We’re sorry, something doesn't seem to be working properly.

Please try refreshing the page. If that doesn't work, please contact support so we can address the problem.


Efficient Constant-Round Multi-party Computation Combining BMR and SPDZ


Recently, there has been huge progress in the field of concretely efficient secure computation, even while providing security in the presence of malicious adversaries. This is especially the case in the two-party setting, where constant-round protocols exist that remain fast even over slow networks. However, in the multi-party setting, all concretely efficient fully secure protocols, such as SPDZ, require many rounds of communication. In this paper, we present a constant-round multi-party secure computation protocol that is fully secure in the presence of malicious adversaries and for any number of corrupted parties. Our construction is based on the constant-round protocol of Beaver et al. (the BMR protocol) and is the first version of that protocol that is concretely efficient for the dishonest majority case. Our protocol includes an online phase that is extremely fast and mainly consists of each party locally evaluating a garbled circuit. For the offline phase, we present both a generic construction (using any underlying MPC protocol) and a highly efficient instantiation based on the SPDZ protocol. Our estimates show the protocol to be considerably more efficient than previous fully secure multi-party protocols.

This is a preview of subscription content, log in to check access.

Access options

Buy single article

Instant unlimited access to the full article PDF.

US$ 39.95

Price includes VAT for USA

Fig. 1


  1. 1.

    In our construction, we use a pseudorandom function as opposed to a pseudorandom generator used in the original BMR [1].

  2. 2.

    Their original work also offers a version against a malicious adversary; however, it requires an honest majority and is not concretely efficient.

  3. 3.

    We assume that the parties interact over a point-to-point network.

  4. 4.

    The external values (as denoted in [2]) are the signals (as denoted in [1]) observable by the parties when evaluating the circuit in the online phase.

  5. 5.

    Recall that we write our protocol assuming a broadcast channel. Thus, even though we write that in the output stage all parties receive output if \(i=0\), when instantiating the broadcast channel with the simple echo-broadcast described in Sect. 2, some of the honest parties may receive the output and some may abort.

  6. 6.

    Multiplication (Beaver) triples are a standard part of the implementation of the SPDZ protocol; we assume familiarity with this method in this paper.

  7. 7.

    By “MPC Engine,” we refer to the underlying secure computation, the SPDZ functionality in this case.

  8. 8.

    This analysis refers to the complexity of the circuit that the parties garble in the offline phase, not the circuit that the parties wish to compute over their private inputs (i.e., \(C_f\)).

  9. 9.

    These Random calls are followed immediately with an Open to a party. However, in SPDZ Random followed by Open has roughly the same cost as Random alone.

  10. 10.

    Note that unlike [29] and other Yao-based techniques we cannot process XOR gates for free. On the other hand, we are not restricted to only two parties.

  11. 11.

    In this section, we actually refer to the execution in the hybrid model where the parties have access to the underlying MPC functionality. We denote it as real execution for convenience.

  12. 12.

    Note that the correctness property has shown earlier holds for every input of the honest parties \(x_J\); thus, in order to decide whether to instruct the trusted party to “halt” or “continue” \(\mathcal {S'_{{\text {OUR}}}}\) can just use some fake input \(x_J=0^{|J|}\).

  13. 13.

    The decision whether to abort or not is not based on whether the adversary cheated or not, but is rather based on the actual evaluation of the circuit because there might be cases where the adversary cheats and influences only the corrupted parties, for example, when cheating in ith PRF values used in a garbled gate of some gate whose output wire is a circuit-output wire (where \(i\in I\)).


  1. 1.

    D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols, in 22nd STOC, pp. 503–513, 1990

  2. 2.

    A. Ben-David, N. Nisan, B. Pinkas, M. P. Fairplay, A system for secure multi-party computation, in ACM CCS, pp. 257–266, 2008

  3. 3.

    A. Ben-Efraim, Y. Lindell, E. Omri, Optimizing semi-honest secure multiparty computation for the internet, in ACM CCS, pp. 578–590, 2016

  4. 4.

    A. Ben-Efraim, Y. Lindell, E. Omri, Efficient scalable constant-round MPC via garbled circuits, in ASIACRYPT, pp. 471–498, 2017

  5. 5.

    M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in 20th STOC, pp. 1–10, 1988

  6. 6.

    D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols, in 20th STOC, pp. 11–19, 1988

  7. 7.

    S. G. Choi, J. Katz, A. J. Malozemoff, V. Zikas, Efficient three-party computation from cut-and-choose, in CRYPTO, pp. 513–530, 2014

  8. 8.

    R. Cleve, Limits on the security of coin flips when half the processors are faulty (extended abstract), in 18th STOC, pp. 364–369, 1986

  9. 9.

    I. Damgård, Y. Ishai, Constant-round multiparty computation using a black-box pseudorandom generator, in CRYPTO, pp. 378–394, 2005

  10. 10.

    I. Damgård, M. Keller, E. Larraia, C. Miles, N. P. Smart, Implementing AES via an actively/covertly secure dishonest-majority MPC protocol, in SCN, pp. 241–263, 2012

  11. 11.

    I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, N. P. Smart, Practical covertly secure MPC for dishonest majority—or: Breaking the SPDZ limits, in ESORICS, pp. 1–18, 2013

  12. 12.

    I. Damgård, V. Pastro, N. P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in CRYPTO, pp. 643–662, 2012

  13. 13.

    P. Feldman, S. Micali, An optimal probabilistic protocol for synchronous byzantine agreement. SIAM Journal on Computing 26(4), 873–933 (1997)

  14. 14.

    O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in 19th STOC, pp. 218–229, 1987

  15. 15.

    S. Goldwasser, Y. Lindell, Secure computation without agreement, in DISC, pp. 17–32, 2002

  16. 16.

    C. Hazay, P. Scholl, E. Soria-Vazquez, Low cost constant round MPC combining BMR and oblivious transfer, in ASIACRYPT, pp. 598–628, 2017

  17. 17.

    Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer—efficiently, in CRYPTO, pp. 572–591, 2008

  18. 18.

    J. Katz, R. Ostrovsky, A. D. Smith, Round efficiency of multi-party computation with a dishonest majority, in EUROCRYPT, pp. 578–595, 2003

  19. 19.

    M. Keller, E. Orsini, P. Scholl, MASCOT: faster malicious arithmetic secure computation with oblivious transfer, in ACM CCS, 2016, pp. 830–842, 2016

  20. 20.

    M. Keller, P. Scholl, N. P. Smart, An architecture for practical actively secure MPC with dishonest majority, in ACM CCS, pp. 549–560, 2013

  21. 21.

    M. Keller, A. Yanai, Efficient maliciously secure multiparty computation for RAM, in EUROCRYPT, 2018, pp. 91–124, 2018

  22. 22.

    E. Larraia, E. Orsini, N. P. Smart, Dishonest majority multi-party computation for binary circuits, in CRYPTO, 2014, pp. 495–512, 2014

  23. 23.

    Y. Lindell, Fast cut-and-choose based protocols for malicious and covert adversaries, in CRYPTO, pp. 1–17, 2013

  24. 24.

    Y. Lindell, B. Riva, Cut-and-choose yao-based secure computation in the online/offline and batch settings, in CRYPTO, pp. 476–494, 2014

  25. 25.

    Y. Lindell, N. P. Smart, E. Soria-Vazquez, More efficient constant-round multi-party computation from BMR and SHE, in 14th TCC 2016-B, pp. 554–581, 2016

  26. 26.

    J. B. Nielsen, P. S. Nordholt, C. Orlandi, S. S. Burra, A new approach to practical active-secure two-party computation, in CRYPTO, pp. 681–700, 2012

  27. 27.

    R. Pass, Bounded-concurrent secure multi-party computation with a dishonest majority, in 36th STOC, pp. 232–241, 2004

  28. 28.

    M. C. Pease, R. E. Shostak, L. Lamport, Reaching agreement in the presence of faults. Journal of ACM 27(2), 228–234 (1980)

  29. 29.

    B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams, Secure two-party computation is practical, in ASIACRYPT, pp. 250–267, 2009

  30. 30.

    T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority, in 21st STOC, pp. 73–85, 1989

  31. 31.

    P. Rogaway, The round complexity of secure protocols. PhD thesis, Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1991

  32. 32.

    A. C. Yao, Protocols for secure computations, in 23rd FOCS, pp. 160–164, 1982

Download references


The first and fourth authors were supported in part by the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013)/ERC consolidators grant agreement no. 615172 (HIPS). The second author was supported under the European Union’s Seventh Framework Program (FP7/2007-2013) grant agreement no. 609611 (PRACTICE), and by a grant from the Israel Ministry of Science, Technology and Space (grant 3-10883). The third author was supported in part by ERC Advanced Grant ERC-2010-AdG-267188-CRIPTO, by EPSRC via grant EP/I03126X and by ERC Advanced Grant ERC-2015-AdGIMPaCT. The first and third authors were also supported by an award from EPSRC (grant EP/M012824), from the Ministry of Science, Technology and Space, Israel, and the UK Research Initiative in Cyber Security. The first, second and fourth authors were supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.

Author information

Correspondence to Benny Pinkas.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

An extended abstract of this paper appeared at CRYPTO 2015; this is the full version.

Communicated by Jonathan Katz.

Appendix: A Generic Protocol to Implement \(\mathcal {F}_{\mathsf {offline}}\)

Appendix: A Generic Protocol to Implement \(\mathcal {F}_{\mathsf {offline}}\)

In this appendix, we give a generic protocol \(\Pi _{\mathsf {offline}}\) which implements \(\mathcal {F}_{\mathsf {offline}}\) using any protocol which implements the generic MPC functionality \(\mathcal {F}_{\mathsf {MPC}}\). The protocol is very similar to the protocol in the main body which is based on the SPDZ protocol; however, this generic functionality requires more rounds of communication (but still requires constant rounds). Phase Two is implemented exactly as in Sect. 4, so the only change we need is to alter the implementation of Phase One, which is implemented as follows:

  1. 1.

    Initialize the MPC Engine: Call Initialize on the functionality \(\mathcal {F}_{\mathsf {MPC}}\) with input p, a prime with \(2^\kappa<p < 2^{\kappa +1}\).

  2. 2.

    Generate wire masks: For every circuit wire w, we need to generate a sharing of the (secret) masking values \(\lambda _{w}\). Thus, for all wires w the players execute the following commands

    • Player i calls InputData on the functionality \(\mathcal {F}_{\mathsf {MPC}}\) for a random value \(\lambda ^{i}_{w}\) of his choosing.

    • The players compute

      $$\begin{aligned}{}[\mu _w]&= \prod _{i=1}^n [\lambda ^{i}_{w}], \\ [\lambda _{w}]&= \frac{[\mu _w]+1}{2}, \\ [\tau _w]&= [\mu _w] \cdot [\mu _w]-1. \end{aligned}$$
    • The players open \([\tau _w]\) and if \(\tau _w \ne 0\) for any wire w they abort.

  3. 3.

    Generate garbled wire values: For every wire w, each party \(i \in [1,\ldots ,n]\) and for \(j \in \{0,1\}\), player i generates a random value \(k^{i}_{w,j} \in {\mathbb {F}}_p\) and call InputData on the functionality \(\mathcal {F}_{\mathsf {MPC}}\) so as to obtain \([k^{i}_{w,j}]\). The vector of shares \([k^{i}_{w,j}]_{i=1}^n\) we shall denote by \([\mathbf{k}_{w,j}]\).

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Lindell, Y., Pinkas, B., Smart, N.P. et al. Efficient Constant-Round Multi-party Computation Combining BMR and SPDZ. J Cryptol 32, 1026–1069 (2019). https://doi.org/10.1007/s00145-019-09322-2

Download citation


  • Secure multiparty computation (MPC)
  • Garbled circuits
  • Concrete efficiency
  • BMR
  • SPDZ