illustrating a two-users computation protocol; Section V provides a concrete instantiation of this construction.
IV-A Mathematical Construction
Figure 1 presents a two-users FMPC computation. We consider two users, Alice holding a secret input and Bob holding a secret input , wishing to compute the product without revealing their secret inputs. The protocol operates on the public parameters and (with ); and on the two parametric functions whose parameters are generated by the trusted authority Trusty; we refer to those functions as mask functions. The protocol is divided into two phases: an offline phase consisting of precomputations that can be performed ahead of time as it is independent of the secret inputs, and an online phase producing the output .
Offline phase
We model the offline phase as executed by a trusted authority Trusty (Section IV-B shows how to distribute the offline phase). Trusty generates at random and , and computes the normalization coefficient given by
(10) 
and computes the following normalized mask-functions:
where indicates the set of parameters (➊). Contrary to traditional secret-sharing protocols like SPDZ [6], FMPC pushes the complexity to the edges by offloading the offline phase to the users.
Online phase
Trusty sends to Alice and to Bob, who respectively compute and :
(11) 
Alice computes the vectors and from , and Bob computes the vectors and from as defined by Equations 6 and 2 (➋). Alice sends to and to ; and Bob sends to and to . As a result, gathers the constant and cosine component of Parseval’s identity, and gathers the sine component of Parseval’s identity (➋). outputs , and outputs (➍); anyone can compute according to Equation 7. The intuition behind the scheme is to decompose the product into two components that are eventually added together to compute the final result; this reduces the problem of multiplication of secrets to an addition, which is enabled by Parseval’s identity. Section V presents an end-to-end example calculation, with practical choices of mask functions.
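The split of Parseval’s identity between the two nodes can be checked with a short script. This is an added illustration, not the authors’ code or their released Mathematica script: it assumes the standard real Fourier convention f(t) = a0/2 + Σ (a_n cos nt + b_n sin nt), uses constructed random trigonometric polynomials with K harmonics as mask functions, normalizes only one of them, and assumes the secrets enter by scaling the mask functions, which the page’s Equations 10 and 11 may define differently. It demonstrates correctness of the decomposition only.

```python
import math
import random
from fractions import Fraction

K = 4  # harmonics per constructed mask function (assumption)

def random_coeffs(rng):
    """(a0, [a_1..a_K], [b_1..b_K]) with positive rational entries."""
    def pick():
        return Fraction(rng.randint(1, 50), rng.randint(1, 50))
    return pick(), [pick() for _ in range(K)], [pick() for _ in range(K)]

def scale(c, s):
    a0, a, b = c
    return a0 * s, [v * s for v in a], [v * s for v in b]

def cosine_part(f, g):
    """What the first node computes: constant and cosine scalar product."""
    return f[0] * g[0] / 2 + sum(p * q for p, q in zip(f[1], g[1]))

def sine_part(f, g):
    """What the second node computes: sine scalar product."""
    return sum(p * q for p, q in zip(f[2], g[2]))

def evaluate(c, t):
    a0, a, b = c
    return float(a0) / 2 + sum(
        float(a[n - 1]) * math.cos(n * t) + float(b[n - 1]) * math.sin(n * t)
        for n in range(1, K + 1))

def integral_inner_product(f, g, points=64):
    """(1/pi) * integral of f*g over [-pi, pi]; the trapezoid rule is exact
    for trigonometric polynomials when points > 2K."""
    h = 2 * math.pi / points
    total = sum(evaluate(f, -math.pi + i * h) * evaluate(g, -math.pi + i * h)
                for i in range(points))
    return total * h / math.pi

def run(x, y, seed=1):
    rng = random.Random(seed)
    f, g = random_coeffs(rng), random_coeffs(rng)
    # Offline: normalize so that the Parseval sum of the masks equals 1.
    c = cosine_part(f, g) + sine_part(f, g)
    f_norm = scale(f, Fraction(1) / c)
    # Online: each user scales their mask coefficients by their secret.
    alice, bob = scale(f_norm, x), scale(g, y)
    out1 = cosine_part(alice, bob)   # first node's output
    out2 = sine_part(alice, bob)     # second node's output
    return out1, out2, integral_inner_product(alice, bob)

if __name__ == "__main__":
    o1, o2, integral = run(6, 7)
    print(o1 + o2, integral)
```

Neither node output equals the product on its own; only their sum does, and it matches the normalized integral of the two masked functions.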
IV-B Decentralization of the Offline Phase
We do not innovate on the offline phase, and rely on existing established solutions. The offline phase of FMPC randomly generates the parameters of the mask functions and computes the normalization coefficient. FMPC may employ the same technique used by SPDZ [6] to generate multiplicative triples, which relies on somewhat homomorphic encryption; despite the simplicity of this approach, it incurs expensive public key cryptography and may lead to high cost. Mascot [9] overcomes this limitation by using oblivious transfer to generate the triple values during the offline phase. Section V-D shows how to use the offline phase of those protocols to instantiate a practical FMPC computation. Alternatively, FMPC may rely on a semi-trusted authority to run the offline phase; the authority is then trusted to correctly generate those parameters and to not collude with the nodes, but never learns any information about the users’ inputs.
V Instantiation of Two-users FMPC Computation
We illustrate a practical example of FMPC computation considering the following mask-functions:
(12)  
for parameters and . For simplicity, we set , and
(13) 
to obtain the following normalized mask-functions:
(14)  
V-A Protocol Execution
We show how the protocol illustrated in Figure 1 executes using the mask functions given by Equation 12.
Offline phase
Algorithm 1 illustrates the offline phase; Trusty generates at random ; computes the normalization coefficients ; and sends to Alice and to Bob (➊).
Online phase
Algorithm 2 illustrates the online phase; Alice computes , and Bob computes (➋). Alice sends to and to ; Bob sends to and to (➌). has all information it needs to compute and (see Equation 15 of Section V-B)—those can be computed from the mere knowledge of and —and outputs . In practice, only evaluates and outputs (see Equation 17 of Section V-B). Similarly, has all information to compute and (those can be computed from and ), and outputs ; in practice, simply outputs (see Equation 18 of Section V-B). Anyone can compute , which follows from Equation 7 (➍).
All operations are performed over a finite field where is prime, is integer and ; addition, multiplication, and the modular inverse are implemented by modular arithmetic , that is .
V-B Correctness of the Computation
We compute the normalization coefficients and the normalized mask functions according to Equation 10 and (IV-A); and the functions and according to Equation 11. All computations are performed using Wolfram Mathematica (http://www.wolfram.com/mathematica/) 11.2; we release our script as open source (https://gist.github.com/asonnino/7d3abd570736d13bddf61fa429692983). The Fourier coefficients and are then given below (for :
(15)
where:
(16)  
We can easily check Parseval’s identity; computes
(17)  
and computes
(18)  
Equation 17 and Equation 18 are computed by evaluating the convergent sums given by Equation 8 of Section III. By adding Equation 17 to Equation 18, we finally get:
(19) 
V-C Security Analysis
We show that no adversary can retrieve the secret inputs and from the knowledge of . We assume passive adversaries; i.e., they follow the protocol specification but try to learn more than allowed (see Section II). Informally, the adversary possesses five equations, i.e., the expressions of , and six unknowns, i.e., . The adversary thus holds fewer equations than unknowns, which makes it information-theoretically impossible to recover any unknown value. Theorem 1 presents this result more formally.
Theorem 1.
The scheme presented in Section V-A achieves perfect secrecy against a passive adversary holding ; i.e., for all distributions of and for all , we have and .
Proof.
Let us first consider the input . For any we introduce the conditional probability in terms of the joint probability
(20)
where the second equality is guaranteed by Bayes’ theorem. It is useful to compute using the law of total probability. Conditioning over all gives
(21)
Removing all constant and known factors from the expression of , we get
(22) 
where,
(23) 
which is independent of . Hence,
(24) 
Plugging Equation 22 and Equation 24 into Equation 20, we get . The same reasoning applies to the input . ∎
This implies that nodes are not able to recover the users’ inputs even if they collude (but multiple nodes are still required to handle additions of secrets, as in SPDZ [6]).
V-D Discussion
We discuss convenient choice of mask functions, distribution of the offline phase, and extension to multiple nodes.
Convenient choice of mask functions
Even though FMPC applies to any kind of square-integrable functions, a convenient choice of family of mask functions (in the case of two players) is {} where parameters are randomly chosen (with and users ). The parameters and (with ) are public, and it is convenient to set them to and (see Equation 14). The main advantage of this family of mask-functions is that it forgoes the need to resort to numerical calculations to compute the contributions of Parseval’s identity—calculating the numerical sums of Parseval’s identity is never needed—users simply evaluate them using the analytic expressions provided in Section III-C. We can easily observe that it is possible to select mask-functions that allow all calculations to be performed analytically even for a large number of users; mask functions composed of sums of sine and cosine ensure convergence, and can be evaluated using expressions similar to those given in Section III-C.
Distribution of the offline phase
Established protocols like SPDZ require the generation of multiplicative triplets during the offline phase; i.e., they provide a functionality to generate three elements such that in a distributed manner. FMPC may execute this functionality twice to generate such that , and such that ; and then simply compute:
(25) 
Extension to an arbitrary number of nodes
Section V-C shows that colluding nodes cannot retrieve the users’ inputs; multiple nodes are only required to handle addition of secrets. However, we can easily extend FMPC to an arbitrary number of nodes as we can always split the calculations of Parseval’s identity into an arbitrary number of parts. This can be accomplished in many ways; for instance we may split the vectors A, B, , and in several contributions, by requiring each of the nodes to perform only a specific part of the scalar products, under the constraint that the sum of their output matches with the final values of the scalar products of Parseval’s identity. Note that for the example depicted in Equation 15 (Section V-B), we can simply split the scalars and into shares in such a way that the sum of the contributions coincides with the final scalar products (by applying appropriate normalization).
VI Extension to Multiple Players
We introduce the first generalization of Parseval’s identity for Fourier series applicable to an arbitrary number of inputs, and use it to extend the two-user computation scheme presented in Section IV to an arbitrary number of users.
VI-A Generalization of Parseval’s Identity
We present the generalization of Parseval’s identity for Fourier series applicable to inputs. Parseval’s identity traditionally applies only to two functions; we overcome this drawback by using the convolution operation between two functions. We illustrate Parseval’s identity for three inputs, which can easily be generalized for an arbitrary number of inputs. Section VI-B leverages these considerations to build the users FMPC protocol.
Firstly we observe that in the case of two users, Parseval’s identity may be cast into the following form
(26) 
Let’s now consider three inputs, , and with Fourier series representations given by Equation 1 and by
(27) 
respectively; the generalized Parseval’s identity reads:
(28)  
or
(29)  
Vectors , , , and and are respectively defined as
(30)  
and
(31) 
We simply include , , and in the left-hand side of the equation, and adapt the right-hand side to match calculations. A mathematical formula for an arbitrary number of inputs can easily be obtained following the same logic.
VI-B Mathematical Construction
We extend the two-user FMPC scheme presented in Section IV to a scheme supporting users.
Offline phase
Trusty generates at random the parameters of mask-functions ; it then computes the normalization coefficients similarly to Equation 10, and uses them to compute the normalized mask-functions as shown in Section IV-A. This is analogous to the offline phase of the protocol presented in Section IV-A, except that we now consider mask-functions instead of two.
Online phase
Trusty sends a normalized mask function to each user; they compute using their secret inputs , and their Fourier coefficients according to Equation 11 and Equation 2. Similarly to Section IV-A, users send the constant and cosine component of Parseval’s identity to , and the sine component to ; therefore the protocol can always be executed with two nodes. Each node then computes and outputs the scalar product of the users’ coefficients vector, and the product is computed by summing the output of each node according to the generalized Parseval’s identity presented in Section VI-A.
Figure 2 shows an example of execution of FMPC for three users. Each user, Alice, Bob and Charlie receives a normalized mask-function from Trusty. In this case the normalization coefficient is given by
(32) 
with
(33) 
and the three normalized mask-functions read
where and are two positive real numbers subject to the condition . Alice locally computes and ; Bob computes and ; and Charlie computes and similarly to Equation 2 and Equation 6. Alice sends to and to ; Bob sends to and to ; and Charlie sends to and to . Finally, outputs , and outputs ; following Equation 28, anyone can compute .
VII Related Works
There are two main constructions of multiparty protocols: circuit garbling and secret-sharing. Circuit garbling involves encrypting keys in a specific order to simulate a circuit evaluation [1]; secret-sharing based protocols such as FMPC break the inputs among all nodes who use their shares to evaluate some function through local computations [3, 7, 11, 10].
SPDZ [6] is one of the most notorious secret-sharing based multiparty computation protocols scaling to an arbitrary number of users; SPDZ is secure against active adversaries using MACs to verify the integrity of computations, and does not require any kind of trusted third parties; it requires however expensive somewhat homomorphic encryption (SHE) to generate the triples used to compute multiplication of secrets. SPDZ2 [5] offers various improvements of the offline phase of SPDZ, and allows the MACs to be checked without revealing its key, thus allowing the MAC to be reused after it is checked. Mascot [9] uses oblivious transfer rather than SHE to further improve the performance of the offline phase and generate triples.
The literature following SPDZ mainly improves the offline phase, while FMPC innovates on the online phase. Most multiparty protocols for arithmetic circuits based on secret-sharing that scale to an arbitrary number of users are based on the algebra introduced by Donald Beaver [2]. They thus require triples to compute multiplication of secrets and impose communication between nodes during the online phase; their online latency therefore increases with the number of multiplications to evaluate. FMPC comes with a different tradeoff: FMPC nodes do not communicate during the online phase and thus enjoy constant (and low) online latency in the size of the circuit, at the cost of not supporting composition of operations (see Section VIII) which makes FMPC only suitable to evaluate low-depth circuits. Established secret-sharing protocols face a tradeoff between security and online latency—adding nodes improves security but increases latency. FMPC forgoes this tradeoff since multiplications can always be performed by two nodes (see Section VI); however its security relies on the choice of the mask functions.
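The online cost of the triple-based multiplication described here and in the Introduction can be made concrete. The following is an added example, not code from the paper or from SPDZ: it implements textbook Beaver multiplication over additive shares with a trusted dealer standing in for the offline phase, passive security only, and a constructed field modulus; the function names are chosen for this illustration.

```python
import secrets

P = 2**61 - 1  # prime field modulus (constructed for this example)

def share(value, n):
    """Split value into n additive shares modulo P, one per node."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % P)
    return parts

def reconstruct(shares):
    return sum(shares) % P

def add_shares(x_sh, y_sh):
    """Addition is local: each node adds its own two shares, no messages."""
    return [(x + y) % P for x, y in zip(x_sh, y_sh)]

def deal_triple(n):
    """Offline phase stand-in: shares of random a, b and of c = a*b."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a, n), share(b, n), share(a * b % P, n)

def beaver_multiply(x_sh, y_sh, triple):
    """Online multiplication; returns (shares of x*y, messages exchanged)."""
    a_sh, b_sh, c_sh = triple
    n = len(x_sh)
    # Each node broadcasts its shares of the blinded values d = x - a
    # and e = y - b; this is the online communication round.
    d = reconstruct([(x - a) % P for x, a in zip(x_sh, a_sh)])
    e = reconstruct([(y - b) % P for y, b in zip(y_sh, b_sh)])
    messages = 2 * n * (n - 1)  # two values from every node to every other
    # x*y = c + d*b + e*a + d*e, with the public term d*e added once.
    z_sh = [(c + d * b + e * a) % P for a, b, c in zip(a_sh, b_sh, c_sh)]
    z_sh[0] = (z_sh[0] + d * e) % P
    return z_sh, messages

def product_chain(values, n):
    """Multiply secrets sequentially; returns (product, rounds, messages)."""
    acc = share(values[0], n)
    rounds = messages = 0
    for v in values[1:]:
        acc, sent = beaver_multiply(acc, share(v, n), deal_triple(n))
        rounds += 1
        messages += sent
    return reconstruct(acc), rounds, messages

if __name__ == "__main__":
    print(product_chain([3, 5, 7, 11], n=3))
```

Each multiplication consumes one triple and one broadcast round, so the round count grows with the multiplicative depth while additions stay free of communication.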
VIII Limitations and Future Work
FMPC has several limitations that are beyond the scope of this work, and deferred to future work. FMPC (i) does not support composition of operations. That is, while most established schemes [6, 5, 9] can evaluate expressions like with two additions and one multiplication, FMPC needs to distribute the operation and evaluate . This limitation is problematic for large computations and makes FMPC suitable only to evaluate circuits with a relatively small number of multiplications. Other limitations are (ii) that the security and efficiency of the scheme rely on the choice of the mask functions. We also defer as future work (iv) adapting our scheme to withstand active adversaries, potentially adapting the MAC-based approach introduced by SPDZ [6].
IX Conclusions
FMPC is a novel secret-sharing multiparty computation protocol of arithmetic circuits that requires no online communication between nodes to compute multiplication of secrets; FMPC innovates on the online phase by applying Fourier series to Parseval’s identity. FMPC enjoys constant latency in the size of the circuit, but is only suitable to evaluate low-depth circuits. We introduce the first generalization of Parseval’s identity for Fourier series applicable to an arbitrary number of inputs, and use it to allow FMPC to operate on an arbitrary number of inputs. FMPC paves the way for a new kind of multiparty computation protocol, hopefully encouraging discussions and spurring new directions to explore.
Acknowledgements
This work is supported by the EU H2020 DECODE project under grant agreement number 732546 as well as chainspace.io. We thank George Danezis for helpful suggestions on an early manuscript and valuable advice, and Yiannis Psaras for comments and proofreading.
References
 [1] (2014) How to garble arithmetic circuits. SIAM Journal on Computing 43 (2), pp. 905–929.
 [2] (1991) Efficient multiparty protocols using circuit randomization. In Annual International Cryptology Conference, pp. 420–432.
 [3] (2011) Semihomomorphic encryption and multiparty computation. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 169–188.
 [4] (1965) An algorithm for the machine calculation of complex fourier series. Mathematics of computation 19 (90), pp. 297–301.
 [5] (2013) Practical covertly secure mpc for dishonest majority–or: breaking the spdz limits. In European Symposium on Research in Computer Security, pp. 1–18.
 [6] (2012) Multiparty computation from somewhat homomorphic encryption. In Advances in Cryptology–CRYPTO 2012, pp. 643–662.
 [7] (2013) Constantoverhead secure computation of boolean circuits using preprocessing. In Theory of Cryptography, pp. 621–641.
 [8] (2014) Table of integrals, series, and products. Academic press.
 [9] (2016) MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In ACM SIGSAC Conference on Computer and Communications Security, pp. 830–842.
 [10] (2015) Efficient constant round multiparty computation combining bmr and spdz. In Annual Cryptology Conference, pp. 319–338.
 [11] (2012) A new approach to practical activesecure twoparty computation. In Advances in Cryptology–