Choosing the best ring … for MPC!

Posted on April 21, 2025 by Wilson Nguyen in Uncategorized // 0 Comments

In this post, we’ll discuss how Galois rings (a recent algebraic structure) improve the communication complexity of dishonest multiparty computation (MPC) protocols.

Before we dive into MPC, I’ll take a brief detour to discuss how computation is usually modeled in cryptography. When cryptographers think about computation, they often think about circuits comprised of addition and multiplication gates. You may think ah so like boolean circuits? Nope, cryptographers love circuits over HUGE fields; in fact, the bigger the better! Fields are convenient to work with as 1) every element except for zero is invertible and 2) low-degree, non-zero polynomials have few roots. As such, we can often tie the security of cryptographic protocols directly to the size of the field (as we’ll see shortly). However, deep down, cryptographers really just want to work with circuits over the integers mod 2^k (\mathbb{Z}/2^{k}\mathbb{Z}), think 32/64-bit unsigned integers. For ease of notation, we will use \mathbb{Z}_{2^k}:= \mathbb{Z}/2^{k}\mathbb{Z}. Integer arithmetic (i.e. \mathbb{Z}_{2^k}) is exactly the arithmetic we already have on our cpus. Just think about how much modern software we could directly capture… but, OOF, \mathbb{Z}_{2^k} is a pain to work with! Half of the elements are not invertible, and low-degree, non-zero polynomials can have TONs of roots (like 2^{k-1}X). If only we had a ring with similar properties to fields that could also capture \mathbb{Z}_{2^k} arithmetic. In fact, we do. GALOIS RINGS!

A Galois ring is a quotient ring \mathsf{GR}:=\mathbb{Z}_{2^k}[X]/(h(X)) for which h(X) is a monic polynomial of degree d such that \overline{h}(X):= h(X)\ (\mathrm{mod\ 2}) is an irreducible polynomial in \mathbb{Z}_2[X]\cong\mathbb{F}_2[X]. Here, we use 2^k, but Galois rings are described generally for p^k for any prime p. Informally, you can view the elements of \mathsf{GR} as degree <d polynomials whose coefficients belong to \mathbb{Z}_{2^k} and operations are performed \mathrm{mod}\ h(X). Galois rings have several nice properties:

1) (1-1/2^d) fraction of elements are invertible [Wan03].
2) \mathsf{GR}\ (\mathrm{mod}\ 2) is isomorphic to \mathbb{F}_{2^d} [Wan03].
3) A non-zero polynomial f(Y)\in\mathsf{GR}[Y] with \deg(f)\leq r has at most r\cdot 2^{(k-1)\, d} roots [ACDEY19].
4) There exists \mathbb{Z}_{2^k}-linear maps (\phi: \mathbb{Z}_{2^k}^m\to\mathsf{GR},\ \psi: \mathsf{GR}\to \mathbb{Z}_{2^k}^m) called reverse multiplication friendly embeddings or RMFEs [EHLXY23].

Property 3) gives us a nice analog of the Schwartz-Zippel lemma, but over Galois rings instead (which are not integral domains)! Namely, \Pr_{\alpha}[f(\alpha)=0] \leq r\cdot 2^{(k-1)\, d} / |\mathsf{GR}| =r\cdot 2^{(k-1)\, d}/2^{kd} =r/2^d. As we will see later, property 3) can help us catch cheaters and 4) will naturally embed \mathbb{Z}_{2^k} arithmetic into \mathsf{GR} arithmetic.


With that aside over, we now have enough to discuss MPC. Let R be some ring (like \mathbb{F}_p, \mathbb{Z}_{2^k}, \mathsf{GR}). Multiparty computation [BGW88, CCD88, GMW87, Yao86] is an interactive protocol between multiple parties, P_1, \dots, P_n, who each have their own private inputs x_1, \dots, x_n\in R, respectively. They want to compute the output of some public circuit C(x_1, \dots, x_n)\to \mathsf{out} on their inputs. The catch is that no party should learn anything about the other parties private inputs, besides what is revealed by \mathsf{out}. Ideally, the amount of information the parties can learn is identical to as if they had just asked a trusted third party to do the computation. When all parties follow the protocol honestly, we know of simple MPC protocols (semi-honest MPC) where this trusted third party can be replaced purely with interaction between parties.


Unfortunately, it’s unrealistic to expect that all parties behave honestly. Some malicious parties could arbitrarily deviate from the protocol in an attempt to learn more information about the other parties’ private inputs. So, we need a way to catch when malicious parties misbehave and abort the whole protocol before information is leaked! There are two prevailing paradigms for constructing dishonest MPC:

1) Authenticated secret sharing [DPSZ12, DKLPSS13, KOS16, KPR18]
2) Fully Linear Interactive Oracle Proofs (zk-FLIOPs) [BBCGI19, BGIN19,BGIN20, BGIN21]

We will focus on authenticated secret sharing in this post, and what goes wrong when working over \mathbb{Z}/2^k\mathbb{Z}. Consider an arbitrary element x\in R. An additive secret sharing of x is a collection of uniformly sampled elements

[x]:=\big([x]_1,\, [x]_2,\,\dots,\, [x]_n\overset{r}{\gets}R\big)\,\text{ such that }\,x = \textstyle\sum_{i=1}^n [x]_i

For example, I can share my password x (private input) with friends (parties P_1, \dots, P_n possessing [x]_1, \dots, [x]_n, respectively) in such a way that they can recover my password if all of them work together, but without this quorum, they locally can only see uniformly random nonsense. Additive secret shares are also linearly homomorphic; given shares [x] and [y], parties can derive a share to [c\cdot x + y] by locally computing [c\cdot x+y]_i = c\cdot[x]_i+[y]_i for any constant c\in R. This property is essential for constructing semi-honest MPC.

However, if a friend, P_2, is malicious, they may try to mess up recovery by introducing some additive error \delta\neq 0 to their share [x]_2' = [x]_2+\delta such that together the parties recover y = \textstyle\sum_{i\neq 2} [x]_i + [x]_2' = x+\delta, which is not the correct value. The security of dishonest MPC protocols essentially boils down to catching when malicious parties introduce these additive errors to secret shares. But, how do we actually catch cheaters? During a setup phase, Parties P_1, \dots, P_n will receive an additive secret sharing [\alpha] of an element \alpha\overset{r}{\gets}R, sampled uniformly from the ring, which is unknown to all parties. An authenticated secret share of x is a pair of additive secret shares [[x]] := \big([x],\ [\alpha\cdot x]\big) of both x and \alpha\cdot x. Intuitively, we can think of this additional share [\alpha\cdot x] as an MAC (message authenticated code) and \alpha as a MAC key. To see why, let’s go over the recovery (opening) procedure. As before, let P_2 be a malicious party who wants to shift the opening by an additive error \delta\neq 0.

1) Parties broadcast their shares [x]_1,\ [x]_2+\delta,\ \dots,\ [x]_n.
2) Parties locally compute claimed opening y=(x{+\delta})=\textstyle\sum_i[x]_i +\delta.
3) Honest parties locally compute [z]_i = [\alpha x]_i - y\cdot[\alpha]_i. Dishonest party locally computes {[z]_2} = [\alpha x]_2 - y\cdot[\alpha]_2 + \Delta for some \Delta\in R of their choice.
4) Parties broadcast their shares [z]_i and locally check \textstyle\sum_i [z]_i \overset{?}{=}0. If not, abort!

For a malicious party to succeed, they must guess \delta\neq 0,\ \Delta\in R such that \textstyle\sum_i [z]_i = 0\ \Longleftrightarrow\ \delta\cdot \alpha + \Delta=0. If R=\mathbb{F}_p is a field, we can trivially solve for \alpha = -\Delta \cdot \delta^{-1}. Thus, the malicious party must be able to guess \alpha! Since \alpha is uniformly random and unknown to any party, we can bound the probability the malicious party succeeds with \leq 1/|\mathbb{F}_p|. With a large field (say |\mathbb{F}_p|\approx 2^{80}), this chance is vanishingly small. However, things go terribly wrong when we choose R=\mathbb{Z}_{2^k}. Notably, there’s an explicit attack that has a 1/2 chance of succeeding! The malicious party samples a random bit b\overset{r}{\gets}{0,1} and choose \delta=2^{k-1},\ \Delta=2^{k-1}b. Observe \delta\cdot \alpha + \Delta=2^{k-1}(\alpha_0 + b) where \alpha_0 is the 0-th bit of \alpha. This is zero with probability 1/2!

Prior works [CDE+18, BBH+22] avoid this issue with \mathbb{Z}_{2^k} by working over a larger ring \mathbb{Z}_{2^\ell} where \ell := k{+d}. In this setting, and authenticated share for x\in\mathbb{Z}_{2^k} (over the smaller ring) consists of additive shares ([x], [\alpha\cdot x]) where \alpha\in\mathbb{Z}_{2^\ell} belongs to the larger ring. Now, the malicious party must guess \delta\not\equiv_{k} 0,\ \Delta\in \mathbb{Z}_{2^\ell} such that \delta\cdot \alpha + \Delta\equiv_\ell 0. Let 2^v be the largest power of two that divides \delta. We have that \alpha \equiv_{\ell - v} -(\Delta/2^v) \cdot (\delta/2^v)^{-1}, which means the malicious party must guess at least d-bits of the secret \alpha. Therefore, we can bound the probability of success by 1/2^{d}. Unfortunately, this technique sacrifices share size for better security! In particular, higher security requires higher communication overhead (only k out of (k+d)-bits are used meaningfully). Shoot…if only there was a better ring… [Insert heroic entrance!]

[EXY22, LXY24] avoid this tradeoff by setting the underlying ring R:=\mathbb{Z}_{2^k}[X]/(h(X)) to be a Galois ring \mathsf{GR}. Leading to a protocol where communication does not scale with the level of security! Let’s perform similar analysis, but now over \mathsf{GR}. Since \delta\neq 0, we have \delta\cdot Y + \Delta\in\mathsf{GR}[Y] is a non-zero, degree-1 polynomial. Thus, by property 3), we have \Pr_{\alpha}[\delta\cdot \alpha + \Delta=0]\leq1/2^{d}. Yay! We have a security when \deg(h)=d is large enough. An astute reader might ask: didn’t we want to capture computation over \mathbb{Z}_{2^k} and not this weird ring \mathsf{GR}? And, they would be right!

Recall, informally, that we can think of \mathsf{GR} as a set of degree <d polynomials with coefficients in \mathbb{Z}_{2^k}. Maybe we can embed an x\in \mathbb{Z}_{2^k} into \mathsf{GR} by treating it as a constant polynomial? Now, when we compute a circuit over \mathsf{GR}, the constant terms in \mathbb{Z}_{2^k} get added and multiplied together as needed. In fact, this strategy will work and is secure, but we just dug ourselves into a deeper hole! Since \alpha\in\mathsf{GR} (a random degree <d polynomial), we have that the authenticated secret share size |([x],\,[\alpha\cdot x])| scales with d, which itself scales with our security! SHOOT, the rate is terrible. Instead of d more bits per share (as in the prior strategy over \mathbb{Z}_{2^\ell}), we have a d\times multiplicative factor in communication! But all hope is not lost. [Insert second heroic entrance!]

Reverse multiplication friendly embeddings (RMFEs) (their theory was unified in EHLXY23) are maps (\phi: \mathbb{Z}_{2^k}^m\to\mathsf{GR},\ \psi: \mathsf{GR}\to \mathbb{Z}_{2^k}^m) with several amazing properties (among many others):

1) (Good rate) Let \mathsf{GR}:=\mathbb{Z}_{2^k}[X]/(h(X)). There exists families of RMFEs such that \deg(h)/m is a constant (\approx 2\,\text{-}\,5).
2) (Linearity) Both maps are \mathbb{Z}_{2^k}-linear. In other words, for all c\in\mathbb{Z}_{2^k},\, \vec{x}, \vec{y}\in\mathbb{Z}_{2^k}^m,\, x,y\in\mathsf{GR}, we have c\cdot\phi(\vec{x}+\vec{y})=c\cdot\phi(\vec{x})+\phi(\vec{y}) and c\cdot\psi(x+y)=c\cdot\psi(x)+\psi(y).
3) (Multiplication Friendliness) For all \vec{x},\, \vec{y}\in\mathbb{Z}_{2^k}^m, we have \psi\big(\phi(\vec{x})\cdot\phi(\vec{y})\big)=\vec{x}\circ\vec{y} (where \cdot is \mathsf{GR} multiplication and \circ is element-wise product).
4) \phi is injective, \psi is surjective, \phi(\vec{1})=1, \psi(\phi(\vec{x}))=\vec{x} for all \vec{x}\in\mathbb{Z}_{2^k}^m, and \mathsf{GR}=\mathrm{img}(\phi)\oplus \mathrm{ker}(\psi) (internal direct sum).

Let’s break down why these properties enable communication to be independent of security. First off, the good rate of RMFEs helps us pack \Theta(d) integers from \mathbb{Z}_{2^k} into a single ring element in \mathsf{GR}. Thus, now each ring element in \mathsf{GR} can be thought of as \Theta(d) integers (avoiding that d\,\times blowup from the constant embedding). With linearity, additions over the ring naturally simulate additions over the vector space \mathbb{Z}_{2^k}^m. In particular, if we embed two vectors x:=\phi(\vec{x}),\, y:=\phi(\vec{y}) into the ring, then the ring addition x+y=\phi(x)+\phi(y)=\phi(x+y) simulates the vector addition. Finally, multiplication friendliness similarly allows us to naturally simulate element-wise multiplication with multiplication over the Galois ring. Therefore, despite each ring element being d\,\times the size, we do d\,\times the work per element! Beyond the theoretical independence, [EXY22, LXY24] concretely show roughly 2\,\text{-}\,3\,\times less communication over prior work for high security applications (think 40\,\text{-}\,80-bits of statistical security).

In conclusion, we discussed what cryptographers like about different rings (fields, integers mod 2^k, and Galois rings), the relationship between MPC and authenticated secret sharing, how different rings affect the security and communication of MPC protocols, and how choosing Galois rings can avoid communication blowups by packing more work into each element. Of course, I skipped over many details including, but not limited to, how to construct MPC from authenticated secret sharing, why security reduces to catching bad openings, why Galois rings have such few roots, and how RMFEs are constructed. I suggest readers who are interested to refer to the works referenced!

Acknowledgements: I wrote this blog post as a part of my qualifying exam. Thank you to Mary Wootters, Dan Boneh, and Clark Barrett for being on my quals committee and occasional chats about algebraic geometry. Special thanks to the Applied Crypto group for their continual support during my quals prep.

zk-FLIOP references: [BBCGI19, BGIN19,BGIN20, BGIN21]

Wilson Nguyen's avatar
About Wilson Nguyen (1 Article)
Applied Crypto Group

Leave a comment

Copyright © 2025 Create a website or blog at WordPress.com