MP-SPDZ/CHANGELOG.md

The changelog explains changes pulled through from the private development repository. Bug fixes and small enhancements are committed between releases and not documented here.

0.4.2 (Dec 24, 2025)

• Expected communication cost in compiler
• Semi-honest option of Rep4
• Reduced communication for preprocessing in Dealer protocol
• Option of choosing SoftSpoken parameter at run-time
• BERT functionality (@hiddely)
• Recommended reading list in documentation

0.4.1 (May 30, 2025)

• Add protocols with function-dependent preprocessing (https://eprint.iacr.org/2025/919)
• Parallelize shuffling (@vincent-ehrmanntraut)
• More efficient probabilistic truncation in Rep3
• More efficient binary to arithmetic conversion for one bit in Rep3
• Backend optimizations benefitting the most efficient protocols like Rep3
• Allow regint registers as argument in exported functions
• More efficient dot product for GF(2^n)
• File persistance for GF(2^n)
• Output of binary secrets
• SHA256
• Improved navigation by providing links to relevant papers (./compile.py --papers) and outputting which code is executed (./<protocol>-party.x --code-locations)
• Fixed security bug: remove MAC key in case of failure

0.4.0 (November 21, 2024)

• Functionality to call high-level code from C++
• Matrix triples from file for all appropriate protocols
• Exit with message on errors instead of uncaught exceptions
• Reduce memory usage for binary memory
• Optimized cint-regint conversion in Dealer protocol
• Fixed security bug: missing MAC check in probabilistic truncation

0.3.9 (July 9, 2024)

• Inference with non-sequential PyTorch networks
• SHA-3 for any input length (@hiddely)
• Improved client facilities
• Shuffling with malicious security for SPDZ-wise protocols by Asharov et al.
• More reusable bytecode via in-thread calling facility
• Recursive functions without return values
• Fewer rounds for parallel matrix multiplications (@vincent-ehrmanntraut)
• Optimized usage of SoftSpokenOT in semi-honest protocols
• More integrity checks on storage in MAC-based protocols
• Use C++17
• Use glibc 2.18 for the binaries
• Fixed security bugs: remotely caused buffer overflows (#1382)
• Fixed security bug: Missing randomization before revealing to client
• Fixed security bug: Bias in Rep3 secure shuffling

0.3.8 (December 14, 2023)

• Functionality for multiple nodes per party
• Functionality to use disk space for high-level data structures
• True division is always fixed-point division (similar to Python 3)
• Compiler option to optimize for specific protocol
• Cleartext permutation
• Faster compilation and lower bytecode size
• Functionality to output secret shares from high-level code
• Run-time command-line arguments accessible from high-level code
• Client connection setup specifies cleartext domain
• Compile-time parameter for connection timeout
• Prevent connections from timing out (@ParallelogramPal)
• More ECDSA examples
• More flexible multiplication instruction
• Dot product instruction supports several operations at once
• Example-based virtual machine explanation

0.3.7 (August 14, 2023)

• Path Oblivious Heap (@tskovlund)
• Adjust batch and bucket size to program
• Direct communication available in more protocols
• Option for seed in fake preprocessing (@strieflin)
• Lower memory usage due to improved register allocation
• New instructions to speed up CISC compilation
• Protocol implementation example
• Fixed security bug: missing MAC checks in multi-threaded programs
• Fixed security bug: race condition in MAC check
• Fixed security bug: missing shuffling check in PS mod 2^k and Brain
• Fixed security bug: insufficient drowning in pairwise protocols

0.3.6 (May 9, 2023)

• More extensive benchmarking outputs
• Replace MPIR by GMP
• Secure reading of edaBits from files
• Semi-honest client communication
• Back-propagation for average pooling
• Parallelized convolution
• Probabilistic truncation as in ABY3
• More balanced communication in Shamir secret sharing
• Avoid unnecessary communication in Dealer protocol
• Linear solver using Cholesky decomposition
• Accept .py files for compilation
• Fixed security bug: proper accounting for random elements

0.3.5 (Feb 16, 2023)

• Easier-to-use machine learning interface
• Integrated compilation-execution facility
• Import/export sequential models and parameters from/to PyTorch
• Binary-format input files
• Less aggressive round optimization for faster compilation by default
• Multithreading with client interface
• Functionality to protect order of specific memory accesses
• Oblivious transfer works again on older (pre-2011) x86 CPUs
• clang is used by default

0.3.4 (Nov 9, 2022)

• Decision tree learning
• Optimized oblivious shuffle in Rep3
• Optimized daBit generation in Rep3 and semi-honest HE-based 2PC
• Optimized element-vector AND in SemiBin
• Optimized input protocol in Shamir-based protocols
• Square-root ORAM (@Quitlox)
• Improved ORAM in binary circuits
• UTF-8 outputs

0.3.3 (Aug 25, 2022)

• Use SoftSpokenOT to avoid unclear security of KOS OT extension candidate
• Fix security bug in MAC check when using multithreading
• Fix security bug to prevent selective failure attack by checking earlier
• Fix security bug in Mama: insufficient sacrifice.
• Inverse permutation (@Quitlox)
• Easier direct compilation (@eriktaubeneck)
• Generally allow element-vector operations
• Increase maximum register size to 2^54
• Client example in Python
• Uniform base OTs across platforms
• Multithreaded base OT computation
• Faster random bit generation in two-player Semi(2k)

0.3.2 (May 27, 2022)

• Secure shuffling
• O(n log n) radix sorting
• Documented BGV encryption interface
• Optimized matrix multiplication in dealer protocol
• Fixed security bug in homomorphic encryption parameter generation
• Fixed security bug in Temi matrix multiplication

0.3.1 (Apr 19, 2022)

• Protocol in dealer model
• Command-line option for security parameter
• Fixed security bug in SPDZ2k (see Section 3.4 of the updated paper)
• Ability to run high-level (Python) code from C++
• More memory capacity due to 64-bit addressing
• Homomorphic encryption for more fields of characteristic two
• Docker container

0.3.0 (Feb 17, 2022)

• Semi-honest computation based on threshold semi-homomorphic encryption
• Batch normalization backward propagation
• AlexNet for CIFAR-10
• Specific private output protocols
• Semi-honest additive secret sharing without communication
• Sending of personal values
• Allow overwriting of persistence files
• Protocol signature in persistence files

0.2.9 (Jan 11, 2022)

• Disassembler
• Run-time parameter for probabilistic truncation error
• Probabilistic truncation for some protocols computing modulo a prime
• Simplified C++ interface
• Comparison as in ACCO
• More general scalar-vector multiplication
• Complete memory support for clear bits
• Extended clear bit functionality with Yao's garbled circuits
• Allow preprocessing information to be supplied via named pipes
• In-place operations for containers

0.2.8 (Nov 4, 2021)

• Tested on Apple laptop with ARM chip
• Restore trusted client interface
• Directly accessible softmax function
• Signature in preprocessing files to reduce confusing errors
• Improved error messages for connection issues
• Documentation of low-level share types and protocol pairs

0.2.7 (Sep 17, 2021)

• Optimized matrix multiplication in Hemi
• Improved client communication
• Private integer division as per Veugen and Abspoel
• Compiler option to translate some Python control flow instructions to run-time instructions
• Functionality to break out of run-time loops
• Run-time range check of data structure accesses
• Improved documentation of network infrastructure

0.2.6 (Aug 6, 2021)

• ATLAS
• Keras-like interface
• Iterative linear solution approximation
• Binary output
• HighGear/LowGear key generation for wider range of parameters by default
• Dabit generation for smaller primes and malicious security
• More consistent type model
• Improved local computation
• Optimized GF(2^8) for CCD
• NTL only needed for computation with GF(2^40)
• Virtual machines suggest compile-time optimizations
• Improved documentation of types

0.2.5 (Jul 2, 2021)

• Training of convolutional neural networks
• Bit decomposition using edaBits
• Ability to force MAC checks from high-level code
• Ability to close client connection from high-level code
• Binary operators for comparison results
• Faster compilation for emulation
• More documentation
• Fixed bug in dense layer back-propagation
• Fixed security bug: insufficient LowGear secret key randomness
• Fixed security bug: skewed random bit generation

0.2.4 (Apr 19, 2021)

• ARM support
• Base OTs optionally without SimpleOT/AVX
• Use OpenSSL instead of Crypto++ for elliptic curves
• Post-sacrifice binary computation with replicated secret sharing similar to Araki et al.
• More flexible multithreading

0.2.3 (Feb 23, 2021)

• Distributed key generation for homomorphic encryption with active security similar to Rotaru et al.
• Homomorphic encryption parameters more similar to SCALE-MAMBA
• Fixed security bug: all-zero secret keys in homomorphic encryption
• Fixed security bug: missing check in binary Rep4
• Fixed security bug: insufficient "blaming" (covert security) in CowGear and ChaiGear due to low default security parameter

0.2.2 (Jan 21, 2021)

• Infrastructure for random element generation
• Programs generating as much preprocessing data as required by a particular high-level program
• Smaller binaries
• Cleaning up code
• Removing unused virtual machine instructions
• Fixed security bug: wrong MAC check in SPDZ2k input tuple generation

0.2.1 (Dec 11, 2020)

• Virtual machines automatically use the modulus used during compilation
• Non-linear computation modulo a prime without large gap in bit length
• Fewer communication rounds in several protocols

0.2.0 (Oct 28, 2020)

• Rep4: honest-majority four-party computation with malicious security
• SY/SPDZ-wise: honest-majority computation with malicious security based on replicated or Shamir secret sharing
• Training with a sequence of dense layers
• Training and inference for multi-class classification
• Local share conversion for semi-honest protocols based on additive secret sharing modulo a power of two
• edaBit generation based on local share conversion
• Optimize exponentiation with local share conversion
• Optimize Shamir pseudo-random secret sharing using a hyper-invertible matrix
• Mathematical functions (exponentiation, logarithm, square root, and trigonometric functions) with binary circuits
• Direct construction of fixed-point values from any type, breaking sfix(x) where x is the integer representation of a fixed-point number. Use sfix._new(x) instead.
• Optimized dot product for sfix
• Matrix multiplication via operator overloading uses VM-optimized multiplication.
• Fake preprocessing for daBits and edaBits
• Fixed security bug: insufficient randomness in SemiBin random bit generation.
• Fixed security bug: insufficient randomization of FKOS15 inputs.
• Fixed security bug in binary computation with SPDZ(2k).

0.1.9 (Aug 24, 2020)

• Streamline inputs to binary circuits
• Improved private output
• Emulator for arithmetic circuits
• Efficient dot product with Shamir's secret sharing
• Lower memory usage for TensorFlow inference
• This version breaks bytecode compatibility.

0.1.8 (June 15, 2020)

• Half-gate garbling
• Native 2D convolution
• Inference with some TensorFlow graphs
• MASCOT with several MACs to increase security

0.1.7 (May 8, 2020)

• Possibility of using global keyword in loops instead of MemValue
• IEEE754 floating-point functionality using Bristol Fashion circuits

0.1.6 (Apr 2, 2020)

• Bristol Fashion circuits
• Semi-honest computation with somewhat homomorphic encryption
• Use SSL for client connections
• Client facilities for all arithmetic protocols

0.1.5 (Mar 20, 2020)

• Faster conversion between arithmetic and binary secret sharing using extended daBits
• Optimized daBits
• Optimized logistic regression
• Faster compilation of repetitive code (compiler option -C)
• ChaiGear: HighGear with covert key generation
• TopGear zero-knowledge proofs
• Binary computation based on Shamir secret sharing
• Fixed security bug: Prove correctness of ciphertexts in input tuple generation
• Fixed security bug: Missing check in MASCOT bit generation and various binary computations

0.1.4 (Dec 23, 2019)

• Mixed circuit computation with secret sharing
• Binary computation for dishonest majority using secret sharing as in FKOS15
• Fixed security bug: insufficient OT correlation check in SPDZ2k
• This version breaks bytecode compatibility.

0.1.3 (Nov 21, 2019)

• Python 3
• Semi-honest computation based on semi-homomorphic encryption
• Access to player information in high-level language

0.1.2 (Oct 11, 2019)

• Machine learning capabilities used for MobileNets inference and the iDASH submission
• Binary computation for dishonest majority using secret sharing
• Mathematical functions from SCALE-MAMBA
• Fixed security bug: CowGear would reuse triples.

0.1.1 (Aug 6, 2019)

• ECDSA
• Loop unrolling with budget as in HyCC
• Malicious replicated secret sharing for binary circuits
• New variants of malicious replicated secret over rings in Use your Brain!
• MASCOT for any prime larger than 2^64
• Private fixed- and floating-point inputs

0.1.0 (Jun 7, 2019)

• CowGear protocol (LowGear with covert security)
• Protocols that sacrifice after than before
• More protocols for replicated secret sharing over rings
• Fixed security bug: Some protocols with supposed malicious security wouldn't check players' inputs when generating random bits.

0.0.9 (Apr 30, 2019)

• Complete BMR for all GF(2^n) protocols
• Use your Brain!
• Semi/Semi2k for semi-honest OT-based computation
• Branching on revealed values in garbled circuits
• Fixed security bug: Potentially revealing too much information when opening linear combinations of private inputs in MASCOT and SPDZ2k with more than two parties

0.0.8 (Mar 28, 2019)

• SPDZ2k
• Integration of MASCOT and SPDZ2k preprocessing
• Integer division

0.0.7 (Feb 14, 2019)

• Simplified installation on macOS
• Optimized matrix multiplication
• Data type for quantization

0.0.6 (Jan 5, 2019)

• Shamir secret sharing

0.0.5 (Nov 5, 2018)

• More three-party replicated secret sharing
• Encrypted communication for replicated secret sharing

0.0.4 (Oct 11, 2018)

• Added BMR, Yao's garbled circuits, and semi-honest 3-party replicated secret sharing for arithmetic and binary circuits.
• Use inline assembly instead of MPIR for arithmetic modulo primes up length up to 128 bit.
• Added a secure multiplication instruction to the instruction set in order to accommodate protocols that don't use Beaver randomization.

0.0.3 (Mar 2, 2018)

• Added offline phases based on homomorphic encryption, used in the SPDZ-2 paper and the Overdrive paper.
• On macOS, the minimum requirement is now Sierra.
• Compilation with LLVM/clang is now possible (tested with 3.8).

0.0.2 (Sep 13, 2017)

Support sockets based external client input and output to a SPDZ MPC program.

See the ExternalIO directory for more details and examples.

Note that libsodium is now a dependency on the SPDZ build.

Added compiler instructions:

• LISTEN
• ACCEPTCLIENTCONNECTION
• CONNECTIPV4
• WRITESOCKETSHARE
• WRITESOCKETINT

Removed instructions:

• OPENSOCKET
• CLOSESOCKET

Modified instructions:

• READSOCKETC
• READSOCKETS
• READSOCKETINT
• WRITESOCKETC
• WRITESOCKETS

Support secure external client input and output with new instructions:

• READCLIENTPUBLICKEY
• INITSECURESOCKET
• RESPSECURESOCKET

Read/Write secret shares to disk to support persistence in a SPDZ MPC program.

Added compiler instructions:

• READFILESHARE
• WRITEFILESHARE

Other instructions

Added compiler instructions:

• DIGESTC - Clear truncated hash computation
• PRINTINT - Print register value

0.0.1 (Sep 2, 2016)

Initial Release

• See README.md and tutorial.md.