A Secret-Sharing Based MPC Protocol for Boolean Circuits with Good Amortized Complexity

We present a new secure multiparty computation protocol in the preprocessing model that allows for the evaluation of a number of instances of a boolean circuit in parallel, with a small online communication complexity per instance of 10 bits per party and multiplication gate. Our protocol is secure against an active dishonest majority, and can also be transformed, via existing techniques, into a protocol for the evaluation of a single "well-formed" boolean circuit with the same complexity per multiplication gate, at the cost of some overhead that depends on the topology of the circuit. Our protocol uses an approach introduced recently in the setting of honest majority and information-theoretical security which, using an algebraic notion called reverse multiplication friendly embeddings, essentially transforms a batch of evaluations of an arithmetic circuit over a small field into one evaluation of another arithmetic circuit over a larger field. To obtain security against a dishonest majority we combine this approach with the well-known SPDZ protocol that operates over a large field. Structurally our protocol is most similar to MiniMAC, a protocol which bases its security on the use of error-correcting codes, but our protocol has a communication complexity which is half of that of MiniMAC when the best available binary codes are used. With respect to a certain variant of MiniMAC that utilizes codes over larger fields, our communication complexity is slightly worse; however, that variant of MiniMAC needs a much larger preprocessing than ours. We also show that our protocol has smaller amortized communication complexity than Committed MPC, a protocol for general fields based on homomorphic commitments, if we use the best available constructions for those commitments. Finally, we construct a preprocessing phase from oblivious transfer based on ideas from MASCOT and Committed MPC.


Introduction
The area of secure multiparty computation (MPC) studies how to design protocols that allow for a number of parties to jointly perform computations on private inputs in such a way that each party learns a private output, but nothing else than that. In the last decade, efficient MPC protocols have been developed that can be used in practical applications.

(Acknowledgements: Jaron Skovsted Gundersen wants to acknowledge the SECURE project at Aalborg University. Furthermore, he wants to thank IMDEA Software Institute for hosting a visit to Ignacio Cascudo in connection to this paper.)
In this work we focus on secret-sharing based MPC protocols, which are among the most used in practice. In secret-sharing based MPC, the target computation is represented as an arithmetic circuit consisting of sum and multiplication gates over some algebraic ring; each party initially shares her input among the set of parties, and the protocol proceeds gate by gate, where at every gate a sharing of the output of the gate is created; in this manner eventually parties obtain shares of the output of the computation, which can then be reconstructed.
A common practice is to use the preprocessing model, where the computation is divided into two stages: a preprocessing phase, which is completely independent of the inputs and whose purpose is to distribute some correlated randomness among the parties; and an online phase, where the actual computation is performed with the help of the preprocessing data. This approach allows for pushing much of the complexity of the protocol into the preprocessing phase and having very efficient online computations in return.
Some secret-sharing based MPC protocols obtain security against any static adversary which actively corrupts all but one of the parties in the computation, assuming that the adversary is computationally bounded. Since in the active setting corrupted parties can arbitrarily deviate from the protocol, some kind of mechanism is needed to detect such malicious behaviour, and one possibility is the use of information-theoretic MACs to authenticate the secret-shared data, as is done in protocols such as BeDOZa [3] and SPDZ [13].
In SPDZ this works as follows: the computation to be performed is given by an arithmetic circuit over a large finite field F. There is a global key α ∈ F which is secret-shared among the parties. Then for every value x ∈ F in the computation, parties obtain not only additive shares for that value, but also for the product α · x, which acts as a MAC for x. The idea is that if a set of corrupt parties change their shares and pretend that this value is x + e, for some nonzero error e, then they would also need to guess the correction value α · e for the MAC, which amounts to guessing α since F is a field. In turn this happens with probability 1/|F|, which is small when the field is large.
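The MAC mechanism just described can be sketched in a few lines of Python. This is a toy, trusted-dealer simulation of ours (the dealer role is played by the preprocessing phase in the real protocol), using a small prime field as a stand-in for the large field F; all names are illustrative, not from the paper.

```python
import secrets

P = 2**61 - 1   # toy prime field standing in for the large field F

def share(v, n):
    """Additive sharing of v among n parties."""
    s = [secrets.randbelow(P) for _ in range(n - 1)]
    s.append((v - sum(s)) % P)
    return s

# trusted-dealer setup (done by the preprocessing phase in the real protocol)
n = 3
alpha = secrets.randbelow(P)            # global MAC key, secret-shared
alpha_sh = share(alpha, n)
x = 42
x_sh = share(x, n)                      # additive shares of the value
mac_sh = share(alpha * x % P, n)        # additive shares of alpha * x

def mac_check(opened, mac_shares, alpha_shares):
    """Each party P_i publishes z_i = m_i - alpha_i * opened;
    the MAC verifies iff the z_i sum to zero."""
    z = [(m - a * opened) % P for m, a in zip(mac_shares, alpha_shares)]
    return sum(z) % P == 0

assert mac_check(x, mac_sh, alpha_sh)
# A cheater who shifts the opened value by e must also shift the MAC
# shares by alpha * e, i.e. guess alpha; otherwise the check fails:
assert not mac_check((x + 1) % P, mac_sh, alpha_sh)
```

The final check illustrates why an error e succeeds only with probability 1/|F|: passing it would require adding precisely α · e to the MAC shares.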
The problem is that over small fields the cheating success probability 1/|F| is large. While one can take a large enough extension field L of F (e.g. if F = F_2, then L could be the field of 2^s elements) and embed the whole computation into L, this looks wasteful, as communication is blown up by a factor of s.
An alternative was proposed in MiniMAC [14]. MiniMAC uses a batch authentication idea: if we are willing to simultaneously compute k instances of the same arithmetic circuit over a small field at once, we can bundle these computations together and see them as a computation of an arithmetic circuit over the ring F^k, where the sum and multiplication operations are considered coordinatewise. Note that the same authentication technique as in SPDZ does not directly work over this ring (if |F| is small): if we define the MAC of a data vector x in F^k to be α ∗ x, where the key α is now also a vector in F^k and ∗ is the coordinatewise product, the adversary can introduce an error in a single coordinate with probability 1/|F|. Instead, MiniMAC first encodes every vector x as a larger vector C(x) by means of a linear error-correcting code C with large minimum distance d, and then defines the MAC as α ∗ C(x). Now introducing an error requires changing at least d coordinates of C(x), and the MAC can be fooled with probability only 1/|F|^d. However, when processing multiplication gates, the minimum distance d∗ of the so-called Schur square code C∗ also needs to be large. These requirements on the minimum distances of these two codes have an effect on the communication overhead of the protocol, because the larger d and d∗ are, the worse the relation between the length of messages and the length of the encoding.
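To see why the naive coordinatewise MAC α ∗ x fails over F_2, the following toy Python snippet (our own illustration, not part of MiniMAC) flips a single coordinate and brute-forces the required MAC correction; exactly one of the two possible guesses always passes, i.e. the forgery succeeds with probability 1/2:

```python
import secrets

k = 8
alpha = [secrets.randbelow(2) for _ in range(k)]     # MAC key in F_2^k
x = [1] * k
mac = [a & v for a, v in zip(alpha, x)]              # alpha * x, coordinatewise

# the adversary flips coordinate 0 and must correct the MAC by alpha_0 * e
forged = x[:]
forged[0] ^= 1
hits = 0
for guess in (0, 1):                                 # guess the correction bit
    forged_mac = mac[:]
    forged_mac[0] ^= guess
    if forged_mac == [a & v for a, v in zip(alpha, forged)]:
        hits += 1
assert hits == 1    # one of two guesses works: cheating probability 1/2
```

Encoding x with a distance-d code before applying the key forces the adversary to guess d such corrections at once, which is exactly the point of MiniMAC.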
The same article shows how to adapt this technique for computing a single boolean "well-formed" circuit while retaining the efficiency advantages of the batch simultaneous computation of k circuits. The idea is that if the target boolean circuit is structured into layers of addition and multiplication gates, where each layer has a large number of gates and its inputs are outputs of previous layers, then we can organize them into blocks of k gates of the same type, which can be computed using the above method. We then need an additional step that directs each block of outputs of a layer into the right block of inputs of the next layers; this uses some additional preprocessed random sharings, and some openings, which slightly increases the communication complexity of the protocol.
In this paper, we explore an alternative to the error-correcting codes approach from MiniMAC, using an idea recently introduced in the honest-majority, information-theoretically secure setting [8]. The point is that we can embed the ring F_q^k in some extension field of F_q in such a way that we can make the operations of both algebraic structures, and in particular the products (in one case the coordinatewise product, in the other the product in the extension field), "somewhat compatible": i.e., we map F_q^k into a slightly larger field F_{q^m} with some dedicated linear "embedding" map φ, which satisfies that for any two vectors x, y in F_q^k the field product φ(x) · φ(y) contains all information about x ∗ y; in fact, there exists a "recovery" linear map ψ such that x ∗ y = ψ(φ(x) · φ(y)). The pair (φ, ψ) is called a (k, m)-reverse multiplication friendly embedding (RMFE) and was introduced in [5,8]. With such a tool, [8] embeds k evaluations of a circuit over F_q (i.e. an evaluation of an arithmetic circuit over F_q^k with coordinatewise operations) into one evaluation of a related circuit over F_{q^m}, which is securely computed via an information-theoretically secure MPC protocol for arithmetic circuits over that larger field (more precisely the Beerliova-Hirt protocol [2]). The use of that MPC protocol over F_{q^m} is not black-box, however, as there are a number of modifications that need to be done at multiplication and input gates, for which certain additional correlated information has to be created in the preprocessing phase. Note that the reason for introducing this technique was that Beerliova-Hirt uses Shamir secret-sharing schemes and hyperinvertible matrices, two tools that are only available over large finite fields (larger than the number of parties in the protocol).

Our contributions
In this paper we construct a new secure computation protocol in the dishonest majority setting that allows to compute several instances of a boolean circuit at an amortized cost. We do this by combining the embedding techniques from [8] with the SPDZ methodology. As opposed to [8], where one of the points of the embedding was precisely to use Shamir secret sharing, in our construction vectors x ∈ F_2^k are still additively shared in F_2^k, and it is only the MACs which are constructed and shared in the field F_{2^m}: the MAC of x will be α · φ(x), where φ is the embedding map from the RMFE. Only when processing a multiplication gate are authenticated sharings where the data are shared as elements in F_{2^m} temporarily used. MACs are checked in a batched fashion at the output gate, at which point the protocol aborts if discrepancies are found.
By this method we obtain a very efficient online phase, where processing a multiplication gate requires each party to communicate around 10 bits per evaluation of the circuit, for statistical security parameters like s = 64, 128 (meaning the adversary can successfully cheat with probability at most 2^{-s}, for which in our protocols we need to set m ≥ s).
Our protocol can also be adapted to evaluate a single instance of a boolean circuit by quite directly adapting the ideas in MiniMAC that we mentioned above, based on organizing the circuit in layers, partitioning the layers in blocks of gates, and adding some preprocessing that allows to map each block into the appropriate one in the next layer. The reason is that the maps used between layers of gates are F_2-linear, and essentially all we need to use is the F_2-linearity of the map φ from the RMFE. The actual complexity added by this transformation is quite dependent on the topology of the circuit. Under some general assumptions one can expect to add 2 bits of communication per gate.
Our online phase follows a similar pattern to MiniMAC in the sense that, up to the output phase, every partial opening of a value in F_2^k in our protocol takes place when a partial opening of a C-encoding occurs in MiniMAC. Respectively, we need to open values in F_{2^m} whenever MiniMAC opens C∗-encodings. At every multiplication gate, both protocols need to apply "re-encoding functions" to convert encodings back to the base authentication scheme, which requires a preprocessed pair of authenticated sharings of random correlated elements.
However, the encoding via RMFE that we are using is more compact than the one in MiniMAC; the comparison boils down to comparing the "expansion factor" m/k of RMFEs with the ratio k∗/k between the dimensions of C∗ and C for the best binary codes with good distances of C∗ [7]. We cut the communication cost of multiplication gates by about half with respect to MiniMAC when those binary codes are used. We achieve even better savings in the case of the output gates, since in this case MiniMAC needs to communicate full vectors of the same length as the code, while the input and addition gates have the same cost.
We also compare the results with a modified version of MiniMAC proposed by Damgård, Lauritsen and Toft [12], which allows to save communication cost at multiplication gates by essentially using MiniMAC over the field of 256 elements, at the cost of a much larger amount of preprocessing that essentially provides authenticated sharings of bit decompositions of the F_256-coordinates of the elements in a triple, so that parties can compute bitwise operations. This version achieves a communication complexity that is around 80% of that of our protocol, due to the fact that this construction can make use of Reed-Solomon codes. However, it requires creating authenticated sharings of 19 elements, while ours needs 5, and as far as we know no explicit preprocessing protocol has been proposed for this version of MiniMAC.
Finally, we compare the results with Committed MPC [15], a secret-sharing based protocol which uses (UC-secure) homomorphic commitments for authentication, rather than information-theoretical MACs. In particular, this protocol can also be used for boolean circuits, given that efficient constructions of homomorphic commitments [16,10,9] over F_2 have been proposed. These constructions of homomorphic commitments also use error-correcting codes. We find that, again, the smaller expansion m/k of RMFEs compared to the relations between the parameters for binary error-correcting codes provides an improvement in the communication complexity of a factor ∼3 for security parameters s = 64, 128.
We also provide a preprocessing phase producing all authenticated sharings of random correlated data that we need. The preprocessing follows the steps of MASCOT [19] (see also [17]) based on OT extension, with some modifications due to the slightly different authentication mechanisms we have and the different format of our preprocessing. All these modifications are easy to carry out based on the fact that φ and ψ are linear maps over F_2. Nevertheless, using the "triple sacrificing" steps from MASCOT that ensure that preprocessed triples are not malformed presents problems in our case for technical reasons. Instead, we use the techniques from Committed MPC [15] in that part of the triple generation.

Related Work
The use of information-theoretical MACs in secret-sharing based multiparty computation dates back to BeDOZa (Bendlin et al., [3]), where such MACs were established between every pair of players. Later SPDZ (Damgård et al., [13]) introduced the strategy consisting of a global MAC for every element, of which every party has a share, and whose key is likewise shared among the parties. TinyOT (Nielsen et al., [21]), a 2-party protocol for binary circuits, introduced the idea of using OT extension in the preprocessing phase. Larraia et al. [20] extended these ideas to a multi-party protocol by using the SPDZ global shared MAC approach. MiniMAC (Damgård and Zakarias, [14]), as explained above, used error-correcting codes in order to authenticate vectors of bits, allowing for efficient parallel computation of several evaluations of the same binary circuit on possibly different inputs. Damgård et al. [12] proposed several improvements for the implementation of MiniMAC, among them the use of an error-correcting code over an extension field, trading smaller communication complexity for a larger amount of preprocessing. Frederiksen et al. [17] gave new protocols for the construction of preprocessed multiplication triples in fields of characteristic two, based on OT extension, and in particular provided the first preprocessing phase for MiniMAC. MASCOT (Keller et al., [19]) built on some of these ideas to create preprocessing protocols for SPDZ based on OT extension. Committed MPC (Frederiksen et al., [15]) is a secret-sharing based secure computation protocol that relies on UC-secure homomorphic commitments instead of homomorphic MACs for authentication, but other than that, it follows a similar pattern to the protocols above. Efficient constructions of UC-secure homomorphic commitments from OT have been proposed by Frederiksen et al. [16] and Cascudo et al. [10] based on error-correcting codes. Later, in [9] a modified construction from extractable commitments, still using
error-correcting codes, was proposed that presents an important advantage for its use in Committed MPC, namely the commitment schemes are multi-verifier.
The notion of reverse multiplication friendly embedding was first explicitly defined and studied in the context of secure computation by Cascudo et al. in [8] and independently by Block et al. in [5]. The former work is in the context of information-theoretically secure protocols, while the latter studied 2-party protocols over small fields where the assumed resource is OLE over an extension field. This is partially based on a previous work also by Block et al. [4], where (asymptotically less efficient) constructions of RMFEs were implicitly used.

Preliminaries
Let F_q denote a finite field with q elements. Vectors are denoted with bold letters as x = (x_1, x_2, ..., x_n), and componentwise products of two vectors are denoted by x ∗ y = (x_1 · y_1, x_2 · y_2, ..., x_n · y_n). Fixing an irreducible polynomial f of degree m in F_q[X], elements in the field F_{q^m} with q^m elements can be represented as polynomials α_0 + α_1 X + ··· + α_{m−1} X^{m−1}, where α_i ∈ F_q. Sums and products of elements are defined modulo f.
In our protocols we will assume a network of n parties who communicate by secure point-to-point channels, and a static adversary who can actively corrupt up to n − 1 of these parties. Our proofs are in the universal composability model [6] (see Appendix C for a brief description of that model).
We recall the notion of reverse multiplication friendly embeddings from [8].
Definition 1. Let k, m ∈ Z^+. A pair of F_q-linear maps (φ, ψ), where φ : F_q^k → F_{q^m} and ψ : F_{q^m} → F_q^k, is called a (k, m)_q-reverse multiplication friendly embedding (RMFE) if for all x, y ∈ F_q^k it holds that

x ∗ y = ψ(φ(x) · φ(y)).

In other words, this tool allows to multiply coordinatewise two vectors over F_q by first embedding them in a larger field with φ, multiplying the resulting images, and mapping the result back to a vector over F_q with the other map ψ.
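As a concrete toy example of Definition 1 (our own illustration, based on the interpolation idea behind the constructions of [8]), a (2, 3)_2-RMFE can be built by letting φ(x_1, x_2) be the polynomial f with f(0) = x_1 and f(1) = x_2, viewed inside F_8 = F_2[X]/(X^3 + X + 1), and letting ψ evaluate back at the points 0 and 1; since the product of two degree-≤1 polynomials has degree ≤ 2 < 3, no information is lost:

```python
# Field elements of F_8 = F_2[X]/(X^3 + X + 1) are 3-bit ints (bit i = coeff of X^i).
def gf8_mul(a, b):
    p = 0
    for i in range(3):                  # schoolbook polynomial multiplication
        if (b >> i) & 1:
            p ^= a << i
    for i in (4, 3):                    # reduce modulo X^3 + X + 1 = 0b1011
        if (p >> i) & 1:
            p ^= 0b1011 << (i - 3)
    return p

# phi interpolates the polynomial f with f(0) = x1, f(1) = x2,
# i.e. f = x1 + (x1 + x2) X, and views it as an element of F_8.
def phi(x):
    x1, x2 = x
    return x1 | ((x1 ^ x2) << 1)

# psi reads a field element as a polynomial c0 + c1 X + c2 X^2
# and evaluates it back at the points 0 and 1.
def psi(c):
    c0, c1, c2 = c & 1, (c >> 1) & 1, (c >> 2) & 1
    return (c0, c0 ^ c1 ^ c2)

# RMFE property: psi(phi(x) * phi(y)) equals the coordinatewise product.
pairs = [(a, b) for a in (0, 1) for b in (0, 1)]
for x in pairs:
    for y in pairs:
        assert psi(gf8_mul(phi(x), phi(y))) == (x[0] & y[0], x[1] & y[1])
```

The exhaustive loop confirms ψ(φ(x) · φ(y)) = x ∗ y on all 16 pairs; the constructions of Theorems 1 and 2 scale this interpolation idea up to larger k and m.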
Several results about the existence of such pairs can be found in [8], both in the asymptotic and concrete settings. For our results we will only need the following construction, which can be obtained via simple interpolation techniques:

Theorem 1 ([8]). For all r ≤ 33, there exists a (3r, 10r − 5)_2-RMFE.
For completeness, we describe how to construct these RMFEs in Appendix B.1.
However, we remark that for implementations it might be more useful to consider the following constructions of RMFEs, which can also be deduced from the general framework in [8] (also based on polynomial interpolation). They have worse rate k/m than those in Theorem 1, but they have the advantage that their image can be in a field of degree a power of two, e.g. F_{q^m} = F_{2^64} or F_{2^128}.

Theorem 2. For any r ≤ 16, there exists a (2r, 8r)_2-RMFE.

For our numerical comparisons we will mainly consider the constructions with better rate in Theorem 1, and point out that, should one want to use Theorem 2 instead, some small overhead in communication is introduced.
It is important to understand some properties and limitations of RMFEs. Because φ and ψ are F_q-linear, we have φ(x + y) = φ(x) + φ(y) and ψ(u + v) = ψ(u) + ψ(v) for all x, y ∈ F_q^k and u, v ∈ F_{q^m}. However, for example, φ(x ∗ y) ≠ φ(x) · φ(y) in general. Likewise we will need to take into account that the composition φ ∘ ψ : F_{q^m} → F_{q^m} is a linear map over F_q but not over F_{q^m}. Therefore (φ ∘ ψ)(α · x) ≠ α · (φ ∘ ψ)(x) for α, x ∈ F_{q^m} in general (it does hold when α ∈ F_q, but this is not too relevant). These limitations on the algebra of φ and ψ posed certain obstacles in the information-theoretical setting [8], since processing multiplication gates required to compute gates given by the map φ ∘ ψ, and this cannot be treated as a simple linear gate over F_{q^m}. The additivity of φ ∘ ψ combined with certain involved preprocessing techniques saved the day there. For completeness (and comparison to our paper) we sum up some of the main details of [8] in Appendix B.2. In our case, we will again encounter problems caused by these limitations, as we explain next, but we can solve them in a different way.
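Using the toy (2, 3)_2-RMFE over F_8 = F_2[X]/(X^3 + X + 1) described earlier (our own illustration), one can verify both halves of this statement directly: φ ∘ ψ is additive, yet it does not commute with multiplication by a field constant:

```python
def gf8_mul(a, b):                       # multiplication in F_8
    p = 0
    for i in range(3):
        if (b >> i) & 1:
            p ^= a << i
    for i in (4, 3):                     # reduce modulo X^3 + X + 1
        if (p >> i) & 1:
            p ^= 0b1011 << (i - 3)
    return p

def phi_psi(c):
    """phi(psi(c)) for the toy (2,3)_2-RMFE: psi evaluates the polynomial
    c0 + c1 X + c2 X^2 at 0 and 1, and phi re-interpolates."""
    c0, c1, c2 = c & 1, (c >> 1) & 1, (c >> 2) & 1
    x1, x2 = c0, c0 ^ c1 ^ c2            # psi(c)
    return x1 | ((x1 ^ x2) << 1)         # phi of that

# F_2-linearity (additivity) holds for all pairs of field elements...
assert all(phi_psi(a ^ b) == phi_psi(a) ^ phi_psi(b)
           for a in range(8) for b in range(8))

# ...but phi∘psi is not F_8-linear: it does not commute with
# multiplication by the constant alpha = X.
alpha, x = 0b010, 0b100                  # alpha = X, x = X^2
assert phi_psi(gf8_mul(alpha, x)) != gf8_mul(alpha, phi_psi(x))
```

This is precisely the obstruction that prevents "taking α inside" a MAC of the form α · φ(·), as discussed in the next section.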

The online phase
In this section we present our protocol for computing simultaneously k instances of a boolean circuit in parallel, which we can see as computing one instance of an arithmetic circuit over the ring F_2^k of length-k boolean vectors with coordinatewise sum and product.
Our strategy is to have mixed authenticated sharings: inputs and all other values x ∈ F_2^k in the computation are additively shared as vectors over F_2^k (we refer to these as data shares), but their MACs are elements α · φ(x) in the larger field F_{2^m}, where α ∈ F_{2^m} is (as in SPDZ) a global key that is additively shared among the parties from the beginning (with α^(i) denoting the share of party P_i), and parties hold additive shares of α · φ(x) also in the field F_{2^m} (the MAC shares). We denote the authentication of x by ⟨x⟩. That is,

⟨x⟩ = ((x^(1), x^(2), ..., x^(n)), (m^(1), m^(2), ..., m^(n))),

where each party P_i holds an additive data share x^(i) ∈ F_2^k and a MAC share m^(i) ∈ F_{2^m}, with Σ_i x^(i) = x and Σ_i m^(i) = α · φ(x). The additivity of φ guarantees that additions can still be computed locally, and we can define ⟨x⟩ + ⟨y⟩ = ⟨x + y⟩, where every party just adds up their shares for both values. Moreover, given a public vector a and ⟨x⟩, parties can also locally compute an authenticated sharing of a + x as

a + ⟨x⟩ = ((x^(1) + a, x^(2), ..., x^(n)), (α^(1) · φ(a) + m^(1), α^(2) · φ(a) + m^(2), ..., α^(n) · φ(a) + m^(n))).

This allows to easily process addition with constants. Moreover, this also allows us to explain how inputs are shared in the first place. In the preprocessing phase, parties have created for each input gate an authenticated random value ⟨r⟩, where r is known to the party that will provide the input x at that gate. This party can just broadcast the difference ε = x − r, and then parties simply compute ε + ⟨r⟩ = ⟨x⟩ by the rule above.
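The bookkeeping for these sharings, the constant-addition rule, and the input procedure can be simulated with the toy (2, 3)_2-RMFE from the preliminaries. This is our own trusted-dealer sketch (shares are XOR shares; vectors in F_2^2 and elements of F_8 are packed into small ints), not the actual protocol implementation:

```python
import secrets
from functools import reduce
from operator import xor

def gf8_mul(a, b):                     # multiplication in F_8 = F_2[X]/(X^3+X+1)
    p = 0
    for i in range(3):
        if (b >> i) & 1:
            p ^= a << i
    for i in (4, 3):
        if (p >> i) & 1:
            p ^= 0b1011 << (i - 3)
    return p

def phi(x):                            # (2,3)_2-RMFE embedding, x packed in 2 bits
    x1, x2 = x & 1, (x >> 1) & 1
    return x1 | ((x1 ^ x2) << 1)

n = 3

def xor_share(v, bits):
    s = [secrets.randbelow(1 << bits) for _ in range(n - 1)]
    s.append(reduce(xor, s, v))        # shares XOR to v
    return s

alpha = secrets.randbelow(8)           # global key in F_8, XOR-shared
alpha_sh = xor_share(alpha, 3)

def authenticate(x):                   # dealer creates <x>: data + MAC shares
    return xor_share(x, 2), xor_share(gf8_mul(alpha, phi(x)), 3)

def add_const(a, data, macs):
    """a + <x>: party 1 adds a to its data share; every party P_i adds
    alpha_i * phi(a) to its MAC share. Entirely local."""
    data = [data[0] ^ a] + data[1:]
    macs = [m ^ gf8_mul(ai, phi(a)) for m, ai in zip(macs, alpha_sh)]
    return data, macs

def is_valid(data, macs, x):           # MAC invariant of <x>
    return reduce(xor, data) == x and reduce(xor, macs) == gf8_mul(alpha, phi(x))

# input procedure: the dealer gives <r> with r known to the input owner,
# who broadcasts eps = x - r; parties set <x> = eps + <r> locally.
x = 0b11
r = secrets.randbelow(4)
r_data, r_macs = authenticate(r)
eps = x ^ r                            # subtraction = XOR in characteristic 2
x_data, x_macs = add_const(eps, r_data, r_macs)
assert is_valid(x_data, x_macs, x)
```

The final assertion checks that the constant-addition rule preserves the MAC invariant Σ_i m^(i) = α · φ(x), which is what makes the input step free of any MAC communication.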
As in SPDZ, parties in our protocol do not need to open any MAC until the output gate. At the output gate, the parties check MACs on random linear combinations of all values partially opened during the protocol, ensuring that parties have not cheated except with probability at most 2^{-m} (we need m ≥ s if s is the statistical security parameter); then, they open the result of the computation and also check that the MAC of the result is correct.
A harder question, as usual, is how to process multiplication gates: given ⟨x⟩, ⟨y⟩, parties need to compute ⟨x ∗ y⟩, which implies not only obtaining an additive sharing of x ∗ y but also of its MAC α · φ(x ∗ y). If we try to apply directly the well-known Beaver technique [1], we encounter the following problem. Suppose we have obtained a random triple ⟨a⟩, ⟨b⟩, ⟨a ∗ b⟩ from the preprocessing phase and, proceeding as usual, parties partially open the values ε = x − a, δ = y − b (a partial opening is an opening of the data shares but not the MAC shares). From here, computing data shares for x ∗ y = ε ∗ δ + ε ∗ b + a ∗ δ + a ∗ b is easy; however, the obstacle lies in computing shares of the MAC

α · φ(x ∗ y) = α · φ(ε ∗ δ) + α · φ(ε ∗ b) + α · φ(a ∗ δ) + α · φ(a ∗ b),

and the two terms in the middle present a problem: for example, for α · φ(a ∗ δ) we have by the properties of the RMFE

α · φ(a ∗ δ) = α · φ(ψ(φ(a) · φ(δ))) = α · (φ ∘ ψ)(φ(a) · φ(δ)).

However, φ ∘ ψ is only F_2-linear, and not F_{2^m}-linear, so we cannot just "take α inside the argument" and use the additive sharing of α · φ(a) given in ⟨a⟩ to compute a sharing of the expression above. Instead, we use a two-step process to compute multiplication gates, for which we need to introduce regular SPDZ sharings of elements x ∈ F_{2^m}, i.e.
both x and its MAC α · x are additively shared in F_{2^m}. We denote these by [x], that is,

[x] = ((x^(1), ..., x^(n)), (m^(1), ..., m^(n))),

where P_i holds x^(i) and m^(i) in F_{2^m}, with Σ_i x^(i) = x and Σ_i m^(i) = α · x. To carry out the multiplication we need to preprocess a triple (⟨a⟩, ⟨b⟩, ⟨c⟩) where c = a ∗ b, and a pair of the form (⟨ψ(r)⟩, [r]) where r is a random element in F_{2^m}. In the first step of the multiplication we compute and partially open a sharing [σ] of

σ = φ(x) · φ(y) + φ(a) · φ(b) + r.   (1)

This can be computed from the ε and δ described above (details will be given later). In the second step, we create ⟨x ∗ y⟩ from (1) by using the properties of the RMFE; namely, applying ψ to (1) gives ψ(σ) = x ∗ y + c + ψ(r), hence

x ∗ y = ψ(σ) + c + ψ(r),

so parties obtain ⟨x ∗ y⟩ = ψ(σ) + ⟨c⟩ + ⟨ψ(r)⟩ via the rule for adding a public constant to an authenticated sharing. We still need to explain how to construct [σ]. For this we introduce some algebraic operations on the two types of authenticated sharings and public values. First, given a public vector a and a shared vector ⟨x⟩ we define

a ∗ ⟨x⟩ = ((φ(a) · φ(x^(1)), ..., φ(a) · φ(x^(n))), (φ(a) · m^(1), ..., φ(a) · m^(n))).

Note that the data shares are shares of φ(a) · φ(x), which is an element of F_{2^m}, and the MAC shares also correspond to additive shares of α · φ(a) · φ(x). However, the data shares are not distributed uniformly in F_{2^m} because φ is not surjective, so one cannot say this equals [φ(a) · φ(x)]. We also define

⟨x⟩ + [y] = ((φ(x^(1)) + y^(1), ..., φ(x^(n)) + y^(n)), (m_x^(1) + m_y^(1), ..., m_x^(n) + m_y^(n))).

With these operations, parties can locally compute

ε ∗ ⟨y⟩ + δ ∗ ⟨x⟩ + φ(ε) · φ(δ) + [r] = [φ(x) · φ(y) + φ(a) · φ(b) + r],

where the sums on the left are defined by just local addition of the data and MAC shares (the public value φ(ε) · φ(δ) is added with the rule for adding constants), and the latter equality can be seen by developing the expressions for ε and δ and using the additivity of φ. The obtained sharing is the [σ] we needed above. Summing up, the whole multiplication gate costs two openings of sharings of vectors in F_2^k and one opening of a sharing of an element in F_{2^m}. Every multiplication gate requires fresh preprocessed correlated authenticated sharings (⟨a⟩, ⟨b⟩, ⟨a ∗ b⟩) and (⟨ψ(r)⟩, [r]) for random a, b, r.
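The two-step multiplication can be exercised end to end with the same toy ingredients (our own sketch: n = 3 parties simulated in one process, a trusted dealer playing the preprocessing phase, and the (2, 3)_2-RMFE with F_8 standing in for F_{2^m}). The assertions check both the data shares and the MAC invariant of the resulting ⟨x ∗ y⟩:

```python
import secrets
from functools import reduce
from operator import xor

def gf8_mul(a, b):                        # multiplication in F_8 = F_2[X]/(X^3+X+1)
    p = 0
    for i in range(3):
        if (b >> i) & 1:
            p ^= a << i
    for i in (4, 3):
        if (p >> i) & 1:
            p ^= 0b1011 << (i - 3)
    return p

def phi(x):                               # F_2^2 -> F_8 (bits packed in ints)
    x1, x2 = x & 1, (x >> 1) & 1
    return x1 | ((x1 ^ x2) << 1)

def psi(c):                               # F_8 -> F_2^2
    c0, c1, c2 = c & 1, (c >> 1) & 1, (c >> 2) & 1
    return c0 | ((c0 ^ c1 ^ c2) << 1)

n = 3

def xor_share(v, bits):
    s = [secrets.randbelow(1 << bits) for _ in range(n - 1)]
    s.append(reduce(xor, s, v))
    return s

alpha = secrets.randbelow(8)
alpha_sh = xor_share(alpha, 3)

def auth_vec(x):                          # <x>: data in F_2^2, MAC = alpha*phi(x)
    return [xor_share(x, 2), xor_share(gf8_mul(alpha, phi(x)), 3)]

def auth_fld(v):                          # [v]: data and MAC both in F_8
    return [xor_share(v, 3), xor_share(gf8_mul(alpha, v), 3)]

def star(pub, sh):                        # pub * <x>: an [.]-type sharing
    e = phi(pub)
    return [[gf8_mul(e, phi(d)) for d in sh[0]],
            [gf8_mul(e, m) for m in sh[1]]]

def add(*sharings):                       # local addition of sharings (XOR)
    return [[reduce(xor, t) for t in zip(*(s[0] for s in sharings))],
            [reduce(xor, t) for t in zip(*(s[1] for s in sharings))]]

def add_pub_fld(c, sh):                   # add public c in F_8 to a [.]-sharing
    return [[sh[0][0] ^ c] + sh[0][1:],
            [m ^ gf8_mul(ai, c) for m, ai in zip(sh[1], alpha_sh)]]

def add_pub_vec(a, sh):                   # add public a in F_2^2 to a <.>-sharing
    return [[sh[0][0] ^ a] + sh[0][1:],
            [m ^ gf8_mul(ai, phi(a)) for m, ai in zip(sh[1], alpha_sh)]]

def open_data(sh):                        # partial opening (data shares only)
    return reduce(xor, sh[0])

# preprocessing: triple (<a>, <b>, <a*b>) and pair (<psi(r)>, [r])
a, b, r = secrets.randbelow(4), secrets.randbelow(4), secrets.randbelow(8)
A, B, C = auth_vec(a), auth_vec(b), auth_vec(a & b)
PSI_R, R = auth_vec(psi(r)), auth_fld(r)

# online multiplication of <x> and <y>
x, y = 0b01, 0b11
X, Y = auth_vec(x), auth_vec(y)
eps = open_data(add(X, A))                # x - a (subtraction = XOR)
delta = open_data(add(Y, B))              # y - b
sigma_sh = add_pub_fld(gf8_mul(phi(eps), phi(delta)),
                       add(star(eps, Y), star(delta, X), R))
sigma = open_data(sigma_sh)               # = phi(x)phi(y) + phi(a)phi(b) + r
Z = add_pub_vec(psi(sigma), add(C, PSI_R))  # <x*y> = psi(sigma) + <c> + <psi(r)>

assert open_data(Z) == (x & y)                          # correct data shares
assert reduce(xor, Z[1]) == gf8_mul(alpha, phi(x & y))  # correct MAC shares
```

Note that the opened σ equals φ(x) · φ(y) + φ(a) · φ(b) + r, so the uniformly random mask r hides all information about x and y, matching the security argument given for the online protocol.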
We present formally the online protocol we just explained, the functionality it implements, and the functionalities needed from preprocessing. The functionality constructing the required preprocessed randomness is given in Figure 2, and relies on the authentication functionality in Figure 1. The latter augments the one in MASCOT [19] by also allowing to authenticate vectors and to compute linear combinations involving the two different types of authenticated values, and it can be realized by means of the [·]- and ⟨·⟩-sharings.
The functionality for our MPC protocol is in Figure 3 and the protocol implementing the online phase is in Figure 4.
Proof. The correctness follows from the explanation above. For more details we refer to Appendix A.1, but we also note that the online phase of this protocol is similar to the online phases of protocols such as [13,14,15,19], except that in every multiplication we additionally need to use the pair (⟨ψ(r)⟩, [r]) in order to transform a [·]-sharing into ⟨x ∗ y⟩. However, since r is uniformly random in the field F_{2^m}, the opened value σ masks any information on x, y.

Comparison with MiniMAC and Committed MPC
We compare the communication complexity of our online phase with that of MiniMAC [14] and Committed MPC [15], two secret-sharing based MPC protocols which are well suited for simultaneously evaluating k instances of the same boolean circuit. We will count broadcasting a message of M bits as communicating M(n − 1) bits (M bits to each other party). This can be achieved using point-to-point channels as described in the full version of [13].
Communication complexity of our protocol. Partially opening a ⟨·⟩-authenticated secret involves 2k(n − 1) bits of communication, since we have one selected party receive the share of each other party and broadcast the reconstructed value. Likewise, partially opening a [·]-authenticated value communicates 2m(n − 1) bits. In our online phase, every input gate requires k(n − 1) bits (the input provider broadcasts x − r), every multiplication gate requires (4k + 2m)(n − 1) bits (two ⟨·⟩-openings and one [·]-opening), and every output gate requires 2k(n − 1) + 2mn bits.

Functionality F_Auth (Figure 1): the functionality maintains two dictionaries, Val and ValField, to keep track of authenticated values; Val stores elements of F_2^k and ValField stores elements of F_{2^m}. Entries in the dictionaries cannot be changed.

MiniMAC. In MiniMAC, every multiplication gate requires partially opening two C-encodings and one C∗-encoding. Since the opened values are codewords of C (resp. C∗), and describing such codewords requires k bits (resp. k∗ bits), the total communication complexity is (4k + 2k∗)(n − 1) bits, so the difference with our protocol depends on the difference between the achievable parameters for their k∗ and our m, compared below. Input gates require k(n − 1) bits, as in our case, and for output gates, since MAC shares are arbitrary vectors in F_2^ℓ (where ℓ is the length of C), a total of 2k(n − 1) + 2ℓn bits are sent. See Appendix B.3 for more details on this.
Committed MPC. Committed MPC [15] is a secret-sharing based MPC protocol that relies on UC-secure additively homomorphic commitments for authentication, rather than on MACs. Efficient commitments of this type have been proposed in works such as [16,10,9], where the main ingredient is again a linear error-correcting code C with parameters [ℓ, k, d]. In Committed MPC, for every x ∈ F_2^k, each party P_i holds an additive share x_i ∈ F_2^k to which she commits towards every other party P_j (in the multi-receiver commitment from [9], this can be accomplished by only one commitment). During most of the online phase there are only partial openings of values, and only at output gates the commitments are checked. Multiplication is done through Beaver's technique. In this case only two values ε, δ are partially opened. In exchange, parties need to communicate in order to compute commitments to δ ∗ a (resp. ε ∗ b) given δ (resp. ε) and the commitments to a (resp. b), at least with current constructions for UC-secure homomorphic commitments. [15, full version, fig. 16] provides a protocol where each of these products with known constant vectors requires to communicate one full vector of length ℓ and two vectors of k∗ components (again ℓ is the length of C and k∗ is the dimension of C∗). In total, the communication complexity of a multiplication is (4k + 4k∗ + 2ℓ)(n − 1) bits. Output gates require opening all the commitments to the shares of the output. Opening a commitment in [16,10,9] requires to send two vectors of length ℓ to every other party, which gives a total complexity of 2ℓ(n − 1)n bits. Input gates have the same cost as in the other two protocols.
Concrete parameters. Summing up, we compare the communication costs of multiplication and output gates in Table 1, since these are the gates where the communication differs.

Gate      | MiniMAC             | Committed MPC           | Our protocol
Multiply  | (4k + 2k∗)(n − 1)   | (4k + 4k∗ + 2ℓ)(n − 1)  | (4k + 2m)(n − 1)
Output    | 2k(n − 1) + 2ℓn     | 2ℓ(n − 1)n              | 2k(n − 1) + 2mn

Table 1. Total number of bits communicated in the different gates in the online phases, when computing k instances of a boolean circuit in parallel. Communication per party is obtained by dividing by n.
The key quantities are the relation between m/k (in our case) and k∗/k and ℓ/k (in the other two protocols). While the possible parameters ℓ, k, d of linear codes have been studied exhaustively in the theory of error-correcting codes, the relations between those parameters and k∗, d∗ are much less studied, at least in the case of binary codes. As far as we know, the only concrete non-asymptotic results are given in [7,11]; in particular, the parameters of the best known binary codes for this purpose are collected in Table 2. On the other hand, the parameters for our protocol depend on those achievable by RMFEs. By Theorem 1, for all 1 ≤ r ≤ 33 there exists an RMFE with k = 3r and m = 10r − 5. Some specific values are shown in Table 3.
This leads to the communication complexities per computed instance of the boolean circuit for security parameters s = 64 and s = 128 given in Table 4. For larger security parameters, the comparison becomes more favourable to our technique, since the "expansion factor" m/k degrades less than the one for known constructions of squares of error-correcting codes.
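The per-instance figures can be reproduced with a short calculation (our own helper, assuming the multiplication cost (4k + 2m)(n − 1) bits derived earlier and picking the smallest RMFE from Theorem 1 with m ≥ s):

```python
def rmfe_params(s):
    """Smallest (k, m) = (3r, 10r - 5) from Theorem 1 with m >= s."""
    r = 1
    while 10 * r - 5 < s:
        r += 1
    assert r <= 33                 # range in which Theorem 1 applies
    return 3 * r, 10 * r - 5

for s in (64, 128):
    k, m = rmfe_params(s)
    # bits per party, per multiplication gate, per instance: the
    # coefficient of (n - 1) in (4k + 2m)(n - 1) / k
    print(f"s={s}: (k, m)=({k}, {m}), mult cost = {(4 * k + 2 * m) / k:.2f}(n-1) bits")
```

For s = 64 this gives (k, m) = (21, 65) and about 10.2(n − 1) bits; for s = 128, (k, m) = (42, 135) and about 10.4(n − 1) bits, matching the "around 10 bits per party" figure quoted in the introduction.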
If instead we want to use Theorem 2, so that we can define the MACs over a field of degree a power of two, then the last column would have complexities 12(n − 1) and 8n + 2(n − 1) in both the cases s = 64 and s = 128.
Comparison with an online communication-efficient version of MiniMAC. In [12], a version of MiniMAC using an error-correcting code over the larger field F_256 was proposed; since the computation is boolean, the protocol needs to be modified in order to allow for bitwise operations instead. The modified version requires the opening of two C∗-encodings at every multiplication gate and a more complicated and much larger preprocessing, where in addition to creating a certain type of multiplication triple, the preprocessing phase needs to provide authenticated sharings of 16 other vectors created from the bit decompositions of the coordinates of the two "factor" vectors in the triple. As far as we know, no preprocessing phase that creates these authenticated elements has been proposed.
The amortized communication complexity of that protocol is 8(n − 1) bits per multiplication gate, per instance of the circuit, which is slightly less than 80% of ours. On the other hand, we estimate that the complexity of the preprocessing would be at least 4 times that of our protocol and possibly larger, based on the number of preprocessed elements and their correlation.
Computation and storage. In terms of storage, each authenticated share of a k-bit vector is m + k bits, which is slightly over 4 bits per data bit. MiniMAC and Committed MPC require a larger storage of ℓ + k bits, because the MAC shares/commitments live in F_2^ℓ. In [12], shares are also around 4 bits per data bit because of the use of Reed–Solomon codes, but the amount of preprocessed data is much larger. In terms of computation, our protocol does slightly better for additions (again because of the shorter shares, and since addition in F_2^m is simply coordinatewise addition over F_2), and the same happens with the additions required by multiplication gates; however, computing the terms ε ∗ y, δ ∗ x, and φ(ε) • φ(δ) requires in total 5 multiplications in F_2^m which, being field multiplications, are more expensive than the coordinatewise ones required by MiniMAC, even if some of those are in the larger space F_2^ℓ.

From batch computations to single circuit computations
We now explain how to adapt our protocol, which was presented as a protocol for the simultaneous secure evaluation of k instances of the same boolean circuit, into a protocol that computes a single evaluation of a boolean circuit with little overhead, as long as the circuit is sufficiently "well-formed". This is a quite straightforward adaptation of the ideas presented in [14]. The technique can be used for any boolean circuit, but it works best when the circuit satisfies a number of features, which we can loosely sum up as follows:

- The circuit is organized in layers, each layer consisting of the same type of gate (either additive or multiplicative). We number the layers in increasing order from the input layer (layer 0) to the output layer.
- For most layers, the number of gates u is either a multiple of k or large enough that the overhead caused by adding dummy gates to reach a multiple of k, so that the gates can be computed in batches of k, is negligible.
- For most pairs of layers i and j, with i < j, the number of output bits from layer i that are used as inputs in layer j is either 0 or large enough that we do not incur much overhead by adding dummy outputs or inputs (again, to achieve blocks of size exactly k).

The idea from [14] is that, given a layer of u gates, where we can assume u = t • k, we organize the inputs of the layer in t blocks of k gates, and we compute each block by using the corresponding subroutine in our protocol.
For that we need to have authenticated shared blocks of inputs ⟨x⟩, ⟨y⟩, where the i-th coordinates x_i, y_i are the inputs of the i-th gate in the block. This assumes gates have fan-in 2. In the case of addition gates we can of course also support arbitrary fan-in, but then we want every gate in the same block to have the same fan-in, again to avoid overheads where we need to introduce dummy 0 inputs. In any case, at the end of the computation of this layer we obtain t authenticated sharings ⟨z⟩.
The question is how to transition to another layer j. Let us assume that layer j takes inputs from l blocks ⟨x_1⟩, ..., ⟨x_l⟩ of k bits each, coming from some previous layer. The issue, of course, is that we are not guaranteed that we can use these directly as input blocks for layer j. We will likely need to reorganize the bits in blocks, we may need to use some of the bits more than once, and we may not need some of the bits of some output blocks at all. At first sight this reorganization may look challenging, because the bits of each x_i are "quite intertwined" in the MAC α • φ(x_i).
However, in all generality, we can define l functions F_1, ..., F_l : F_2^{kl} → F_2^k such that if we write X = (x_1, x_2, ..., x_l) for the concatenation of the output blocks, then F_1(X), ..., F_l(X) are the input blocks we need. These maps are F_2-linear; in fact, each coordinate of each F_i is either a projection to one coordinate of the input or the 0-map. We assume that all these reorganizing functions can be obtained from the description of the function being computed, and that they are therefore known and agreed upon by all parties. Calling F = (F_1, F_2, ..., F_l), suppose we can obtain by preprocessing authenticated sharings ⟨R⟩ and ⟨F(R)⟩, where R = (r_1, r_2, ..., r_l) is again a concatenation in F_2^{kl}. To ease the notation we write (⟨R⟩, ⟨F(R)⟩) and call this a reorganizing pair.
Then reorganizing is done in the following way. The parties compute ⟨x_j⟩ − ⟨r_j⟩ and open these values for j = 1, 2, ..., l. Afterwards, they compute F_j(x_1 − r_1, ..., x_l − r_l) + ⟨F_j(r_1, ..., r_l)⟩ = ⟨F_j(x_1, ..., x_l)⟩, which holds by the linearity of F_j.
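The masking trick above can be sketched with plain bit vectors; the actual protocol applies the same arithmetic to authenticated sharings. Here the map F is represented by a hypothetical selection table: each output coordinate is either a projection to one coordinate of the concatenated input or the 0-map.

```python
import secrets

k, l = 4, 3  # illustrative block size and number of blocks

def apply_F(sel, X):
    """Apply the F_2-linear reorganizing map: each output coordinate of each
    block is a projection to one coordinate of X (an index) or the 0-map (None)."""
    return [[0 if s is None else X[s] for s in block] for block in sel]

def xor_blocks(a, b):
    return [[x ^ y for x, y in zip(ba, bb)] for ba, bb in zip(a, b)]

# Output blocks x_1..x_l from the previous layer and random mask blocks r_1..r_l.
x = [[secrets.randbelow(2) for _ in range(k)] for _ in range(l)]
r = [[secrets.randbelow(2) for _ in range(k)] for _ in range(l)]

# An example selection table: duplicate some bits, drop others.
sel = [[0, 0, 5, None], [1, 2, 3, 4], [None, 11, 6, 0]]

X = [b for blk in x for b in blk]           # concatenation of the x_j
R = [b for blk in r for b in blk]           # concatenation of the r_j
opened = [xi ^ ri for xi, ri in zip(X, R)]  # parties open x_j - r_j blockwise

# F_j(x - r) + F_j(r) = F_j(x), by F_2-linearity of each F_j.
reorganized = xor_blocks(apply_F(sel, opened), apply_F(sel, R))
assert reorganized == apply_F(sel, X)
```

The public values `opened` reveal nothing about X since R is a uniform mask, which is exactly why the pair (⟨R⟩, ⟨F(R)⟩) must come from preprocessing.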
We can add this capability to our setup by including the supplements in Figure 5 to F_Prep, F_MPC, and Π_Online. Apart from this, we also point out that at the input layer a party may need to add dummy inputs so that her input consists of a whole number of blocks of k bits.
Functionality F MPC (supplement) / Protocol Π Online (supplement)

6. Reorganize: To reorganize between layers, take a corresponding reorganizing pair (⟨R⟩, ⟨F(R)⟩).

Of course, it may look as though we have merely moved the problem to the preprocessing phase, since we still need to construct the reorganizing random pairs (⟨R⟩, ⟨F(R)⟩). But this will be easy because of the F_2-linearity of the maps φ and F.
The communication complexity of each reorganizing round is that of opening l vectors in F_2^k, i.e. 2lk(n − 1) bits of communication. The efficiency of this technique therefore depends heavily on the topology of the circuit. For example, if all the output bits of a given layer are used in the next layer and only there, then this technique adds roughly 2 bits of communication per party per gate.

Preprocessing
In this section we present how to obtain the preprocessed correlated randomness needed in our online protocols. The implementation of authentication and the construction of multiplication triples are adapted in a relatively straightforward way from MASCOT. This is because MASCOT is based on bit-OT extension, and working bit-by-bit is well suited to our situation because the maps φ, ψ are F_2-linear. For the preprocessing of multiplication triples we do need to introduce some auxiliary protocols with respect to MASCOT: one is the preprocessing of reencoding pairs (⟨ψ(r)⟩, [r]) that we need for the online protocol anyway; another one creates [r] for a random r in the kernel of ψ, which we need in order to avoid some information leakage in the sacrifice step. Both types of preprocessing can easily be constructed based on the F_2-linearity of ψ. Finally, we use the sacrifice step of Committed MPC rather than the one from MASCOT, because of some technical issues arising from the fact that the image of φ is not the entire field F_2^m, which creates problems when opening certain sharings. Aside from the aforementioned multiplication triples (⟨a⟩, ⟨b⟩, ⟨c⟩) where c = a ∗ b, for the online phase we also need to generate input pairs (r, ⟨r⟩), reencoding pairs of the form (⟨ψ(r)⟩, [r]) and, in case we want to use the techniques of Section 4, layer reorganizing pairs (⟨R⟩, ⟨F(R)⟩).
For an overview of how the functionalities presented in this section depend on each other, consider Figure 6. We use the following basic ideal functionalities: parties can generate uniformly random elements in a finite set using the functionality F_Rand (for notational simplicity we omit referring to F_Rand in the protocols). Moreover, parties have access to a commitment functionality F_Comm, see Figure 7. We also make use of a functionality F_ROT^{n,k} that implements n 1-out-of-2 oblivious transfers of k-bit strings (Figure 8).
We adapt the correlated oblivious product evaluation functionality F_COPEe defined in MASCOT [19]. We recall how this functionality works: we again see the field F_2^m as an F_2-vector space. The functionality as described in [19] takes an input α ∈ F_2^m from one of the parties, P_B, in the initialization phase; then there is an arbitrary number of extend phases where, on input x ∈ F_2^m from P_A, the functionality creates additive sharings of α • x for the two parties. However, if P_A is corrupted it may instead decide to input a vector of elements (x_0, x_1, ..., x_{m−1}) ∈ (F_2^m)^m, in which case the functionality outputs a sharing of Σ_{i=0}^{m−1} x_i • α_i • X^i (where the α_i are the coordinates of α in the basis above). The honest case corresponds to all x_i being equal to x. This functionality from MASCOT corresponds to the steps Initialize and ExtendField in our version (Figure 10). We augment it by adding the step ExtendVector, where party P_A can input a vector x ∈ F_2^k and the functionality outputs an additive sharing of α • φ(x); note that this is more restrictive for a corrupt adversary than ExtendField, since the values φ(x_i) are not free in F_2^m but confined to the image of φ. We define the functionality F_COPEe in Figure 9 and present a protocol implementing it in Figure 10.

Functionality F Rand

1. Upon receiving (Rand, S) from all parties, where S is a finite set, choose a uniformly random element r ∈ S and send it to all parties.

Functionality F Comm

1. Upon receiving (Comm, x, P_i) from P_i and (Comm, P_i) from all other parties, the functionality stores x. Upon receiving an opening command from all parties, the functionality sends x to all parties.
Proposition 1. Π_COPEe securely implements F_COPEe in the F_ROT^{m,λ}-hybrid model.

Proof. The commands Initialize and ExtendField are as in [19] (the latter being called Extend there). The proof for our ExtendVector command is analogous to the one for ExtendField except that, as explained, the ideal functionality restricts the choice by a corrupt P_A of the element that is secret shared. We briefly describe the simulation of ExtendVector together with Initialize.
If P B is corrupted, the simulator receives (α 0 ,...,α m−1 ) from the adversary, and simulates the initialization phase by sampling the seeds at random, and sending the corresponding one to the adversary.It simulates the ExtendVector phase by choosing u i uniformly at random in the corresponding domain, computes q as an honest P B would do and inputs this to the functionality.Indistinguishability holds by the pseudorandomness of F , as shown in [19].
If P_A is corrupted, the simulator receives the seeds from the adversary in the Initialize phase, and from these it computes all the values t_b^i in the ExtendVector phase. Then, when the adversary sends u_i, the simulator extracts the adversary's effective inputs and forwards them to the functionality. In this case all outputs are computed as in the real world, and indistinguishability follows.

Functionality F COPEe
This functionality runs with two parties P_A and P_B and an adversary A. The Initialize phase is run once first; the ExtendVector and ExtendField phases may be run an arbitrary number of times, in arbitrary order.
1. Initialize: On input α ∈ F_2^m from P_B, the functionality stores this value. We identify α with the vector (α_0, α_1, ..., α_{m−1}) of its coordinates in the fixed basis.
2. ExtendVector: On input x ∈ F_2^k from P_A:
(a) If P_A is corrupt, receive instead (x_0, ..., x_{m−1}) ∈ (F_2^k)^m and t ∈ F_2^m from A, where the subscripts indicate that each x_i might differ from x; then compute q such that q + t = Σ_{i=0}^{m−1} φ(x_i) • α_i • X^i.
(b) If both parties are honest, sample t ∈ F_2^m at random and compute q such that q + t = α • φ(x).
(c) If only P_B is corrupt, receive q ∈ F_2^m from A and compute t such that q + t = α • φ(x).
(d) Output t to P_A and q to P_B.
3. ExtendField: On input x ∈ F_2^m from P_A:
(a) If P_A is corrupt, receive instead (x_0, ..., x_{m−1}) ∈ (F_2^m)^m and t ∈ F_2^m from A; then compute q such that q + t = Σ_{i=0}^{m−1} x_i • α_i • X^i.
(b) If both parties are honest, sample t ∈ F_2^m at random and compute q such that q + t = α • x.
(c) If only P_B is corrupt, receive q ∈ F_2^m from A and compute t such that q + t = α • x.
(d) Output t to P_A and q to P_B.
In the Initialize phase, each pair of parties (P_i, P_j) calls the initialize phase of F_COPEe, where P_i inputs a MAC key share. Afterwards, P_j can create authenticated sharings of the desired values, both of boolean vectors and of elements of the larger field: namely, P_j constructs additive random sharings of the individual values and uses the appropriate extend phase of F_COPEe to obtain additive sharings of the MACs. Finally, a random linear combination of the values chosen by P_j is checked; here privacy is achieved by letting P_j include a dummy input x_{t+1} which masks the other inputs.

Proposition 2. Π_Auth securely implements F_Auth in the (F_COPEe, F_Rand, F_Comm)-hybrid model.

Proof. Since the proof is similar to the proof of security for Π_[[•]] in [19], we point out the differences and argue why they have no impact on security.
First of all, note that our functionality, in contrast to Π_[[•]] in [19], has both an Add and a LinComb command. This is because we reserve the LinComb command for linear combinations which output [•]-sharings, while Add outputs a ⟨•⟩-sharing. In any case, the Add and LinComb commands consist of local computations only, so it is trivial to argue their security. The Initialize command only invokes the Initialize command of the ideal functionality F_COPEe, which is exactly the same as in [19]. Since the Open command lets the adversary choose what to open to, there is not much to discuss there either.

Protocol Π COPEe

The protocol is a two-party protocol with parties P_A and P_B that uses PRFs F : {0,1}^λ × {0,1}^λ → F_2^k and F_Field : {0,1}^λ × {0,1}^λ → F_2^m, has access to the ideal functionality F_ROT^{m,λ}, and maintains a global counter j := 0. The Initialize phase is run once first; afterwards the ExtendVector and ExtendField phases may be run an arbitrary number of times, in arbitrary order.

1. Initialize: On input α ∈ F_2^m from P_B: (a) the parties engage in F_ROT^{m,λ}, where P_B inputs (α_0, α_1, ..., α_{m−1}).
Therefore, what we need to discuss are the Input and Check commands. The idea is that if the check in the Input phase passes and the adversary later opens to incorrect values, then the probability of passing any subsequent check is negligible. In comparison to [19] we have both values in F_2^m and vectors in F_2^k, but we can still use the same arguments, because the check in the Input phase and all further checks take place in F_2^m; the simulation and indistinguishability therefore follow by the exact same arguments as in [19].

Input, reencoding, and reorganizing pairs
The two functionalities F_COPEe and F_Auth are the building blocks for the preprocessing. They are very similar in shape to the MASCOT functionalities, but with a few modifications so that sharings can be of vectors instead of field elements in F_2^m. With these building blocks we can produce the preprocessed randomness needed in the online phase.

Protocol Π Auth - Part 1

This protocol additively shares and authenticates elements in F_2^k or F_2^m, and allows linear operations and openings to be carried out on these shares. Note that the Initialize procedure only needs to be called once, to set up the MAC key. We assume access to the ideal functionalities F_Rand, F_Comm, and F_COPEe.

1. Initialize: Each party P_i samples a MAC key share α^(i) ∈ F_2^m. Each pair of parties (P_i, P_j), i ≠ j, calls F_COPEe.Initialize where P_i inputs α^(i).
We also need to construct pairs that allow to re-encode [•]-sharings into ⟨•⟩-sharings after a multiplication. A protocol Π_ReEncodePair producing the pairs (⟨ψ(r)⟩, [r]) for random r ∈ F_2^m is shown in Figure 15.
Protocol Π Auth - Part 2

3. Add: On input (Add, īd, id, a) the parties do the following. If a is an index of Val, they retrieve the shares and MAC shares x^(i), y^(i), m^(i)(x), m^(i)(y), where x corresponds to id and y to the index a in Val; each P_i computes the sums of its shares and MAC shares and stores these under īd. If a is a vector, i.e. a = a, they retrieve the share and MAC share x^(i), m^(i)(x), where x corresponds to id in Val; each P_i computes its share and MAC share of x + a and stores these under Val[īd].
4. LinComb: On input (LinComb, īd, (id_1, id_2, ..., id_s), (id′_1, id′_2, ..., id′_t), c_1, c_2, ..., c_{s+t}, c), where t ≥ 1, each P_i retrieves its shares and MAC shares, computes the corresponding linear combination, and stores the result under īd in ValField.

Proof. First notice that at least one of the parties is honest, and hence r_j = Σ_{i=1}^n r_j^(i) is random because at least one of its terms is. Suppose that at the end of the Combine phase the parties have created (⟨s_j⟩, [r_j]), where possibly s_j ≠ ψ(r_j). Let ε_j = s_j − ψ(r_j) for all j. If all ε_j = 0, the check passes for all i. If instead some ε_j ≠ 0, then for every i the probability that Σ_{j=1}^{t+s} a_{ij} ε_j = 0 is at most 1/2; since the checks are independent, the protocol then aborts except with probability at most 2^{−s}. Note also that b_i = r_{t+i} + Σ_{j=1}^{t} a_{ij} r_j, so opening the b_i reveals no information about the output values r_1, ..., r_t.
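The 1/2 bound per check can be verified by counting: for any fixed nonzero error vector (ε_1, ..., ε_{t+s}), the F_2-combinations Σ_j a_j ε_j vanish for at most half of the coefficient choices. A small exhaustive sketch with toy parameters, encoding vectors of F_2^k as bitmask integers:

```python
from itertools import product

def check_passes(coeffs, eps):
    """XOR-combination of error vectors: True iff sum_j a_j * eps_j = 0 over F_2."""
    acc = 0
    for a, e in zip(coeffs, eps):
        if a:
            acc ^= e
    return acc == 0

def fraction_passing(eps):
    """Fraction of coefficient vectors a in F_2^len(eps) for which the check passes."""
    total = passing = 0
    for coeffs in product([0, 1], repeat=len(eps)):
        total += 1
        passing += check_passes(coeffs, eps)
    return passing / total

# Any nonzero error pattern passes one random check with probability at most 1/2,
# so s independent checks pass with probability at most 2^(-s).
assert fraction_passing([0b0110, 0, 0b1010]) <= 0.5
assert fraction_passing([0, 0, 0]) == 1.0
```

The exhaustive count is of course only feasible for toy sizes; the protocol relies on the same bound holding for each of the s independent random checks.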
Finally, a protocol for producing reorganizing pairs is given in Figure 16.

Protocol Π InputPair
The protocol generates (r, ⟨r⟩), where r ∈ F_2^k is chosen uniformly at random by P_i, the party calling the protocol. The proof of the corresponding security proposition is similar to that of Proposition 4.

Multiplication triples
Our protocol Π_Triple for constructing triples is given in Figure 18. We note that c = a ∗ b = Σ_{i,j} a^(i) ∗ b^(j), and hence sharings of c can be obtained by adding sharings of the summands, where each summand only requires two parties P_i and P_j to interact. Again, the construction step is much like the construction step of the protocol Π_Triple in [19], except that we have modified the protocol so that it produces triples (⟨a⟩, ⟨b⟩, ⟨c⟩) instead of ([a], [b], [c]).
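The decomposition c = a ∗ b = Σ_{i,j} a^(i) ∗ b^(j) holds because the coordinatewise product over F_2 (bitwise AND) distributes over the XOR of additive shares. A toy sketch with random shares, omitting the OTs, MACs, and authentication of the actual protocol:

```python
import secrets
from functools import reduce

n, k = 3, 8  # toy number of parties and block length

# Additive (XOR) shares of a and b, one k-bit share per party.
a_shares = [secrets.randbits(k) for _ in range(n)]
b_shares = [secrets.randbits(k) for _ in range(n)]

a = reduce(lambda x, y: x ^ y, a_shares)
b = reduce(lambda x, y: x ^ y, b_shares)

# Coordinatewise product over F_2 is bitwise AND; each cross term a^(i) * b^(j)
# involves only the pair (P_i, P_j), which is what makes pairwise OT-based
# generation of shares of c possible.
cross_terms = [ai & bj for ai in a_shares for bj in b_shares]
c = reduce(lambda x, y: x ^ y, cross_terms)

assert c == a & b
```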

Protocol Π TripleConstruct
The protocol produces N multiplication triples.
1. Construction: (a) Each P_i samples its shares a^(i), b^(i) ∈ F_2^k uniformly at random; the cross products are then obtained pairwise via OT essentially as in [19], and each P_j sets its share c^(j) accordingly.

In the sacrifice step of [19], the parties sample a random s and open s • [a] − [â], so that they can later verify that a certain sharing opens to 0. Since the second triple will be disregarded, and s • a − â completely masks a because â is uniformly random, no information is revealed about a. In our case we would have triples (⟨a⟩, ⟨b⟩, ⟨c⟩) and (⟨â⟩, ⟨b⟩, ⟨ĉ⟩) and sample a random s ∈ F_2^m, and it would not be the case that φ(â) acts as a proper one-time pad for s • φ(a). A similar problem would arise when adapting the combine step in [19]. Therefore, we proceed as in [15]: in the protocol Π_Triple we start by constructing additive sharings of N = τ_1 + τ_1 • τ_2^2 • T triples. Then some of these triples are opened and checked for correctness, which guarantees that most of the remaining triples are correct. The remaining triples are then organized in buckets, and in each bucket all but one of the triples are sacrificed in order to guarantee that the surviving triple is correct with very high probability. In order to be able to open proper sharings in the sacrifice step we need to add authenticated sharings of an element in the kernel of ψ. We present a functionality serving that purpose in Figure 19 and a protocol implementing it in Figure 20.

Proposition 6. Π_RanKer securely implements F_RanKer in the (F_Auth, F_Rand)-hybrid model with statistical security parameter s.
The main cost of F_Auth.Input is the call to Π_COPEe, where the parties need to send mk(n − 1) bits for each vector authenticated. When a field element is authenticated instead, they need to send m^2 (n − 1) bits. Furthermore, the authenticating party needs to send its shares of the vector being authenticated, but this has a cost of only k(n − 1) bits. Finally, the check is carried out, but we assume that the parties authenticate several vectors/values in one batch, and hence this cost is amortized away.
For the re-encoding pairs we assume that t is much larger than s. This means that in order to obtain a single pair, the parties need to authenticate n field elements and n vectors. Once again we assume that the cost of the check is amortized away, so this gives a total cost of (m^2 + mk)n(n − 1) bits sent.
The same assumption, that t is much larger than s, is made for the reorganizing pairs and for the random elements in the kernel of ψ. This means that the amortized cost of producing a reorganizing pair is (l + l′)n vector authentications, and that obtaining [r] for r ∈ ker(ψ) costs n authentications amortized.
Regarding the communication needed to obtain a single multiplication triple, we ignore the vectors sent in the construction, since authentication is much more expensive. Besides authentication, we make τ_1 τ_2^2 n(n − 1) calls to F_ROT^{k,1}. We authenticate 3τ_1 τ_2^2 n vectors in the construction. Furthermore, we need (τ_1 − 1)τ_2^2 elements from F_RanKer and 2 reencoding pairs for the construction of the triple. The remaining steps are nowhere near as costly, so we ignore them.
In [15] it is suggested to use τ_1 = τ_2 = 3. The cost of preparing a multiplication gate with these parameters is that of producing 3 reencoding pairs (2 for the preprocessing and 1 for the online phase), 18 authenticated elements in the kernel of ψ, and the multiplication triple itself, which requires 27 calls to F_ROT^{k,1} and 3 • 27 authentications of vectors. Using m = 3.1k from Table 3 in order to obtain security s ≥ 64, and ignoring the calls to F_ROT^{k,1}, the communication follows from the counts above; similarly, in order to obtain s ≥ 128 we use m = 3.21k from Table 3, and the communication becomes 486.03 • k^2 n(n − 1) bits.

A Proofs
A.1 Proof of Theorem 3

Proof. The initialization phase consists only of communication with F_Prep. To simulate an input by a party P_i: if the party providing the input is not corrupted, the simulator samples and broadcasts a random ε. If it is corrupted, then when the adversary broadcasts ε, the simulator extracts x = ε + r and inputs (Input, id, x, P_i) to F_MPC. Additions consist of local computations and are trivial to simulate. For every multiplication, the simulator generates uniformly random vectors ε and δ and a uniformly random field element σ. The simulator sends these values to the (internal copy of the) adversary, who opens (ε′, δ′, σ′). If for some multiplication the tuple (ε′, δ′, σ′) differs from the one sent by the simulator, the simulator aborts when simulating the first check in the output phase. If not, the simulator receives the output z from F_MPC.Output and sends it to the adversary. If the adversary replies with a value z′ different from z, the simulator aborts at the second check.

A.2 Proof of Proposition 7
Proof. The proof uses arguments similar to those in [15].
Denoting the adversarial error terms as in the construction, summing up the shares we see that we end up with c_l = a_l ∗ b_l + e_{a_l} ∗ b_l + e_{auth,l}, where the adversary controls e_{a_l} and e_{auth,l}. We call the triple malformed if e_{a_l} ∗ b_l + e_{auth,l} ≠ 0. We now argue that the bucketing technique from [15] guarantees that after the cut-and-choose and sacrifice steps, if the protocol does not abort, then the surviving triples are not malformed with very large probability. This is based on the following lemma.
Lemma 1 ([15,18]). Let N = τ_1 + τ_1 • τ_2^2 • T be the number of constructed triples, where the statistical security parameter s satisfies the bound given in [15,18]. If τ_1 random triples are opened and all of them are correct, then splitting the remaining τ_1 • τ_2^2 • T triples into buckets of size τ_1 ensures that, except with probability 2^{−s}, either all buckets consist of correct triples or there is at least one bucket containing both correct and malformed triples.
The lemma states that if the cut-and-choose step passes, we are in one of the two described situations with large probability. Notice that in the first case the sacrifice step passes and we end up with τ_2^2 • T correct triples. In the second case there is some bucket where the protocol aborts in the sacrifice step. To see that the sacrifice step aborts, notice that if there is a pair of triples in a bucket of which exactly one is malformed, then there exists an index l such that either the first or the l-th triple, but not both, is malformed. Then, opening the corresponding value σ_l and applying ψ, we obtain ψ(σ_l) = 0 when both triples are correct, since ψ(r_l) = 0 due to F_RanKer; however, if exactly one of the triples is malformed, we have ψ(σ_l) ≠ 0. Furthermore, notice that if both triples are correct, σ_l is simply a random element from the kernel of ψ.
However, even after the cut-and-choose and sacrifice phases pass, the adversary may have information about some of the triples, because of the following selective failure attacks.
Assume that the adversary has chosen e^(i)_{a_l} ≠ 0 for a single i. If the adversary correctly guesses the entries of b_l lying in the support of e^(i)_{a_l}, the triple is still correct, so the fact that the protocol does not abort leaks those entries of b_l. The argument generalizes to the case where the adversary chooses e^(i)_{a_l} ≠ 0 for several i's.
A similar argument holds when the adversary chooses e^(i)_{b_l} ≠ 0. In this way the adversary can be lucky and introduce errors which cancel out, causing the triples to be correct; the fact that the protocol does not abort when opening values in the sacrifice step then gives the adversary information about some parts of a and b. To make sure that this leakage is removed, we execute a combine step in order to re-establish the randomness.
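The success probability of such a selective-failure guess can be verified by counting: the faulty triple stays correct exactly when e ∗ b = 0 over F_2, i.e. when b vanishes on the support of e, which happens for a 2^{−|supp(e)|} fraction of the b's. A toy sketch with bitmask vectors:

```python
k = 6  # toy vector length

def support_size(e):
    return bin(e).count("1")

def fraction_still_correct(e, k):
    """Fraction of b in F_2^k for which the error term e * b (bitwise AND)
    vanishes, i.e. for which the faulty triple is nevertheless correct."""
    good = sum(1 for b in range(1 << k) if e & b == 0)
    return good / (1 << k)

# An error supported on w coordinates survives undetected with probability 2^(-w).
for e in [0b000001, 0b001010, 0b111000]:
    assert fraction_still_correct(e, k) == 2 ** -support_size(e)
```

This is exactly why a wide error is a bad gamble for the adversary: it is almost certainly caught in the sacrifice step, while a narrow error leaks only a few bits, which the combine step then washes out.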
We call the l-th triple leaky if the adversary has introduced some errors, i.e. if some e^{(j,i)}_{a_l} or e^{(j,i)}_{b_l} is nonzero, but the resulting triple is correct (not malformed). With very high probability, at most s triples are leaky if the sacrifice phase has succeeded.
In order to remove the leakage we apply the Combine steps.For this we need to ensure that after the sacrifice step there is at least one non-leaky triple in each bucket.This is ensured by the following lemma.

Lemma 2 ([15]). Inputting at least ((s • e)^{τ_2} • 2^s / τ_2)^{1/(τ_2 − 1)} triples to the combine step, where at most s of them are leaky in the component being combined on, every bucket of τ_2 triples contains at least one non-leaky triple (in that component) with overwhelming probability in s.
Notice that if a bucket contains at least one non-leaky triple in the component being combined on, then the output triple cannot be leaky in that component, and hence a and b are random in F_2^k after the combine steps.
B Results and techniques from [14] and [8]

B.1 Reverse Multiplication Friendly Embeddings (RMFE) [8]

In this section we describe how to construct the RMFEs presented in Theorem 1. The resulting RMFEs are concatenations of two RMFEs, each coming from the following lemma (Lemma 4 in [8]).
First, recall that the extension field F_{q^m} can be represented as F_{q^m} = F_q[X]/(h(X)), that is, polynomials in F_q[X] modulo an irreducible polynomial h of degree m. Let us call β = X mod h(X). We can write F_{q^m} = F_q(β), in the sense that every element of F_{q^m} can be seen as a polynomial of degree at most m − 1 in β, where we apply the rule h(β) = 0 when multiplying.
Moreover, recall that if m = m_1 • m_2 we can also view the field F_{q^m} as an extension of F_{q^{m_1}}, writing F_{q^m} = F_{q^{m_1}}(γ), where the minimal polynomial of γ over F_{q^{m_1}} is irreducible of degree m_2 (we remark, however, that despite yielding the same field, the two representations are not identical, so if we work with both we need an isomorphism taking one into the other).

Lemma 3. For all 1 ≤ k ≤ q + 1 there exists a (k, 2k − 1)_q-RMFE.

Proof. The proof is constructive. Let F_q[X]_{≤k−1} denote the set of polynomials over F_q of degree ≤ k − 1. Choose k distinct elements (x_1, x_2, ..., x_k) in F_q ∪ {∞_{k−1}}, where ∞_r is a formal symbol whose "evaluation" on f ∈ F_q[X]_{≤r} yields the coefficient of X^r. Let F_{q^{2k−1}} = F_q(β) and define the maps

φ : F_q^k → F_{q^{2k−1}}, (f(x_1), ..., f(x_k)) ↦ f(β) for f ∈ F_q[X]_{≤k−1},
ψ : F_{q^{2k−1}} → F_q^k, g(β) ↦ (g(x_1), ..., g(x_k)) for g ∈ F_q[X]_{≤2k−2}.

Using the fact that (f • g)(β) = f(β) • g(β) and (f • g)(x_i) = f(x_i) • g(x_i) for all f, g ∈ F_q[X]_{≤k−1}, the RMFE property holds.
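For q = 2 and k = 3 the construction of Lemma 3 yields a (3,5)_2-RMFE, the inner RMFE of the concatenations behind Theorem 1. The sketch below is illustrative: it fixes F_32 = F_2[X]/(X^5 + X^2 + 1) and the evaluation points 0, 1, ∞_2, and checks the multiplication property ψ(φ(x) • φ(y)) = x ∗ y exhaustively.

```python
# Illustrative (3,5)_2-RMFE following Lemma 3 with q = 2, k = 3, m = 2k - 1 = 5.
# Elements of F_32 are 5-bit ints (bit i = coefficient of X^i);
# 3-bit ints encode vectors in F_2^3.

IRRED = 0b100101  # X^5 + X^2 + 1, irreducible over F_2

def gf32_mul(a, b):
    """Multiply in F_32: carry-less product, then reduction modulo IRRED."""
    p = 0
    for i in range(5):
        if (b >> i) & 1:
            p ^= a << i
    for d in range(8, 4, -1):  # reduce any terms of degree 5..8
        if (p >> d) & 1:
            p ^= IRRED << (d - 5)
    return p

def phi(v):
    """phi: F_2^3 -> F_32. Interpolate f with f(0) = v1, f(1) = v2,
    f(inf_2) = v3, i.e. c0 = v1, c1 = v1+v2+v3, c2 = v3; return f(beta)."""
    v1, v2, v3 = v & 1, (v >> 1) & 1, (v >> 2) & 1
    return v1 | ((v1 ^ v2 ^ v3) << 1) | (v3 << 2)

def psi(g):
    """psi: F_32 -> F_2^3. Evaluate the degree-<=4 representative g at
    0, 1 and infinity: (g(0), g(1), coefficient of X^4)."""
    at0 = g & 1
    at1 = bin(g).count("1") & 1
    atinf = (g >> 4) & 1
    return at0 | (at1 << 1) | (atinf << 2)

# RMFE property: psi(phi(x) * phi(y)) equals the coordinatewise product x AND y.
for x in range(8):
    for y in range(8):
        assert psi(gf32_mul(phi(x), phi(y))) == (x & y)
```

Note that products of two φ-images have degree at most 4, so the modular reduction in `gf32_mul` never fires for them, which is exactly why ψ can read off evaluations of the product polynomial. Also, ψ(φ(x)) ≠ x in general (e.g. x = 0b100 maps to 0), illustrating why a refreshing step is needed between multiplications.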
How to concatenate two RMFEs is described in Lemma 5 of [8]: given a (k_1, m_1)_q-RMFE (φ_1, ψ_1) and a (k_2, m_2)_{q^{m_1}}-RMFE (φ_2, ψ_2), one defines φ by applying φ_1 to each of the k_2 blocks of length k_1 and then φ_2 to the resulting vector in (F_{q^{m_1}})^{k_2}, and ψ by composing ψ_2 with ψ_1 applied coordinatewise. The multiplication property of the two RMFEs carries over to the composition; furthermore, compositions of F_q-linear maps are linear, implying that (φ, ψ) is a (k_1 k_2, m_1 m_2)_q-RMFE.

B.2 The MPC embedding technique in [8]
The protocol in [8] works in the information-theoretic setting. The idea is to embed an evaluation of k instances of a boolean circuit C into one evaluation of an associated arithmetic circuit over the extension field F_2^m using the RMFE, meaning that we take the inputs of C, map them into F_2^m using the map φ from the RMFE, and evaluate the arithmetic circuit on them. Simply replacing the (coordinatewise) sum and product gates in F_2^k by sum and product gates in F_2^m would fall short, since the multiplication property of the RMFE only works for products of exactly two elements: in general x ∗ y ∗ z ≠ ψ(φ(x) • φ(y) • φ(z)) (and this naturally extends to more factors). Moreover, in general x ≠ ψ(φ(x)).
The solution to this problem is to replace every multiplication gate in F_2^k by a "multiplication gadget" consisting of a multiplication gate in F_2^m followed by a "refreshing" gate computing the composition φ ∘ ψ : F_2^m → F_2^m. The addition gates over F_2^k are simply replaced by addition gates over F_2^m. This constitutes our new arithmetic circuit.
The evaluation strategy is then as follows: the inputs (as well as the constant all-one vectors) are mapped from F_2^k into F_2^m with φ. We evaluate the circuit over F_2^m described above and, in the last step, apply φ^{−1}. The rationale is that in such an evaluation every wire of this circuit over F_2^m (consisting of additive gates and multiplication gadgets) carries a value of the form φ(x), where x is the value that would travel on that wire in the corresponding evaluation of the circuit C over F_2^k. The justification for this invariant is that for additive gates it holds by linearity of φ, and for multiplication gadgets φ(x ∗ y) = φ(ψ(φ(x) • φ(y))) = (φ ∘ ψ)(φ(x) • φ(y)), the first equality being a consequence of the RMFE definition.
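The gadget invariant can be checked exhaustively on the toy (3,5)_2-RMFE from Lemma 3 (re-implemented here so the sketch is self-contained): with refreshing, wires keep the form φ(x); without it, chaining three factors already breaks.

```python
IRRED = 0b100101  # F_32 = F_2[X]/(X^5 + X^2 + 1); elements are 5-bit ints

def mul(a, b):
    """General multiplication in F_32 (handles operands of any degree <= 4)."""
    p = 0
    for i in range(a.bit_length()):
        if (a >> i) & 1:
            p ^= b << i
    for d in range(p.bit_length() - 1, 4, -1):
        if (p >> d) & 1:
            p ^= IRRED << (d - 5)
    return p

def phi(v):  # interpolation at 0, 1, inf_2 as in Lemma 3
    v1, v2, v3 = v & 1, (v >> 1) & 1, (v >> 2) & 1
    return v1 | ((v1 ^ v2 ^ v3) << 1) | (v3 << 2)

def psi(g):  # evaluation of the degree-<=4 representative at 0, 1, infinity
    return (g & 1) | ((bin(g).count("1") & 1) << 1) | (((g >> 4) & 1) << 2)

refresh = lambda t: phi(psi(t))  # the phi∘psi "refreshing" gate

# Invariant: a multiplication gadget maps phi(x), phi(y) to phi(x * y).
assert all(refresh(mul(phi(x), phi(y))) == phi(x & y)
           for x in range(8) for y in range(8))

# Without refreshing, three chained factors break: counterexamples exist.
bad = [(x, y, z) for x in range(8) for y in range(8) for z in range(8)
       if psi(mul(mul(phi(x), phi(y)), phi(z))) != (x & y & z)]
assert bad  # the naive identity x*y*z = psi(phi(x)phi(y)phi(z)) fails in general
```

The second assertion makes concrete the remark above that the multiplication property only holds for products of exactly two elements.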
Applying a secure computation protocol for an arithmetic circuit over F_2^m presents two obstacles, as discussed in [8]: one is computing the map φ ∘ ψ in the multiplication gadgets, because this map is only linear over F_2, and not over F_2^m; the other is that parties need to prove that they have embedded their inputs correctly into F_2^m using φ, as a standard MPC protocol over F_2^m is oblivious to whether the inputs lie in a particular subset of the field (in this case the image of φ). Both issues can be solved efficiently by means of an involved preprocessing step which generates randomness in F_2-linear subspaces of F_2^m, combining hyperinvertible matrices [2] and tensoring of vector spaces.

B.3 MiniMAC
In this section, we describe the online phase of MiniMAC.
We use the notation π_k in this section to denote the projection onto the first k coordinates: for a vector x ∈ F_2^{k*} with k* ≥ k, π_k(x) is the vector consisting of the first k entries of x.
The MACs make use of an [ℓ, k, d] linear code C and its square C*, with parameters [ℓ, k*, d*]; the code C* is the linear code spanned by the coordinatewise products of pairs of codewords of C. For x ∈ F_2^k we use the notation ⟨x⟩ to denote that x is secret shared along with MACs on its encoding C(x).
We now describe the online phase of the MiniMAC protocol; it is also presented in Figure 21. For an input gate corresponding to an input from P_i, the party takes a preprocessed pair (r, ⟨r⟩) and broadcasts ε = x − r. All parties can then compute ε + ⟨r⟩ = ⟨x⟩ by local operations. Parties perform linear operations locally according to the following rules:

⟨x⟩ + ⟨y⟩ = ((x^(1) + y^(1), ..., x^(n) + y^(n)), (m^(1)(x) + m^(1)(y), ..., m^(n)(x) + m^(n)(y))) = ⟨x + y⟩,
a + ⟨x⟩ = ((x^(1) + a, x^(2), ..., x^(n)), (α^(1) ∗ C(a) + m^(1)(x), ..., α^(n) ∗ C(a) + m^(n)(x))) = ⟨a + x⟩,

and multiplication of ⟨x⟩ by a public vector is handled similarly. Notice that this describes how the parties locally compute an addition gate; furthermore, it shows that when multiplying by a constant vector we end up with a ⟨•⟩∗-sharing (a sharing with MACs relative to C*). This is what happens in the multiply step, where we end up with ⟨ρ⟩∗ and π_k(ρ) = x ∗ y. However, we need to transform this back into a ⟨•⟩-sharing, and this is what the preprocessed re-encode pair is for. To see that the steps in the protocol perform this transformation correctly, notice that π_k(σ) + r = π_k(ρ) − π_k(s) + r = x ∗ y − r + r = x ∗ y.
We will not go into the details of the MAC check for MiniMAC, but we mention that it is a batch check of random F_2-linear combinations of the encodings of all opened vectors. For more information about the check, see [14].
In addition to these two worlds, the UC-composability framework also considers a G-hybrid model, where the real protocol π makes use of one or more calls to an ideal functionality G.We can extend the definition above and say that π UC-securely implements F if for any adversary for that protocol there is a simulator in the ideal world that can produce the same view for any environment.Then the fundamental result in the UC-framework asserts that if there is another protocol ρ that UC-securely implements G, we can replace the calls in π to the functionality G by calls to ρ without affecting the security.

4. Open: On input (Open, Dict, id, S) from all parties, where S is a non-empty subset of parties: if Dict = Val and Val[id] ≠ ⊥, wait for an x from the adversary and send x to the honest parties in S; if Dict = ValField and ValField[id] ≠ ⊥, wait for an x from the adversary and send x to the parties in S.
5. Check: On input (Check, (id_1, ..., id_s), (id′_1, ..., id′_t), (x_1, ..., x_s), (x′_1, ..., x′_t)) from every party, wait for an input from the adversary. If the adversary inputs OK, Val[id_j] = x_j for j = 1, ..., s, and ValField[id′_j] = x′_j for j = 1, ..., t, return OK to all parties; otherwise abort.
Notation: We use the notation ⟨x⟩ to refer to a value x ∈ F_2^k stored in Val, and [x] to refer to a value x ∈ F_2^m stored in ValField.

Figure 6. Overview of the dependencies among the protocols needed for the preprocessing.

Figure 10. Correlated oblivious product evaluation with errors.

1. Construct: (a) P_i chooses r ∈ F_2^k uniformly at random. (b) P_i calls F_Auth.Input to obtain ⟨r⟩ and outputs this authenticated share.
The parties compute ⟨a_l⟩ = Σ_{i=1}^{n} ⟨a_l^(i)⟩, and proceed similarly to obtain ⟨b_l⟩ and ⟨c_l⟩.
Denote by a^{(j,i)} the value sent by a corrupt party P_j to an honest party P_i where it should have sent a^{(j)} as the "input" for some specific instance (for example, the lowest index i of an honest party), and define the errors e^{(j,i)}_{a_l} accordingly. Denoting the set of corrupt parties by A, we define e^{(i)}_{b_l} = Σ_{j∈A} e^{(j,i)}_{b_l} and e^{(i)}_{a_l} = Σ_{j∈A} e^{(j,i)}_{a_l}. Summing up the shares c^{(i)}_l yields a_l ∗ b_l plus error terms involving b_l. Additionally, the adversary can add an extra error by authenticating to another value; that is, it can introduce an error e_{auth,l}. Suppose e^{(i)}_{a_l} ≠ 0 for a single i. If the adversary is able to guess the entries of b_l at the nonzero entries of e^{(i)}_{a_l}, it can still obtain c_l = a_l ∗ b_l; the probability of this happening is 2^{−|supp(e^{(i)}_{a_l})|}.
Here Σ_{i=1}^{n} m^{(i)}(x) = α ∗ C(x), where C(x^{(i)}) is the encoding of x^{(i)} in C.

Table 4. Total number of bits sent per instance at multiplication and output gates. Output row: 24.22 • n + 2(n − 1); 24.22 • (n − 1)n; 6.42 • n + 2(n − 1). The larger field F_256 enables the use of a Reed–Solomon code, for which k* = 2k − 1.