Question about security of 64-bit additive secret sharing over Z_{2^64} in the semi-honest setting

[rantong-research]

Hi, I have a simple question about ring-based MPC in MP-SPDZ.

In the semi-honest (passive) setting, is two-party additive secret sharing over the 64-bit ring Z_{2^64} considered fully secure from a privacy perspective?

More specifically:

• Do we need to lift computations to a larger ring such as Z_{2^{128}} for privacy reasons?
• Or is ring extension only required in the active/malicious setting (because MACs and integrity checks need extra statistical security bits), while semi-honest computations are perfectly private already in Z_{2^64}?

I'm trying to confirm whether staying in Z_{2^64} is cryptographically safe enough for passive security, or whether MP-SPDZ recommends using a larger ring even in that case.

Thanks!

[mkskeller]

I'm not aware of any issues relating to the size of the domain. Some protocols even use bits (i.e., Z_2). This works because the security is based on the view of parties being random, which can be the case for any size of share. If you have any particular concerns, can you elaborate on where you see privacy issues?

[rantong-research]

Thank you very much for the clarification!
I have one more question regarding the security foundations of additive secret sharing.

From a theoretical perspective, does two-party additive secret sharing over a ring (e.g., Z_{2^ℓ}) rely on any specific cryptographic hardness assumptions, or is its security purely information-theoretic?

More concretely, when proving security in the real/ideal world paradigm, is it sufficient to show that each party’s view consists only of uniformly random shares (independent of the secret), and therefore the simulator can sample the same distribution without knowing the underlying value?

I’m trying to understand how one usually writes a clear, formal security proof for an additive secret-sharing-based protocol in this framework, and whether there is anything beyond the uniform-randomness argument that I should be aware of.

I would really appreciate any guidance or references on how the simulation-based security proof for additive secret sharing is typically formalized.

[mkskeller]

The secret sharing per se does not rely on hardness assumptions, but the secret sharing alone does not provide for multiplications. MP-SPDZ uses oblivious transfer in this case, which does rely on assumptions, namely elliptic curve cryptography. I would suggest the following book for a thorough introduction: https://securecomputation.org/
You can also find further reading suggestions here: https://github.com/rdragos/awesome-mpc?tab=readme-ov-file#books

[rantong-research]

Ok, thank you for the detailed information.