The Communication-Friendly Privacy-Preserving Machine Learning against Malicious Adversaries

Tianpei Lu, Bingsheng Zhang, Lichun Li, and Kui Ren T. Lu, B. Zhang and K. Ren are with The State Key Laboratory of Blockchain and Data Security, Zhejiang University, Zhejiang University, Hangzhou, China. E-mail: {lutianpei, bingsheng, kuiren}@zju.edu.cn. L. Li is with Ant group, Hangzhou, China. E-mali: [email protected]. B. Zhang is Corresponding Author.

Abstract

With the increasing emphasis on privacy regulations, such as GDPR, protecting individual privacy and ensuring compliance have become critical concerns for both individuals and organizations. Privacy-preserving machine learning (PPML) is an innovative approach that allows for secure data analysis while safeguarding sensitive information. It enables organizations to extract valuable insights from data without compromising privacy. Secure multi-party computation (MPC) is a key tool in PPML, as it allows multiple parties to jointly compute functions without revealing their private inputs, making it essential in multi-server environments. We address the performance overhead of existing maliciously secure protocols, particularly in finite rings like $\mathbb{Z}_{2^{\ell}}$ , by introducing an efficient protocol for secure linear function evaluation. We implement our maliciously secure MPC protocol on GPUs, significantly improving its efficiency and scalability. We extend the protocol to handle linear and non-linear layers, ensuring compatibility with a wide range of machine-learning models. Finally, we comprehensively evaluate machine learning models by integrating our protocol into the workflow, enabling secure and efficient inference across simple and complex models, such as convolutional neural networks (CNNs).

I Introduction

In the era of big data, privacy protection and compliance have become paramount concerns for both individuals and organizations. As various privacy regulations, such as GDPR, have emerged, the demand for effective privacy-preserving mechanisms has intensified significantly. Privacy-preserving machine learning (PPML) is an innovative technique that enhances privacy while enabling secure data mining and machine learning. It ensures that sensitive information remains confidential, allowing organizations to leverage data insights without compromising individual privacy.

Secure multi-party computation (MPC) [1, 2, 3] allows multiple parties to jointly evaluate functions without revealing their private inputs. This cryptographic tool plays a crucial role in realizing PPML in multi-server environments [4, 5, 6, 7, 8, 9]. Notably, this work focuses on 3-party MPC, referred to as 3-PC. Most existing protocols [10, 11] are designed for a semi-honest setting, where participants are assumed to adhere to the protocol and act honestly, albeit with the potential to glean additional information from the data they handle. However, in many scenarios, the importance of robust defenses against malicious actors becomes critical. Maliciously secure protocols are essential in these contexts, as they can detect adversarial behaviors and protect the integrity of the computation.

Despite the advancements, state-of-the-art maliciously secure PPML protocols face significant performance overhead. For instance, maliciously secure multiplication protocols can be at least twice as slow as their semi-honest counterparts [12, 13]. This performance gap raises concerns, especially given that PPML-friendly MPC protocols typically operate over finite rings like $\mathbb{Z}_{2^{\ell}}$ , which facilitate fixed-point arithmetic. Designing maliciously secure MPC over $\mathbb{Z}_{2^{\ell}}$ is inherently more complex than over prime-order finite fields $\mathbb{Z}_{p}$ .

Recently, several works [14, 15, 16] have successfully implemented efficient maliciously secure protocols over $\mathbb{Z}_{p}$ . However, techniques used to achieve malicious security in $\mathbb{Z}_{p}$ cannot be directly applied to $\mathbb{Z}_{2^{\ell}}$ due to the absence of inverses for certain elements. Attempts to adapt these techniques have resulted in protocols that incur a twofold communication overhead. Alternatively, some research efforts [5, 12, 13] aim to develop maliciously secure MPC over $\mathbb{Z}_{2^{\ell}}$ from the ground up. Nonetheless, these solutions often generate significantly higher communication overhead compared to semi-honest protocols. This performance loss is particularly troubling in today’s economic landscape, where communication costs on platforms like Amazon can far surpass computation costs, underscoring the urgent need for efficient, secure protocols that balance both privacy and performance.

Our results. In this work, we improve the performance of maliciously secure linear functions evaluation for enhanced PPML. Our protocols are based on 3-party MPC in the honest majority setting. The underlying share of our 3-PC protocol originates from a variant of the replicated secure sharing (RSS) [11]; that is, to share $x\in\mathbb{Z}_{2^{\ell}}$ , $P_{0}$ holds $(r_{1},r_{2})$ , $P_{1}$ holds $(m=x-r,r_{1})$ , and $P_{2}$ holds $(m=x-r,r_{2})$ where $r=r_{1}+r_{2}$ .

Analogously, for the malicious multiplication, the parties first invoke the semi-honest multiplication protocol and perform a batch verification at the end. Goyal et al. [14] proposes a technique that can transfer the verification of $N$ dimension inner product triple to the verification of $N/2$ dimension inner product with constant overhead. However, Goyal et al. [14] works on Shamir’s secret sharing, which is performed over a prime-order field, naively converting their protocol to the ring setting could cause the soundness issue. Also, as mentioned above, the techniques [17, 18, 19] to adopt the multiplication verification over the field to the ring are not suitable for the protocol proposed in [14]. To resolve the soundness issue, we extend the shared elements over $\mathbb{Z}_{2^{\ell}}$ to the quotient ring of polynomials $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ [20, 21, 22], where $f(x)$ is a degree- $d$ irreducible polynomial over $\mathbb{Z}_{2^{\ell}}$ to apply the Lagrange interpolating based dimension reduction technique [14]. Consequently, the overall communication of our batch multiplication verification protocol is logarithmic to the number of multiplication gates.

Our protocols are compatible with mixed-circuit computation. Previous research [23, 24, 4, 25] has shown that computing non-linear functions, such as comparison, is more efficient in binary computation. This necessitates switching between arithmetic and binary computation, as arithmetic is superior for dot products. Rotaru and Wood introduced the concept of double-authenticated bits (daBits) [26], which are secret random bits shared across both arithmetic and binary. We observe that our protocol can be directly applied to daBits with minimal modifications. By utilizing daBits, we enable secure evaluation of any non-linear function under malicious security.

Finally, we integrated both linear and non-linear functions to systematically evaluate machine learning models.

TABLE I: Comparison of 3-PC based PPML. (

\ell

is the ring size,

n

is the size of the inner product.)

Operation	Protocol	Offline	Online		Malicious
Operation	Protocol	Communication (bits)	Rounds	Communication (bits)	Malicious
Mult	ABY3[4]	$12\ell$	$1$	$9\ell$	$\checkmark$
	BLAZE[5]	$3\ell$	$1$	$3\ell$	$\checkmark$
	SWIFT[12]	$3\ell$	$1$	$3\ell$	$\checkmark$
	Ours	$1\ell$	$1$	$2\ell$	$\checkmark$
Inner Product	ABY3[4]	$12n\ell$	$1$	$9n\ell$	$\checkmark$
	BLAZE[5]	$3n\ell$	$1$	$3\ell$	$\checkmark$
	SWIFT[12]	$3\ell$	$1$	$3\ell$	$\checkmark$
	Ours	$1\ell$	$1$	$2\ell$	$\checkmark$
Inner Product with Trunction	ABY3[4]	$12n\ell+84\ell$	$1$	$9n\ell+3\ell$	$\checkmark$
	BLAZE[5]	$3n\ell+2\ell$	$1$	$3\ell$	$\checkmark$
	SWIFT[12]	$15\ell$	$1$	$3\ell$	$\checkmark$
	Ours	$7\ell$	$1$	$2\ell$	$\checkmark$

Performance. Table I depicts the comparison between our protocols and SOTA 3PC maliciously secure protocol. As we can see, our protocols achieve a significant communication reduction.

Batch verification for multiplication over the ring. Compared with the prime-order finite field, constructing an MPC over ring $\mathbb{Z}_{2^{\ell}}$ against malicious adversaries typically incurs a higher overhead. In this work, we propose a new maliciously secure 3PC multiplication protocol over ring $\mathbb{Z}_{2^{\ell}}$ with a logarithmic communication overhead during batch verification. We conduct benchmarks on the overhead ratio of the verification step. By employing this technique, the amortized communication cost of our maliciously secure multiplication is merely $2$ ring elements in the online phase and $1$ ring element in the offline phase per operation.

Compared with SOTA maliciously secure MPC multiplication over ring proposed by Dalskov et al. [13], our protocol reduces the overall communication by 40%. Note that Dalskov et al. [13] achieves full security in the $\mathcal{Q}^{3}$ active adversary setting ( $t<n/3$ ), while our protocol achieves security with abort in the $\mathcal{Q}^{2}$ active adversary setting ( $t<n/2$ ), where $t$ is the number of corrupted parties and $n$ is the total number of participants. Compared with SOTA 3PC multiplication over ring [12], our protocol reduces the communication by 33% in the online phase and 67% in the offline phase, respectively. Similarly, the communication of our inner product protocols is also 50% of that in SWIFT [12].

Implementation with GPUs. Since our implementation requires converting secret sharing to an extended ring during the verification phase, this introduces significant computational overhead. However, the extended ring offers excellent concurrency, allowing us to implement our protocol on GPUs. In our specific experiments, compared to ABY3, our implementation achieved a threefold performance improvement, and when compared to Swift, we realized a twofold increase in performance.

Implementation of maliciously secure PPML framework. We built a comprehensive privacy-preserving machine learning application against malicious adversaries based on Piranha [27] framework. This includes the implementation of typical CNN models such as VGG and ResNet. Our framework delineates between semi-honest offline and online computation phases, as well as a separate multiplication gate (for both arithmetic and boolean) verification phase. Our experiments demonstrate that the time overhead of the verification phase is significantly lower than that of the online computation phase, indicating that the time introduced by malicious security is far less than the original cost of the semi-honest protocol.

Paper Organization. We first propose our maliciously secure 3PC in Sec. III. In Sec. IV, we realize the PPML framework based on our maliciously secure protocols for both linear and non-linear operation. In Sec. V, we benchmark the performance of our protocols and PPML framework.

II Preliminaries

Notation. Let $\mathcal{P}:=\{P_{0},P_{1},P_{2}\}$ be the three MPC parties. During the PPML execution, we encode the float numbers as fixed-point structure [4, 5]: for a fixed point value $x$ with $k$ -bit precision, if $x\geq 0$ , we encode it as $\lfloor x\cdot 2^{k}\rfloor$ ; if $x<0$ , we encode it as $2^{\ell}+\lfloor x\cdot 2^{k}\rfloor$ . We use $\eta_{j,k}$ to denote the common seed held by $P_{j}$ and $P_{k}$ . Our protocol contains two types of secret sharing as follows:

•

$[\cdot]^{\ell}$ -sharing: We define $[\cdot]^{\ell}$ -sharing over ring $\mathbb{Z}_{2^{\ell}}$ as $[x]^{\ell}:=([x]_{1}\in\mathbb{Z}_{2^{\ell}},[x]_{2}\in\mathbb{Z}_{2^{\ell}})$ where $x=[x]^{\ell}_{1}+[x]^{\ell}_{2}$ . $P_{j}$ for $j\in\{1,2\}$ hold share $[x]^{\ell}_{j}$ .
•

$\langle\cdot\rangle^{\ell}$ -sharing: We define $\langle\cdot\rangle^{\ell}$ -sharing over ring $\mathbb{Z}_{2^{\ell}}$ as $\langle x\rangle^{\ell}:=([r_{x}]^{\ell},m_{x})$ where $r_{x}$ is a fresh random value and $m_{x}=r_{x}+x$ . $P_{j}$ for $j\in\{1,2\}$ hold $(m_{x}\in\mathbb{Z}_{2^{\ell}},[r_{x}]^{\ell}_{j}\in\mathbb{Z}_{2^{\ell}})$ and $P_{0}$ holds $([r_{x}]^{\ell}_{1},[r_{x}]^{\ell}_{2})$ .

We use $[\cdot]^{\ell[x]}$ and $\langle\cdot\rangle^{\ell[x]}$ to denote the share in the polynomial ring $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ where $f(x)$ is a degree- $d$ irreducible polynomial over $\mathbb{Z}_{2}$ . For simplicity, we use $[\cdot]$ , $\langle\cdot\rangle$ when semantics are clear.

All the aforementioned secret-sharing forms have the linear homomorphic property, i.e., $[x]+[y]=([x]_{1}+[y]_{1},[x]_{2}+[y]_{2})$ and $c\cdot[x]=(c\cdot[x]_{1},c\cdot[x]_{2})$ and $[x]+c=([x]_{1}+c,[x]_{2})$ , where $c$ is a public value. The same linear operation holds for $\langle\cdot\rangle$ , and $\langle\cdot\rangle^{\mathbb{Z}_{2^{\ell}}[x]}$ .

Secret sharing. Let $\Pi_{[\cdot]}$ and $\Pi_{\langle\cdot\rangle}$ denote the corresponding secret-sharing protocols. By $\Pi_{[\cdot]}(x)$ , we mean that $x$ is shared by $P_{0}$ ; by $\Pi_{[\cdot]}$ , we mean the parties jointly generate a shared random value. We utilize pseudo-random generators (PRG) to reduce the communication [28]. In our protocol description, when we let parties $P_{j}$ and $P_{k}$ pick random values together, we mean that these parties invoke PRG with seed $\eta_{j,k}$ . The brief sketch of secret sharing schemes is as follows.

•

$[x]^{\ell}\leftarrow\Pi_{[\cdot]}^{\ell}(x)$ : (Generate shares of $x$ .)

- $P_{0}$ and $P_{1}$ pick random value $[x]_{1}\in\mathbb{Z}_{2^{\ell}}$ with seed $\eta_{0,1}$ ;

- $P_{0}$ sends $x_{2}=x-[x]_{1}\pmod{2^{\ell}}$ to $P_{2}$ .
•

$[x]^{\ell}\leftarrow\Pi_{[\cdot]}^{\ell}$ : (Generate shares of a random value.)

- $P_{0}$ and $P_{1}$ pick random value $[x]_{1}\in\mathbb{Z}_{2^{\ell}}$ with seed $\eta_{0,1}$ ;

- $P_{0}$ and $P_{2}$ pick random value $[x]_{2}\in\mathbb{Z}_{2^{\ell}}$ with seed $\eta_{0,2}$ ;

- $P_{0}$ calculates $x=[x]_{1}+[x]_{2}$ .
•

$\langle x\rangle^{\ell}\leftarrow\Pi_{\langle\cdot\rangle}^{\ell,k}(x)$ : (Generate shares of $x$ .)

- All parties perform $[r_{x}]\leftarrow\Pi_{[\cdot]}$ in the offline phase, and $P_{k}$ holds both seeds of $[r_{x}]_{1}$ and $[r_{x}]_{2}$ generation;

- $P_{i}$ send $m_{x}=x+[r_{x}]_{1}+[r_{x}]_{2}$ to $P_{1}$ and $P_{2}$ .
•

$\langle x\rangle^{\ell}\leftarrow\Pi_{\langle\cdot\rangle}^{\ell}$ : (Generate shares of a random value.)

- All parties perform $[r_{x}]\leftarrow\Pi_{[\cdot]}$ in the offline phase;

- $P_{1}$ and $P_{2}$ pick random value $m_{x}$ with seed $\eta_{1,2}$ .

$\Pi_{[\cdot]}$ and $\Pi_{\langle\cdot\rangle}$ also work for the share $[\cdot]^{\ell[x]},\langle\cdot\rangle^{\ell[x]}$ over the polynomial ring $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ , which are denoted as $\Pi_{[\cdot]}^{\ell[x]}$ , $\Pi_{\langle\cdot\rangle}^{\ell[x]}$ .

Verifiability of share reconstruction. We note that the shared form $\langle\cdot\rangle$ has the verifiable reconstruction property against a single malicious party. To be precise, for shared value, $\langle x\rangle$ , a single active adversary cannot deceive the honest parties into accepting an incorrect reconstruction result $x+e$ with a non-zero error $e$ . This is because any two honest parties can collaboratively reconstruct the secret, and invalid shares will be detected by the honest parties.

Formally, the verifiable reconstruct protocol $\Pi_{\mathsf{Rec}}$ is described as follows:

•

$x\leftarrow\Pi_{\mathsf{Rec}}(\langle x\rangle)$ :

- $P_{0}$ sends $[r_{x}]_{1}$ to $P_{2}$ and $[r_{x}]_{2}$ to $P_{1}$ ;

- $P_{1}$ sends $m_{x}$ to $P_{0}$ and $H([r_{x}]_{1})$ to $P_{2}$ ;

- $P_{2}$ sends $H(m_{x})$ to $P_{0}$ and $H([r_{x}]_{2})$ to $P_{1}$ ;

If the received messages from the other parties are inconsistent, $P_{i}$ output abort. Otherwise $P_{i}$ output $x=m_{x}-[r_{x}]_{1}-[r_{x}]_{2}$ .
•

$x\leftarrow\Pi_{\mathsf{Rec}}^{\ell,k}(\langle x\rangle)$ : All parties send their shares (or the hash value) to $P_{k}$ . If the received messages from the other parties are inconsistent, $P_{k}$ output abort. Otherwise $P_{k}$ output $x=m_{x}-[r_{x}]_{1}-[r_{x}]_{2}$ .

For the share $\langle\cdot\rangle^{\ell[x]}$ in polynomial ring, $\Pi_{\mathsf{Rec}}^{\ell[x]}$ works analogously as the above.

Preprocessing and postprocessing. We follow the “preprocessing” paradigm [29], which splits the protocol into two phases: the preprocessing/offline phase is data-independent and can be executed without data input, and the online phase is data-dependent and is executed after data input. Specifically, all the items $r_{x}$ of share $\langle x\rangle$ of our protocols can be generated in the circuit-depend offline phase. What the parties need to do in the online phase is to collaborate in computing $m_{x}$ for $P_{1}$ and $P_{2}$ . To achieve malicious security, we further introduce the postprocessing phase [19], where batch verification is performed.

Multiplication gate. We adopt the multiplication protocol of ASTRA[11]. For multiplication $z=x\cdot y$ with input $\langle x\rangle$ , $\langle y\rangle$ and output $\langle z\rangle$ , all parties first generate $[r_{z}]\leftarrow\Pi_{[\cdot]}(r_{z})$ for the output wire in the offline phase. To calculate $m_{z}$ for $P_{1}$ and $P_{2}$ in the online phase, it can be written as

	$\displaystyle m_{z}=xy+r_{z}$	$\displaystyle=(m_{x}-r_{x})(m_{y}-r_{y})+r_{z}$
		$\displaystyle=\overbrace{m_{x}m_{y}-m_{x}r_{y}-m_{y}r_{x}}^{P_{1}\text{ and }P% _{2}\text{ can locally evaluate}}+\overbrace{r_{x}r_{y}+r_{z}}^{\text{Known to% }P_{0}}\enspace.$

$[\Gamma^{\prime}]=m_{x}m_{y}-m_{x}[r_{y}]-m_{y}[r_{x}]$ can be calculated by $P_{1}$ and $P_{2}$ locally and $[\Gamma]=[r_{x}\cdot r_{y}]-[r_{z}]$ can be secret shared by $P_{0}$ to $P_{1}$ and $P_{2}$ in the preprocessing phase. In the online phase, $P_{1}$ and $P_{2}$ calculate and reconstruct $[m_{z}]=[\Gamma^{\prime}]+[\Gamma]$ .

Inner product. Given an arbitrary dimension inner product, its communication cost equals to a single multiplication. Considering $n$ -dimension inner product $z=\sum^{n-1}_{i=0}x_{i}\cdot y_{i}$ , the artifact $m_{z}$ requires to be evaluated in online phase can be written as

	$\displaystyle m_{z}$	$\displaystyle=\sum^{n-1}_{i=0}x_{i}\cdot y_{i}+r_{z}=\sum^{n-1}_{i=0}(m_{x_{i}% }-r_{x_{i}})(m_{y_{i}}-r_{y_{i}})+r_{z}$
		$\displaystyle=\overbrace{\sum^{n-1}_{i=0}(m_{x_{i}}m_{y_{i}}-m_{x_{i}}r_{y_{i}% }-m_{y_{i}}r_{x_{i}})}^{P_{1}\text{ and }P_{2}\text{ can locally evaluate}}+% \overbrace{\sum^{n-1}_{i=0}r_{x_{i}}r_{y_{i}}+r_{z}}^{\text{Known to }P_{0}}\enspace.$

Similar to single multiplication, $[\Gamma^{\prime}]=\sum^{n-1}_{i=0}(m_{x_{i}}m_{y_{i}}-m_{x_{i}}[r_{y_{i}}]-m_{% y_{i}}[r_{x_{i}}])$ an be locally evaluated by $P_{1}$ and $P_{2}$ . Meanwhile, $[\Gamma]=\sum^{n-1}_{i=0}[r_{x_{i}}r_{y_{i}}]+[r_{z}]$ can be secret shared by $P_{0}$ to $P_{1}$ and $P_{2}$ in the offline phase. In the online phase, $P_{1}$ and $P_{2}$ compute $[m_{z}]=[\Gamma]+[\Gamma^{\prime}]$ and reconstruct $m_{z}$ .

Security up to additive attacks. A protocol is secure up to additive attacks when all behaviors the adversary performs can only introduce an additive error known to the adversary to the output of the protocol. As proven in [30], the typical replicated secret sharing protocol, such as aforementioned multiplication and inner product, is secure up to additive attacks against malicious adversaries, i.e., the adversary’s cheating ability is limited to introducing an additive error to the output.

Security Model. Our protocol and framework achieve active security with abort in an honest majority setting, while one arbitrary party in $\mathcal{P}$ is under the control of a static malicious adversary. We emphasize abort security with computational soundness, ensuring that malicious behavior will be detected with overwhelming probability.

III 3PC with Malicious Security

We use the postprocessing verification procedure to detect any potential malicious behavior. Before reconstructing the final result, an extra verification is performed to ensure the correctness of the final result. Our maliciously secure protocol is based on the additive security of RSS, namely, the corresponding protocol is secure up to additive attacks.

Correctness Verification for Arithmetic Circuit. For a circuit containing both multiplication and addition gates, the correctness verification of the overall circuit using 3PC replicated shares reduces to verifying all multiplication gates. When an adversary introduces an error at an addition gate, since addition is non-interactive, it will cause an inconsistency in the shares. As previously mentioned, replicated shares possess a verifiable reconstruction property against a single malicious party. In the multiplication operation $z=x\cdot y$ , $P_{0}$ can introduce an error when sharing $[r_{x}\cdot r_{y}]$ , while $P_{1}$ and $P_{2}$ can introduce errors during the reconstruction of $m_{z}$ , without breaking share consistency. Denoting the set of multiplication gates by $\mathcal{G}$ , the verification checks the following equation:

\begin{split}\bigwedge_{\{x^{(i)},y^{(i)},z^{(i)}\}\in\mathcal{G}}x^{(i)}\cdot y% ^{(i)}&=z^{(i)}\end{split}

(1)

To batch verify multiple multiplication gates ${\langle x^{(i)}\rangle,\langle y^{(i)}\rangle,\langle z^{(i)}\rangle}_{i\in|% \mathcal{G}|}$ , we verify that the following inner product equals zero:

\begin{split}\Delta=\sum^{|\mathcal{G}|}_{i=0}(r^{i}\cdot x^{(i)}\cdot y^{(i)}% -r^{i}\cdot z^{(i)})=0\end{split}

(2)

where $r$ is a challenge picked during verification. The terms $r^{i}$ prevent an adversary from introducing opposing errors in different outputs $z_{i}$ and $z_{j}$ that could cancel each other. For example, if $z^{(i)}=x^{(i)}\cdot y^{(i)}+e$ and $z^{(j)}=x^{(j)}\cdot y^{(j)}-e$ , then $z^{(i)}+z^{(j)}=x^{(i)}\cdot y^{(i)}+x^{(j)}\cdot y^{(j)}$ , making the error undetectable.

However, directly evaluating the inner product poses challenges. One challenge is that the adversary, knowing the additive error in $\langle z^{(i)}\rangle$ , could cancel out the error to fabricate $\Delta=0$ . A typical solution involves using a random factor $\alpha$ . Instead of the 2-degree inner product, verification becomes a 3-degree polynomial:

\begin{split}\Delta=\sum^{|\mathcal{G}|}_{i=0}(r^{i}\cdot\alpha\cdot x^{(i)}% \cdot y^{(i)}-r^{i}\cdot\alpha\cdot z^{(i)})=0\end{split}

(3)

where $\alpha$ is a random share unknown to each party. This randomness $\alpha$ serves as an additional layer of security by making it difficult for a malicious adversary to manipulate the values of the inputs and outputs in a way that cancels out errors introduced during verification. If the evaluation of this 3-degree polynomial is secure against additive attacks, the adversary can only introduce an input-independent error $e^{\prime}$ in $\Delta$ . To cancel the original error $e$ in $z^{(i)}$ , the adversary must guess $e^{\prime}=\alpha\cdot e$ . Since $\alpha$ is unknown and chosen randomly, the probability of correctly guessing the exact value of $\alpha\cdot e$ is extremely low.

Ring-Specific Challenges. The second challenge comes from irreversible multiplication in the ring. In ring-based computations, particularly over modular arithmetic, certain errors can exploit the properties of the ring to bypass verification. For instance, an adversary could introduce a specific error $e$ such that when multiplied by $r^{i}$ , it results in zero within the ring, even though the error itself is non-zero. Such chosen $e$ will be undetected in a high probability if a lot of values $\alpha$ meets $e\cdot\alpha=0$ . A typical attack could involve introducing an error $e=2^{\ell-1}$ , where $\ell$ is the bit length of the ring. If $r$ is an even number, this error would result in $r^{i}\cdot(z^{(i)}+e)=r^{i}\cdot z^{(i)}$ , passing verification with a probability of 1/2.

One common solution to this problem is to increase the size of the ring used for verification, ensuring that the probability of an error passing undetected becomes vanishingly small. For example, in a protocol like SPDZ2k [18], a larger ring size (e.g., $\ell=100$ ) is used for 64-bit data, resulting in a soundness error of $2^{-36}$ . In this scenario, even if the adversary tries to exploit the properties of the ring to introduce errors, the larger modulus significantly reduces the probability of success. Since converting shares from $\mathbb{Z}_{2^{64}}$ to $\mathbb{Z}_{2^{100}}$ is expensive, it is better to perform the arithmetic directly in $\mathbb{Z}_{2^{100}}$ rather than during the verification phase, which doubles the overhead. For smaller data ranges (e.g., 1-bit values), this overhead ratio increases.

Our approach is different. We perform $\Delta$ over the extension ring $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ , where $f(x)$ is an irreducible polynomial of degree $d$ over $\mathbb{Z}_{2^{\ell}}$ [20]. (The original share over $\mathbb{Z}_{2^{\ell}}$ becomes the free coefficient, with $d$ random elements added to the other coefficients.) According to the Schwartz-Zippel Lemma, the probability that a $|\mathcal{G}|$ -degree non-zero polynomial $\Delta(r)=0$ for a randomly chosen $r$ is at most $\frac{2^{(\ell-1)d}|\mathcal{G}|+1}{2^{\ell d}}\approx\frac{|\mathcal{G}|}{2^{% d}}$ .

Compared to the larger ring size approach, the extension ring offers two advantages: (i) Since the share conversion to the extended ring is non-interactive, there are no modifications required during the circuit evaluation phase for the semi-honest version of the protocol. This avoids any additional communication costs typically incurred during the verification phase. (ii) The extension ring approach is compatible with the dimensionality reduction technique proposed by [14], which reduces the communication complexity from $\Theta(|\mathcal{G}|)$ to $\Theta(\log|\mathcal{G}|)$ . This optimization further improves the efficiency of the protocol, especially when dealing with a large number of multiplication gates.

In summary, our protocol operates as follows. First, we use a semi-honest protocol to evaluate the arithmetic circuit (on the ring $\mathbb{Z}_{2^{\ell}}$ ). We then transform all the multiplication gate triplets to the extended ring $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ and reformulate their verification as an inner product. Next, we apply the dimension reduction method from [14] to reduce the $|\mathcal{G}|$ -dimensional inner product to $\frac{|\mathcal{G}|}{2^{R}}$ dimensions. Finally, we use an inner product verification protocol to check the inner product after dimension reduction.

Figure 1: Compression of Multiplication Triples.

Compression of multiplication triples. We first design a subprotocol, $\Pi_{\mathsf{Trans}}$ (Fig. 1), which converts $|\mathcal{G}|$ multiplication triples over the ring $\mathbb{Z}_{2^{\ell}}$ into an $|\mathcal{G}|$ -dimensional inner product over the polynomial ring $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ for verification.

The transformation begins by locally converting the multiplication triples $\{\langle x^{(i)}\rangle,\langle y^{(i)}\rangle,\langle z^{(i)}\rangle\}_{i\in% \mathbb{Z}_{|\mathcal{G}|}}$ to the polynomial ring equivalents $\{\langle x^{(i)}\rangle^{\ell[x]},\langle y^{(i)}\rangle^{\ell[x]},\langle z^% {(i)}\rangle^{\ell[x]}\}{i\in\mathbb{Z}_{|\mathcal{G}|}}$ . In this step, the free coefficient of the shares in $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ is set to the original shares, while the remaining coefficients are padded with zero shares.

Next, the parties collectively generate a random challenge $r\in\mathbb{Z}_{2^{\ell}}[x]/f(x)$ by invoking the subprotocol $\langle r\rangle^{\ell[x]}\leftarrow\Pi_{\langle\cdot\rangle}^{\ell[x]}$ , followed by reconstructing $r$ via $\Pi_{\mathsf{Rec}}$ (To ensure that $r$ is unknown to each party before circuit evaluation). Each party then locally computes $\langle z\rangle^{\ell[x]}=\sum_{i=0}^{|\mathcal{G}|-1}r^{i}\cdot\langle z^{(i% )}\rangle^{\ell[x]}$ and $\langle x^{\prime(i)}\rangle^{\ell[x]}=r^{i}\cdot\langle x^{(i)}\rangle^{\ell[% x]}$ for all $i\in\mathbb{Z}_{|\mathcal{G}|}$ .

Finally, the protocol returns the ${|\mathcal{G}|}$ -dimensional inner product tuple as $(\{\langle x^{\prime(i)}\rangle^{\ell[x]},\langle y^{(i)}\rangle^{\ell[x]}\}_{% i\in\mathbb{Z}_{|\mathcal{G}|}},\langle z\rangle^{\ell[x]})$ .

Lemma 1.

Suppose protocol $\Pi_{\mathsf{Trans}}$ take $\{\langle x^{(i)}\rangle,\langle y^{(i)}\rangle,\langle z^{(i)}\rangle\}_{i\in% \mathbb{Z}_{|\mathcal{G}|}}$ as input, and it outputs $\{\langle x^{\prime(i)}\rangle^{\ell[x]},\langle y^{(i)}\rangle^{\ell[x]}\}_{i% \in\mathbb{Z}_{|\mathcal{G}|}};\langle z\rangle^{\ell[x]}$ . The probability that the following two conditions hold is at most $\frac{|\mathcal{G}|}{2^{d}}$ , where $d$ is the degree of $f(x)$ w.r.t. $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ :

•

$z=\sum^{{|\mathcal{G}|}-1}_{i=0}x^{\prime}_{i}\cdot y_{i}$
•

$\exists i\in\mathbb{Z}_{|\mathcal{G}|}$ s.t. $z_{i}\neq x_{i}\cdot y_{i}$

Figure 2: The Inner Product Dimension Reduction Protocol

Proof.

It is sufficient to demonstrate that $r$ is uniformly random, assuming that the reconstruction protocol $\Pi_{\mathsf{Rec}}$ does not abort. The adversary’s goal is to manipulate the verification by ensuring that the following equation holds:

\sum^{|\mathcal{G}|-1}_{i=0}r^{i}\cdot z^{(i)}=\sum^{|\mathcal{G}|-1}_{i=0}r^{% i}\cdot x^{(i)}\cdot y^{(i)}

where $z^{(i)}=x^{(i)}\cdot y^{(i)}+e^{(i)}$ for each $i\in\mathbb{Z}_{|\mathcal{G}|}$ , and ${e_{i}}_{i\in\mathbb{Z}{|\mathcal{G}|}}$ represents the list of errors introduced by the adversary at each gate. This can be written as

\sum^{|\mathcal{G}|-1}_{i=0}r^{i}\cdot x^{(i)}\cdot y^{(i)}=\sum^{|\mathcal{G}% |-1}_{i=0}r^{i}\cdot(x^{(i)}\cdot y^{(i)}+e^{(i)})

By simplifying, we get:

\sum^{|\mathcal{G}|-1}_{i=0}r^{i}\cdot x^{(i)}\cdot y^{(i)}=\sum^{|\mathcal{G}% |-1}_{i=0}r^{i}\cdot x^{(i)}\cdot y^{(i)}+\sum^{|\mathcal{G}|-1}_{i=0}r^{i}% \cdot e^{(i)}

To satisfy this equation, the adversary must ensure that the error terms cancel out, which would require:

\sum^{|\mathcal{G}|-1}_{i=0}r^{i}\cdot e^{(i)}

This means that the adversary needs to find a value of $r$ that is a root of the polynomial:

f(x)=\sum^{|\mathcal{G}|-1}_{i=0}x^{i}\cdot e^{(i)}

Since this polynomial is of degree at most ${|\mathcal{G}|}-1$ , the number of possible roots that satisfy the equation is limited. Specifically, for a degree- $\{{|\mathcal{G}|}-1\}$ polynomial over the ring $\mathbb{Z}_{2^{\ell}}[x]$ , according to the Schwartz-Zippel Lemma, the number of potential roots is bounded by $2^{(\ell-1)d}({|\mathcal{G}|}+1)$ .

Thus, the probability that a uniformly random $r$ selected during the protocol coincidentally matches one of these roots is given by:

\frac{2^{(\ell-1)d}({|\mathcal{G}|}+1)}{2^{\ell d}}\approx\frac{{|\mathcal{G}|% }}{2^{d}}

. ∎

Figure 3: The Inner Product Verification Protocol

Dimension reduction. We extend the dimension reduction technique of Goyal et al. [14] to our 3PC over ring setting. As shown in Fig. 2, protocol $\Pi_{\mathsf{Reduce}}$ takes a shared triple $(\{\langle x^{(i)}\rangle^{\ell[x]},\langle y^{(i)}\rangle^{\ell[x]}\}_{i\in% \mathbb{Z}_{|\mathcal{G}|}},\langle z\rangle^{\ell[x]})$ as input and outputs $(\{\langle x^{\prime(i)}\rangle^{\ell[x]},\langle y^{\prime(i)}\rangle^{\ell[x% ]}\}_{i\in\mathbb{Z}_{{|\mathcal{G}|}/2}},\langle z^{\prime}\rangle^{\ell[x]})$ . $\Pi_{\mathsf{Reduce}}$ ensures that $\sum^{{|\mathcal{G}|-1}}_{i=0}x^{(i)}\cdot y^{(i)}=z$ if and only if $\sum^{{|\mathcal{G}|}/2-1}_{i=0}x^{\prime(i)}\cdot y^{\prime(i)}=z^{\prime}$ except for a negligible probability. At a high level, for the inner product input $\{x^{(i)}\}_{i\in\mathbb{Z}_{|\mathcal{G}|}}$ and $\{y^{(i)}\}_{i\in\mathbb{Z}_{|\mathcal{G}|}}$ , we can utilize $x^{(2i)}$ and $x^{(2i-1)}$ to interpolate ${|\mathcal{G}|}/2$ linear functions $\{f_{i}(\cdot)\}_{i\in\mathbb{Z}_{{|\mathcal{G}|}/2}}$ at the point $0$ and $1$ , and similarly interpolate $\{g_{i}(\cdot)\}_{i\in\mathbb{Z}_{{|\mathcal{G}|}/2}}$ by $\{y^{(i)}\}_{i\in\mathbb{Z}_{|\mathcal{G}|}}$ . Considering the correct output $z$ , we have

z=\sum^{{|\mathcal{G}|}/2}_{i=0}f_{i}(0)\cdot g_{i}(0)+f_{i}(1)\cdot g_{i}(1)

Let $h(\cdot)=\sum^{{|\mathcal{G}|}/2}_{i=0}f_{i}(\cdot)\cdot g_{i}(\cdot)$ . This leads to the equation $h(1)=z-h(0)$ . The protocol $\Pi_{\mathsf{Reduce}}$ computes $h(0)=\sum^{{|\mathcal{G}|}/2}_{i=0}f_{i}(0)\cdot g_{i}(0)$ and $h(2)=\sum^{{|\mathcal{G}|}/2}_{i=0}f_{i}(2)\cdot g_{i}(2)$ , and from this, it calculates $h(1)=z-h(0)$ . Then, $\Pi_{\mathsf{Reduce}}$ interpolates the polynomial $h(x)$ using the values $h(0)$ , $h(1)$ , and $h(2)$ . Finally, all parties choose a random point $\zeta$ and output the new shared triple $(\{\langle f_{i}(\zeta)\rangle^{\ell[x]},\langle g_{i}(\zeta)\rangle^{\ell[x]}% \}_{i\in\mathbb{Z}_{{|\mathcal{G}|}/2}},\langle h(\zeta)\rangle^{\ell[x]})$ , which preserves the inner product relation if and only if the initial condition $z=\sum^{{|\mathcal{G}|}/2}_{i=1}f_{i}(0)\cdot g_{i}(0)+f_{i}(1)\cdot g_{i}(1)$ holds.

It is important to note that the points 0, 1, and 2 correspond to ring elements with free coefficients of 0, 1, and 2 in $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ .

The protocol $\Pi_{\mathsf{Reduce}}$ requires one round of communication involving $5\ell\cdot d$ bits in the online phase and one round involving $\ell\cdot d$ bits in the offline phase. We execute $\Pi_{\mathsf{Reduce}}$ $R$ times to reduce the inner product dimension to ${|\mathcal{G}|}/2^{R}$ , after which the resulting vectors are verified by checking

\sum^{{|\mathcal{G}|}/2^{R}}_{i=0}\langle f_{i}(\zeta)\rangle^{\ell[x]}\cdot% \langle g_{i}(\zeta)\rangle^{\ell[x]}=\langle h(\zeta)\rangle^{\ell[x]}

We prove the soundness error of the $\Pi_{\mathsf{Reduce}}$ is $\frac{1}{2^{d-1}}$ in Lemma 2.

Figure 4: The Batch Multiplication Verification Protocol

Lemma 2.

Suppose $\Pi_{\mathsf{Reduce}}$ take $(\{\langle x^{(i)}\rangle^{\ell[x]},\langle y^{(i)}\rangle^{\ell[x]}\}_{i\in% \mathbb{Z}_{|\mathcal{G}|}},\langle z\rangle^{\ell[x]})$ as input, and it outputs the new list $(\{\langle x^{\prime(i)}\rangle^{\ell[x]},\langle y^{\prime(i)}\rangle^{\ell[x% ]}\}_{i\in\mathbb{Z}_{{|\mathcal{G}|}/2}},\langle z^{\prime}\rangle^{\ell[x]})$ . The probability that the following two conditions hold is at most $\frac{1}{2^{d-1}}$ , where $d$ is the degree of $f(x)$ w.r.t. $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ :

•

$z^{\prime}=\sum^{{|\mathcal{G}|}/2}_{i=0}x^{\prime(i)}\cdot y^{\prime(i)}$
•

$z\neq\sum^{{|\mathcal{G}|}}_{i=0}x^{(i)}\cdot y^{(i)}$

Proof.

For clarity, we denote $h^{\prime}(k)=\sum^{{|\mathcal{G}|}/2}_{i=0}f_{i}(k)\cdot g_{i}(k)$ . The adversary’s goal is to manipulate the computation such that $h(\zeta)=h^{\prime}(\zeta)$ , while also ensuring that

h(0)+h(1)=h^{\prime}(0)+h^{\prime}(1)+e,

where $e$ represents the error introduced in $z$ . Simultaneously, the adversary can introduce new errors $e_{1}$ and $e_{2}$ during the calculation of $h(0)$ and $h(2)$ , such that:

h(0)=h^{\prime}(0)+e_{1},\quad h(1)=h^{\prime}(1)+e-e_{1},\quad h(2)=h^{\prime% }(2)+e_{2}.

Considering the Lagrange interpolation for randomly chosen $\zeta\in\mathbb{Z}_{2^{\ell}}[x]$ , we have:

\begin{split}h(\zeta)&=\sum^{2}_{i=0}\left(\prod^{2}_{\begin{subarray}{c}j=0\\ j\neq i\end{subarray}}\frac{\zeta-j}{i-j}\right)\cdot h(i)=\frac{(\zeta-1)(% \zeta-2)}{2}\cdot h(0)\\ &+\zeta(2-\zeta)\cdot h(1)+\frac{(\zeta-1)\zeta}{2}\cdot h(2)\end{split}

and for $h^{\prime}(\zeta)$ :

h^{\prime}(\zeta)=\frac{(\zeta-1)(\zeta-2)}{2}\cdot h^{\prime}(0)+\zeta(2-% \zeta)\cdot h^{\prime}(1)+\frac{(\zeta-1)\zeta}{2}\cdot h^{\prime}(2).

To ensure $h(\zeta)=h^{\prime}(\zeta)$ , the adversary must satisfy the following equation:

\frac{(\zeta-1)(\zeta-2)}{2}\cdot e_{1}+\zeta(2-\zeta)\cdot(e-e_{1})+\frac{(% \zeta-1)\zeta}{2}\cdot e_{2}=0

The probability that the adversary can choose $e,e_{1},e_{2}$ such that this equation holds is equivalent to making $\zeta$ a root of the degree-2 polynomial:

f(x)=\frac{(x-1)(x-2)}{2}\cdot e_{1}+x(2-x)\cdot(e-e_{1})+\frac{(x-1)x}{2}% \cdot e_{2}

over $\mathbb{Z}_{2^{\ell}}[x]$ , which has at most $2^{2(\ell-1)d}+1$ roots. Therefore, the soundness error is:

\frac{2^{(\ell-1)d+1}+1}{2^{\ell d}}\approx\frac{1}{2^{d-1}}.

∎

Figure 5: The Multiplication Protocol

Inner product verification. Our inner product verification protocol, denoted as $\Pi_{\mathsf{InnerVerify}}$ (Fig. 3), verifies the inner product relationship of shared values over the polynomial ring $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ . Specifically, to verify the relation

\sum_{i=0}^{|\mathcal{G}|/2^{R}}\langle x^{(i)}\rangle^{\ell[x]}\cdot\langle y% ^{(i)}\rangle^{\ell[x]}=\langle z\rangle^{\ell[x]},

$\Pi_{\mathsf{InnerVerify}}$ checks whether the expression

\langle\alpha\rangle^{\ell[x]}\cdot(\sum_{i=0}^{|\mathcal{G}|/2^{R}}\langle x^% {(i)}\rangle^{\ell[x]}\cdot\langle y^{(i)}\rangle^{\ell[x]}-\langle z\rangle^{% \ell[x]})

is equal to zero.

Unfortunately, as far as we know, there is currently no semi-honest 3PC protocol that securely evaluates a cubic (degree-3) polynomial while being resilient to additive attacks. As an alternative, we compute $x^{\prime(i)}=\alpha\cdot x^{(i)}$ for each $i\in\mathbb{Z}_{|\mathcal{G}|}$ . Subsequently, all parties evaluate the inner product

\sum_{i=0}^{|\mathcal{G}|/2^{R}}x^{\prime(i)}\cdot y^{(i)}.

This method, however, does not achieve complete security against additive attacks, as an adversary may introduce an error $e^{\prime(i)}$ into $x^{\prime(i)}$ , resulting in an overall error term:

\sum_{i=0}^{|\mathcal{G}|/2^{R}}e^{\prime(i)}\cdot y^{(i)},

which is dependent on $y^{(i)}$ . Nevertheless, considering that $y^{(i)}$ is obtained via multiple Lagrange interpolations in the prior dimension reduction protocol, $y^{(i)}$ can be treated as a random value.

Let $e$ denote the error in $z$ . The adversary must guess $\alpha\cdot e+\sum_{i=0}^{|\mathcal{G}|/2^{R}}e^{\prime(i)}\cdot y^{(i)}=0$ , where $y^{(i)}$ is effectively random. The probability of success for this guess is $\frac{1}{2^{d}}$ .

We prove in Lemma 3 that the soundness error of the $\Pi_{\mathsf{InnerVerify}}$ protocol is $\frac{1}{2^{d}}$ .

Figure 6: The Inner Product Protocol

Lemma 3.

Let $(\{\langle x^{(i)}\rangle^{\ell[x]},\langle y^{(i)}\rangle^{\ell[x]}\}_{i\in% \mathbb{Z}_{|\mathcal{G}|}},\langle z\rangle^{\ell[x]})$ be the input of protocol $\Pi_{\mathsf{InnerVerify}}$ depicted in Fig. 3. The probability that $\Pi_{\mathsf{InnerVerify}}$ outputs $1$ and $z\neq\sum^{{|\mathcal{G}|}-1}_{i=0}x^{(i)}\cdot y^{(i)}$ is at most $\frac{1}{2^{d}}$ , where $d$ is the degree of $f(x)$ w.r.t. $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ .

Proof.

Since $\alpha$ is uniformly random and unknown to the adversary, for $z=\sum_{i=0}^{|\mathcal{G}|}x^{(i)}\cdot y^{(i)}+e$ , we have

\Delta=\alpha\cdot e+\sum_{i=0}^{|\mathcal{G}|/2^{R}}e^{\prime(i)}\cdot y^{(i)},

where $e^{\prime(i)}$ is introduced during the evaluation of $\alpha\cdot x^{(i)}$ . Given that 3PC multiplication is secure up to additive attacks, $e^{\prime(i)}$ is independent of $\alpha$ . Therefore, we can treat $\sum_{i=0}^{|\mathcal{G}|/2^{R}}e^{\prime(i)}\cdot y^{(i)}$ as an overall error term $e^{\prime}$ .

By the Schwartz-Zippel Lemma, the polynomial $f(x)=e\cdot x+e^{\prime}$ over the ring $\mathbb{Z}_{2^{\ell}}[x]$ has at most $2^{(\ell-1)d}+1$ roots. Consequently, the probability that the adversary can deliberately choose $e$ such that $\Delta=0$ is

\frac{2^{(\ell-1)d}+1}{2^{\ell}d}\approx\frac{1}{2^{d}}.

∎

Our batch multiplication verification protocol $\Pi_{\mathsf{MultVerify}}$ in Fig. 4 integrates the above three subroutines, which requires one round communication of $(R+{|\mathcal{G}|}/2^{R})\ell\cdot d$ bits in the offline phase and $R+2$ -round communication of $(5R+3+{|\mathcal{G}|}/2^{R})\ell\cdot d$ bits in the online phase for ${|\mathcal{G}|}$ multiplication triples. We prove soundness error of $\Pi_{\mathsf{MultVerify}}$ is $\frac{{|\mathcal{G}|}}{2^{d-R-2}}$ in Thm. 1.

Theorem 1.

Let $\{\langle x^{(i)}\rangle,\langle y^{(i)}\rangle,\langle z^{(i)}\rangle\}_{i\in% \mathbb{Z}_{|\mathcal{G}|}}$ be the input of protocol $\Pi_{\mathsf{MultVerify}}^{R}$ depicted in Fig. 4. The probability $\Pi_{\mathsf{MultVerify}}^{R}$ outputs $1$ and $\exists i\in\mathbb{Z}_{|\mathcal{G}|}$ s.t. $z^{(i)}\neq x^{(i)}\cdot y^{(i)}$ is at most $\frac{{|\mathcal{G}|}}{2^{d-R-2}}$ , where $d$ is the degree of $f(x)$ w.r.t. $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ .

Proof.

From Lemma 1, Lemma 2, and Lemma 3, we know that the adversary has $R$ chances with success probability $\frac{1}{2^{d-1}}$ , one chance with probability $\frac{|\mathcal{G}|}{2^{d}}$ , and one chance with probability $\frac{1}{2^{d}}$ to pass the verification.

Therefore, the total probability that the adversary succeeds is

1-\left(1-\frac{1}{2^{d-1}}\right)^{R}\cdot\left(1-\frac{|\mathcal{G}|}{2^{d}}% \right)\cdot\left(1-\frac{1}{2^{d}}\right)\approx\frac{|\mathcal{G}|}{2^{d-R-2% }}.

∎

Figure 7: The Batch Inner Product Verification Protocol

IV Enhancing PPML.

In this section, we implement a maliciously secure privacy-preserving machine learning framework. We use boolean share to evaluate nonlinear functions, which can be viewed as share over ring $\mathbb{Z}_{2}$ . We realize the share conversion protocol, which is entirely based on maliciously secure multiplication $\Pi_{\mathsf{Mult}}$ . This makes our framework merely reliant on $\Pi_{\mathsf{Mult}}$ .

IV-A Dealing with linear operation.

Our maliciously secure multiplication protocol is shown in Fig. 5. $\Pi_{\mathsf{Mult}}$ ensures the correctness of multiplication by invoking batch verification protocol $\Pi_{\mathsf{MultVerify}}$ in the post-processing phase. When handling a substantial volume of data, our protocol exhibits an amortized communication of $\ell$ bits in the preprocessing phase and $2\ell$ bits in the online phase for each multiplication operation. The multiplication protocol can be expanded to the inner product protocol. Our maliciously secure inner product protocol $\Pi_{\mathsf{Inner}}$ is shown in Fig. 6. Its semi-honest version is the special case of $\Pi_{\mathsf{PolyEvl}}$ for $2$ -degree $n$ -variate polynomial, which requires one round communication of $\ell$ bits in the preprocessing phase and one round communication of $2\ell$ bits in the online phase. To extend it to the malicious setting, we employ batch verification protocol $\Pi_{\mathsf{InnerVerify}}^{R}$ (Fig. 7) to ensure the correctness of the inner products with a similar manner of multiplication. Analogously, in $\Pi_{\mathsf{InnerVerify}}^{R}$ , all parties transform the verification of inner product triples over ring $\mathbb{Z}_{2^{\ell}}$ to the verification of a single inner product triple over the polynomial ring $\mathbb{Z}_{2^{\ell}}[x]/f(x)$ . Following that, all parties invoke $\Pi_{\mathsf{Reduce}}$ to reduce the dimension of the vector that needs to be verified. When handling a substantial volume of data, on average, our protocol exhibits an amortized communication of $\ell$ bits in the preprocessing phase and $2\ell$ bits in the online phase for each inner product operation. In the application of machine learning, we view the $m$ -dimensional output convolution and matrix multiplication as $m$ separate inner products. We implement these two types of operations by invoking $\Pi_{\mathsf{Inner}}$ a total of $m$ times.

Figure 8: The maliciously secure truncation protocol

IV-B Secure Truncation Protocol.

The multiplication of two fixed-point values with our encoding will lead to a double scale of $2^{k}$ for the fractional precision $k$ . An array of protocols [4, 5, 12] using the probabilistic truncation protocol to reduce the additional $2^{k}$ scaler. Their protocols introduce a one-bit error which is caused by the carry bit of truncated data. In addition, the probabilistic truncation protocol makes an error with a certain probability (assuming that the valid range of data is $\ell_{x}$ and the error probability is $2^{\ell_{x}-\ell+1}$ ). As shown in Fig. 8, we also design a maliciously secure probabilistic truncation protocol $\Pi_{\mathsf{Trunc}}^{t}$ for the truncation bit size $t$ . Our idea is similar to SWIFT [12], which generates correct truncation pair via maliciously secure inner product protocol. However, in contrast to SWIFT[12], we directly generate $r_{z}=\mathsf{rshift}(r_{x},d)$ , which allows the parties locally truncate $m_{z}=\mathsf{rshift}(m_{x},d)$ in the online phase without communication. Although SWIFT[12] eliminates communication by combining truncation with multiplication, they still need $2\ell$ online communication in the online phase of the standalone truncation protocol.

Figure 9: The maliciously edaBits generation

Specifically, we let $P_{0}$ and $P_{1}$ pick random bit list $\{b_{1,j}\}_{j\in Z_{\ell}}$ together; $P_{0}$ and $P_{2}$ pick random bit list $\{b_{2,j}\}_{j\in Z_{\ell}}$ together. We utilize these lists to calculate that $r_{x}=\sum^{\ell-1}_{j=0}2^{j}\cdot(b_{1,j}\oplus b_{2,j})$ and $r_{z}=\sum^{\ell-t-1}_{j=0}2^{j}\cdot(b_{1,j}\oplus b_{2,j})+\sum^{\ell-1}_{j=%$