Passive Secure Protocols

Passively secure VIFF runtime.

class viff.passive.PassiveRuntime(player, threshold, options=None)

The VIFF runtime.

The runtime is used for sharing values (shamir_share() or prss_share()) into Share object and opening such shares (open()) again. Calculations on shares is normally done through overloaded arithmetic operations, but it is also possible to call add(), mul(), etc. directly if one prefers.

Each player in the protocol uses a Runtime object. To create an instance and connect it correctly with the other players, please use the create_runtime() function instead of instantiating a Runtime directly. The create_runtime() function will take care of setting up network connections and return a Deferred which triggers with the Runtime object when it is ready.

Inheritance diagram of PassiveRuntime

add(share_a, share_b)

Addition of shares.

Communication cost: none.

input(inputters, field, number=None, threshold=None)

Input number to the computation.

The input is shared using the shamir_share() method.

lin_comb(coefficients, shares)

Linear combination of shares.

Communication cost: none. Saves the construction of unnecessary shares compared to using add() and mul().

mul(share_a, share_b)

Multiplication of shares.

Communication cost: 1 Shamir sharing.

open(share, receivers=None, threshold=None)

Open a secret sharing.

The receivers are the players that will eventually obtain the opened result. The default is to let everybody know the result. By default the threshold + 1 shares are reconstructed, but threshold can be used to override this.

Communication cost: every player sends one share to each receiving player.

pow(share, exponent)

Exponentation of a share to an integer by square-and-multiply.

powerchain(share, max)

Returns the list [share, share**2, share**4, ..., share**(2**max)].

prss_double_share(field, quantity)

Make quantity double-sharings using PRSS.

The pair of shares will have degree t and 2t where t is the default threshold for the runtime.


Create unique key for PRSS.

This increments the program counter and returns it as a tuple. Each straight-line program (typically a callback attached to some Deferred) is executed in a context with unique starting program counter. This ensures that consequetive calls to PRSS-related methods will use unique program counters.

prss_powerchain(*args, **kwargs)

Generate a random secret share in GF256 and returns [share, share**2, share**4, ..., share**(2**max)].

prss_powerchains(max=7, quantity=20)

Does quantity times the same as prss_powerchain(). Used for preprocessing.


Shamir share a random bit over field and GF256.

prss_share(inputters, field, element=None)

Creates pseudo-random secret sharings.

This protocol creates a secret sharing for each player in the subset of players specified in inputters. Each inputter provides an integer. The result is a list of shares, one for each inputter.

The protocol uses the pseudo-random secret sharing technique described in the paper “Share Conversion, Pseudorandom Secret-Sharing and Applications to Secure Computation” by Ronald Cramer, Ivan Damgård, and Yuval Ishai in Proc. of TCC 2005, LNCS 3378. Download

Communication cost: Each inputter does one broadcast.


Share a random bit over field and GF256.

The protocol is described in “Efficient Conversion of Secret-shared Values Between Different Fields” by Ivan Damgård and Rune Thorbek available as Cryptology ePrint Archive, Report 2008/221.

prss_share_random(field, binary=False)

Generate shares of a uniformly random element from the field given.

If binary is True, a 0/1 element is generated. No player learns the value of the element.

Communication cost: none if binary=False, 1 open otherwise.

prss_share_random_multi(field, quantity, binary=False)

Does the same as calling quantity times prss_share_random(), but with less calls to the PRF. Sampling of a binary element is only possible if the field is GF256.

Communication cost: none.

prss_share_zero(field, quantity)

Generate quantity shares of the zero element from the field given.

Communication cost: none.

shamir_share(inputters, field, number=None, threshold=None)

Secret share number over field using Shamir’s method.

The number is shared using polynomial of degree threshold (defaults to threshold). Returns a list of shares unless there is only one inputter in which case the share is returned directly.

In code it is used like this:

a, b, c = runtime.shamir_share([1, 2, 3], Zp, x)

where Zp is a field and x is a Python integer holding the input of each player (three inputs in total).

If only a subset of the players provide input it looks like this:

if == 1:
    a = runtime.shamir_share([1], Zp, x)
    a = runtime.shamir_share([1], Zp)

Instead of branching when calling shamir_share(), one can give None as input:

if == 1:
    x = int(raw_input("Input x: "))
    x = None
a = runtime.shamir_share([1], Zp, x)

which might be practical in some cases.

Communication cost: n elements transmitted.

sub(share_a, share_b)

Subtraction of shares.

Communication cost: none.

Previous topic

Runtime Module

Next topic

A Thresholdbased Actively Secure Runtime

This Page