Skip to content

MPC (Multi Party Computation) explained

Partisia Platform allows its users to perform Multi-Party Computation (MPC). MPC is a cryptographical technique which allows multiple parties to jointly compute on data while preserving the confidentiality of that data. By using secret sharing, MPC ensures that no single party needs to be trusted to uphold data confidentiality in any MPC computation.

Secret sharing

Secret sharing works by splitting up the data into unintelligible parts and submitting each part to a different party for them to perform computations on these unintelligible parts. Thus even if sensitive data like health data or financial information is inputted, no single party can reconstruct the original data from the share that it has.

Different secret sharing schemes offer different levels of protection. Depending on the specific protocol used, the proportion of secret shares required to reveal the secret differ, this is called the security threshold.

Example of creating secret sharing

Bob needs a way to store his passcode, 983019231011, securely. He needs to be able to access it whenever he needs to, but stop others from accessing it, since learning the passcode would give full access to Bob's computer. Bob can store his passcode securely as secret shares on the multiple servers, using an additive secret sharing protocol.

Storing passcode with secret sharing 1/2

First, Bob must choose a random number, which will be used as the first secret share, for example 823348934992.

Next, to obtain the second share of the secret Bob computes the sum of the password and the random number.

983019231011 + 823348934992 = 1806368166003

The second secret share is 1806368166003.

At this point, Bob has two secret shares which can be used to reconstruct his passcode: 1806368166003 and 823348934992.

Storing passcode with secret sharing 2/2

To keep his passcode secure he stores the secret shares on two trusted servers and sends one secret share to each. One advantage of splitting the secrets in this way is that even if an attacker obtains one secret share, they cannot reconstruct Bob's passcode. Bob can fetch the secret shares from the servers, whenever he needs his passcode. He can reconstruct his passcode by computing the absolute value of the subtraction of the two secret shares. The only way to obtain the passcode is to get hold of the two secret shares. The security threshold of the scheme is 1, which means that one share can be obtained without revealing the secret.

Why this approach is secure

  1. Access to one server would not reveal the passcode. Since both secret shares are needed for revealing the passcode, even if one server was compromised, an attacker could not reconstruct the passcode from a single share.
  2. Bob can always recover his passcode. Whenever he needs it, Bob can retrieve both secret shares and recombine the shares to recover his passcode. Recombining the shares is done by taking the absolute values of the subtraction of the two shares. | 1806368166003 − 823348934992 | = 983019231011
  3. At least two secret shares are required to recover Bob's passcode, meaning a single compromised server with a secret share reveals nothing.

Secret shares as inputs to a computation

Any function can be computed with MPC: computing a sum, filtering data points, finding the maximum/minimum, checking equality, etc. The functions can have any number of inputs, where all the inputs would be secret shared in a similar manner to the example above.

The computation result can then be revealed in three different ways:

  1. To a chosen set of people - only specific participants can see the result
  2. Publicly available - The result is accessible to anyone.
  3. Stored privately by nodes – The result remains hidden but can be used in future computations.

Now let's imagine a case with four inputs: A, B, C and D. We use a secret sharing protocol that produces four secret shares instead of two. The secret shares would look as follows:

A = { A_1, A_2, A_3, A_4 }
B = { B_1, B_2, B_3, B_4 }
C = { C_1, C_2, C_3, C_4 }
D = { D_1, D_2, D_3, D_4 }

Although a single secret share reveals no information about the original input, shares from multiple inputs can be used to compute functions of those inputs, without ever reconstructing the original values.

These secret shares are then sent to the same number of nodes, as the number of secret shares for each input. In this case, there would be four servers, S_1, S_2, S_3, S_4, where the secret shares would be sent to.

Each server receives a unique secret share from each input, determined by its assigned index. For example, The sender of input A would send A_1 to S_1, A_2 to S_2, A_3 to S_3 and A_4 to S_4. Similarly, for the other inputs:

S_1 = { A_1, B_1, C_1, D_1 }
S_2 = { A_2, B_2, C_2, D_2 }
S_3 = { A_3, B_3, C_3, D_3 }
S_4 = { A_4, B_4, C_4, D_4 }

The servers are now ready to compute any function on the secret shares they have received. Let's say we would like to compute the following function on the inputs:

f(A, B, C, D) = (( A - B ) * C ) + D

Each of the servers would then compute the function, but using the secret shares as the arguments to the function. The results of the computation of the function will be their share of the result. For instance, Server S_1 would compute R_1 = (( A_1 - B_1 ) * C_1 ) + D_1. And similarly, for the other servers:

R_1 = (( A_1 - B_1 ) * C_1 ) + D_1
R_2 = (( A_2 - B_2 ) * C_2 ) + D_2
R_3 = (( A_3 - B_3 ) * C_3 ) + D_3
R_4 = (( A_4 - B_4 ) * C_4 ) + D_4

Some operations, like addition, can be done locally without further interaction, but others—especially multiplication—require additional rounds of communication between servers. This need for coordination increases computational overhead, as servers must securely exchange intermediate values to ensure correctness while preserving privacy.

The resulting secret shares can be recombined to get the result of the computation. The recombination of shares depends on the secret sharing used. Just like Bob, could get his password back, in the example above, by subtracting the shares. The Partisia Platform uses Shamir secret sharing, which has a different method for recombining the shares.

We can compute any function on the share, i.e. the sum of all the inputs, which input is the largest or the smallest, are any of the inputs equal to each other. While this example gives the impression that each server is simply performing its computations locally, the reality is that data is constantly being exchanged between the servers throughout the process. MPC is an interactive protocol, meaning that servers don’t just compute on their own shares in isolation. They must securely communicate with each other to jointly compute the final result while keeping individual inputs hidden. The ability to perform secure computations without revealing sensitive data is what makes MPC a powerful tool for privacy-preserving applications.

Considerations when defining your MPC computation

To perform a secret computation in the Partisia Platform you must define the computation using an MPC smart contract. When defining your secret computation, there are several decisions you must make. For instance:

  • What are you trying to compute?
  • Who can input to the computation?
  • Who can start the computation?
  • Who should have access to the output of the computation?

A problem solved by MPC

In many situations, individuals or organizations need to compute a result based on private data without revealing their individual inputs. Traditional methods either require trusting a third party or exposing sensitive information, both of which can lead to privacy concerns and potential manipulation. Multi-Party Computation (MPC) solves this problem by allowing multiple participants to jointly compute a function on their data while keeping their inputs completely confidential.

Imagine the employees of a company, who would like to know what the average salary in the company is. Since their salary is a piece of information that most employees would wish to keep private, they could not use an open and public mechanism to compute the average of their salaries. Now, the company already knows the salary of all employees, so they could in principle simply perform the computation secretly and inform the employees about the result. However, the employees would have reason not to trust a number given by the company, since it has a clear incentive to provide a false lower figure: this might discourage employees making less than average from asking for a raise.

MPC would allow employees to compute the average salary without making their salaries public and without relying on a single third-party to be truthful about the result. However, with this setup employees could lie when they input their salary. They too have a clear incentive to do so: a high salary could artificially inflate the average making it easier to justify a request for a raise. Thus, the company could reasonably ask to participate in the MPC process to confirm that the salaries, inputted by the employees are correct.

With this information we could answer the questions raised before:

  • Who can input to the computation? Employees and the company management would be allowed to input values.
  • What are we trying to compute? The average salary of the employees. But first, we must verify that the inputs from the employees are the same than the inputs from management. Both computations can be done using MCP.
  • Who can start the computation? Management can start the computation when all employees have entered their salary as an input.
  • Who should have access to the output of the computation afterwards? The output of the computation is revealed to all employees and management.