The changelog explains changes pulled through from the private development repository. Bug fixes and small enhancements are committed between releases and not documented here.
- More extensive benchmarking outputs
- Replace MPIR by GMP
- Secure reading of edaBits from files
- Semi-honest client communication
- Back-propagation for average pooling
- Parallelized convolution
- Probabilistic truncation as in ABY3
- More balanced communication in Shamir secret sharing
- Avoid unnecessary communication in Dealer protocol
- Linear solver using Cholesky decomposition
- Accept .py files for compilation
- Fixed security bug: proper accounting for random elements
- Easier-to-use machine learning interface
- Integrated compilation-execution facility
- Import/export sequential models and parameters from/to PyTorch
- Binary-format input files
- Less aggressive round optimization for faster compilation by default
- Multithreading with client interface
- Functionality to protect order of specific memory accesses
- Oblivious transfer works again on older (pre-2011) x86 CPUs
- clang is used by default
- Decision tree learning
- Optimized oblivious shuffle in Rep3
- Optimized daBit generation in Rep3 and semi-honest HE-based 2PC
- Optimized element-vector AND in SemiBin
- Optimized input protocol in Shamir-based protocols
- Square-root ORAM (@Quitlox)
- Improved ORAM in binary circuits
- UTF-8 outputs
- Use SoftSpokenOT to avoid unclear security of KOS OT extension candidate
- Fix security bug in MAC check when using multithreading
- Fix security bug to prevent selective failure attack by checking earlier
- Fix security bug in Mama: insufficient sacrifice.
- Inverse permutation (@Quitlox)
- Easier direct compilation (@eriktaubeneck)
- Generally allow element-vector operations
- Increase maximum register size to 2^54
- Client example in Python
- Uniform base OTs across platforms
- Multithreaded base OT computation
- Faster random bit generation in two-player Semi(2k)
- Secure shuffling
- O(n log n) radix sorting
- Documented BGV encryption interface
- Optimized matrix multiplication in dealer protocol
- Fixed security bug in homomorphic encryption parameter generation
- Fixed security bug in Temi matrix multiplication
- Protocol in dealer model
- Command-line option for security parameter
- Fixed security bug in SPDZ2k (see Section 3.4 of the updated paper)
- Ability to run high-level (Python) code from C++
- More memory capacity due to 64-bit addressing
- Homomorphic encryption for more fields of characteristic two
- Docker container
- Semi-honest computation based on threshold semi-homomorphic encryption
- Batch normalization backward propagation
- AlexNet for CIFAR-10
- Specific private output protocols
- Semi-honest additive secret sharing without communication
- Sending of personal values
- Allow overwriting of persistence files
- Protocol signature in persistence files
- Disassembler
- Run-time parameter for probabilistic truncation error
- Probabilistic truncation for some protocols computing modulo a prime
- Simplified C++ interface
- Comparison as in ACCO
- More general scalar-vector multiplication
- Complete memory support for clear bits
- Extended clear bit functionality with Yao's garbled circuits
- Allow preprocessing information to be supplied via named pipes
- In-place operations for containers
- Tested on Apple laptop with ARM chip
- Restore trusted client interface
- Directly accessible softmax function
- Signature in preprocessing files to reduce confusing errors
- Improved error messages for connection issues
- Documentation of low-level share types and protocol pairs
- Optimized matrix multiplication in Hemi
- Improved client communication
- Private integer division as per Veugen and Abspoel
- Compiler option to translate some Python control flow instructions to run-time instructions
- Functionality to break out of run-time loops
- Run-time range check of data structure accesses
- Improved documentation of network infrastructure
- ATLAS
- Keras-like interface
- Iterative linear solution approximation
- Binary output
- HighGear/LowGear key generation for wider range of parameters by default
- Dabit generation for smaller primes and malicious security
- More consistent type model
- Improved local computation
- Optimized GF(2^8) for CCD
- NTL only needed for computation with GF(2^40)
- Virtual machines suggest compile-time optimizations
- Improved documentation of types
- Training of convolutional neural networks
- Bit decomposition using edaBits
- Ability to force MAC checks from high-level code
- Ability to close client connection from high-level code
- Binary operators for comparison results
- Faster compilation for emulation
- More documentation
- Fixed bug in dense layer back-propagation
- Fixed security bug: insufficient LowGear secret key randomness
- Fixed security bug: skewed random bit generation
- ARM support
- Base OTs optionally without SimpleOT/AVX
- Use OpenSSL instead of Crypto++ for elliptic curves
- Post-sacrifice binary computation with replicated secret sharing similar to Araki et al.
- More flexible multithreading
- Distributed key generation for homomorphic encryption with active security similar to Rotaru et al.
- Homomorphic encryption parameters more similar to SCALE-MAMBA
- Fixed security bug: all-zero secret keys in homomorphic encryption
- Fixed security bug: missing check in binary Rep4
- Fixed security bug: insufficient "blaming" (covert security) in CowGear and ChaiGear due to low default security parameter
- Infrastructure for random element generation
- Programs generating as much preprocessing data as required by a particular high-level program
- Smaller binaries
- Cleaning up code
- Removing unused virtual machine instructions
- Fixed security bug: wrong MAC check in SPDZ2k input tuple generation
- Virtual machines automatically use the modulus used during compilation
- Non-linear computation modulo a prime without large gap in bit length
- Fewer communication rounds in several protocols
- Rep4: honest-majority four-party computation with malicious security
- SY/SPDZ-wise: honest-majority computation with malicious security based on replicated or Shamir secret sharing
- Training with a sequence of dense layers
- Training and inference for multi-class classification
- Local share conversion for semi-honest protocols based on additive secret sharing modulo a power of two
- edaBit generation based on local share conversion
- Optimize exponentiation with local share conversion
- Optimize Shamir pseudo-random secret sharing using a hyper-invertible matrix
- Mathematical functions (exponentiation, logarithm, square root, and trigonometric functions) with binary circuits
- Direct construction of fixed-point values from any type, breaking
sfix(x)
wherex
is the integer representation of a fixed-point number. Usesfix._new(x)
instead. - Optimized dot product for
sfix
- Matrix multiplication via operator overloading uses VM-optimized multiplication.
- Fake preprocessing for daBits and edaBits
- Fixed security bug: insufficient randomness in SemiBin random bit generation.
- Fixed security bug: insufficient randomization of FKOS15 inputs.
- Fixed security bug in binary computation with SPDZ(2k).
- Streamline inputs to binary circuits
- Improved private output
- Emulator for arithmetic circuits
- Efficient dot product with Shamir's secret sharing
- Lower memory usage for TensorFlow inference
- This version breaks bytecode compatibility.
- Half-gate garbling
- Native 2D convolution
- Inference with some TensorFlow graphs
- MASCOT with several MACs to increase security
- Possibility of using global keyword in loops instead of MemValue
- IEEE754 floating-point functionality using Bristol Fashion circuits
- Bristol Fashion circuits
- Semi-honest computation with somewhat homomorphic encryption
- Use SSL for client connections
- Client facilities for all arithmetic protocols
- Faster conversion between arithmetic and binary secret sharing using extended daBits
- Optimized daBits
- Optimized logistic regression
- Faster compilation of repetitive code (compiler option
-C
) - ChaiGear: HighGear with covert key generation
- TopGear zero-knowledge proofs
- Binary computation based on Shamir secret sharing
- Fixed security bug: Prove correctness of ciphertexts in input tuple generation
- Fixed security bug: Missing check in MASCOT bit generation and various binary computations
- Mixed circuit computation with secret sharing
- Binary computation for dishonest majority using secret sharing as in FKOS15
- Fixed security bug: insufficient OT correlation check in SPDZ2k
- This version breaks bytecode compatibility.
- Python 3
- Semi-honest computation based on semi-homomorphic encryption
- Access to player information in high-level language
- Machine learning capabilities used for MobileNets inference and the iDASH submission
- Binary computation for dishonest majority using secret sharing
- Mathematical functions from SCALE-MAMBA
- Fixed security bug: CowGear would reuse triples.
- ECDSA
- Loop unrolling with budget as in HyCC
- Malicious replicated secret sharing for binary circuits
- New variants of malicious replicated secret over rings in Use your Brain!
- MASCOT for any prime larger than 2^64
- Private fixed- and floating-point inputs
- CowGear protocol (LowGear with covert security)
- Protocols that sacrifice after than before
- More protocols for replicated secret sharing over rings
- Fixed security bug: Some protocols with supposed malicious security wouldn't check players' inputs when generating random bits.
- Complete BMR for all GF(2^n) protocols
- Use your Brain!
- Semi/Semi2k for semi-honest OT-based computation
- Branching on revealed values in garbled circuits
- Fixed security bug: Potentially revealing too much information when opening linear combinations of private inputs in MASCOT and SPDZ2k with more than two parties
- SPDZ2k
- Integration of MASCOT and SPDZ2k preprocessing
- Integer division
- Simplified installation on macOS
- Optimized matrix multiplication
- Data type for quantization
- Shamir secret sharing
- More three-party replicated secret sharing
- Encrypted communication for replicated secret sharing
- Added BMR, Yao's garbled circuits, and semi-honest 3-party replicated secret sharing for arithmetic and binary circuits.
- Use inline assembly instead of MPIR for arithmetic modulo primes up length up to 128 bit.
- Added a secure multiplication instruction to the instruction set in order to accommodate protocols that don't use Beaver randomization.
- Added offline phases based on homomorphic encryption, used in the SPDZ-2 paper and the Overdrive paper.
- On macOS, the minimum requirement is now Sierra.
- Compilation with LLVM/clang is now possible (tested with 3.8).
See the ExternalIO directory for more details and examples.
Note that libsodium is now a dependency on the SPDZ build.
Added compiler instructions:
- LISTEN
- ACCEPTCLIENTCONNECTION
- CONNECTIPV4
- WRITESOCKETSHARE
- WRITESOCKETINT
Removed instructions:
- OPENSOCKET
- CLOSESOCKET
Modified instructions:
- READSOCKETC
- READSOCKETS
- READSOCKETINT
- WRITESOCKETC
- WRITESOCKETS
Support secure external client input and output with new instructions:
- READCLIENTPUBLICKEY
- INITSECURESOCKET
- RESPSECURESOCKET
Added compiler instructions:
- READFILESHARE
- WRITEFILESHARE
Added compiler instructions:
- DIGESTC - Clear truncated hash computation
- PRINTINT - Print register value
- See
README.md
andtutorial.md
.