Efficient Secure Multi-Party Computation for Multi-Dimensional Arithmetics and Its Applications ^†

Abstract

Over years of development in secure multi-party computation (MPC), many sophisticated functionalities have been made practical, and multi-dimensional operations occur more and more frequently in MPC protocols, especially in protocols involving datasets of vector elements, such as privacy-preserving biometric identification and privacy-preserving machine learning. In this paper, we introduce a new kind of correlation, called tensor triples, which is designed to make multi-dimensional MPC protocols more efficient. We will discuss the generation process, the usage, and the applications of tensor triples and show that they can accelerate privacy-preserving biometric identification protocols, such as FingerCode, Eigenfaces, and FaceNet, by more than 1000 times, with reasonable offline costs, and grant pre-computability for the secure matrix multiplication process in privacy-preserving machine learning protocols, such as SecureML and SecureNN, while achieving similar efficiency.

1. Introduction

1.1. Motivation

Secure multi-party computation (MPC) is one of the central subfields in cryptography. MPC aims to accomplish a joint evaluation of a function over inputs provided by multiple parties without revealing any extra information. Due to its feature of protecting the inputs, it has been widely used in the analysis and processing of private or sensitive data held by multiple parties. Over years of development, circuit-based MPC has gradually gained the capability of practically computing more and more sophisticated and large-scale functions. Apart from one-dimensional numeric computation, the necessity of handling higher-dimensional operations has also become a concern. For instance, people for years have explored the possibility of the application of MPC on privacy-preserving biometric identification [1,2,3,4,5,6,7,8,9], privacy-preserving machine learning [10,11,12,13,14], and many other practical fields that require an intensive use of vector and matrix operations, such as vector tensoring and matrix multiplication. A detailed description is provided below.

• Privacy-Preserving Machine Learning
  The training process of machine learning models often rely on large-scale data collected from multiple sources, such as personal information, medical records, financial transactions, and user behavior logs. Directly sharing raw data among parties poses significant privacy risks and may violate legal regulations. On the other hand, when making use of these models, inevitable exchanges of information about sensitive data, such as personal information and private model parameters between the servers and the clients, also necessitate secure protocols for privacy protection. Privacy-preserving machine learning aims to enable collaborative model training and inference without exposing sensitive data. The core challenge in privacy-preserving machine learning is secure computation over encrypted or distributed data. Many machine learning algorithms, from the most basic functionalities such as linear regression and clustering to more sophisticated model structures such as convolution neural networks and large language models (LLMs), rely heavily on matrix operations, particularly matrix multiplication, for procedures like forward propagation, back propagation, and gradient updates. Secure matrix product protocols are therefore crucial in privacy-preserving machine learning, enabling parties to jointly compute matrix products without revealing individual data entries.
• Privacy-Preserving Biometric Identification
  Biometric identification systems rely on physiological or behavioral traits such as fingerprints, iris scans, facial features, and gait patterns for authentication and recognition. Traditional biometric systems store and process biometric templates in raw forms, and usually in centralized databases, raising concerns about data security, unauthorized access, and identity theft. Privacy-preserving biometric identification techniques aim to enable secure biometric matching while preventing information leakage. In privacy-preserving biometric identification, the secure matrix product plays a crucial role in similarity computations, such as secure batched dot products and squared Euclidean distance computation, where biometric features are often represented as high-dimensional vectors or matrices. Secure matrix product protocols are therefore crucial in privacy-preserving biometric identification for comparisons of encrypted biometric templates without revealing their contents.

Unlike the straightforward homomorphic encryption methods, which often behave less computationally efficient, it is crucial to find a way to accelerate multi-dimensional arithmetics for circuit-based MPC protocols. For instance, the SPDZ framework has been used to boost multi-dimensional MPC protocols [15].

Meanwhile, apart from the classical correlation generation protocols such as an OT and Beaver triples, researchers have also attempted to find new kinds of correlations (for example, [16]) that can fulfill different needs of MPC protocols and perform more efficiently compared to classical ways [17,18,19,20]. Among these variants, vector oblivious linear evaluation (VOLE), as an efficient way to provide correlated random vector sharings for two parties, has been widely used as a convenient auxiliary tool to accomplish circuit-based MPC involving multi-dimensional inputs. Therefore, we would like to explore a way to boost MPC protocols involving multi-dimensional objects, such as vectors and matrices, and we would like to take advantage of the correlation properties of VOLE to assist the procedure.

1.2. Our Contribution

The goal of this paper is to explore a more efficient and flexible way to fulfill multi-dimensional secure multi-party computation. In this paper, we used a new kind of correlation called tensor triples, which can be generated using subfield VOLE. We show that tensor triples can be used to assist and accelerate MPC on multi-dimensional arithmetics with the following nice properties:

• Efficiency: The tensor triple method behaves much more efficient both computationally and communicatively compared to the usual Beaver’s method when dealing with secure matrix multiplication and the vector outer product.
• Flexibility: Or pre-computability. The usual matrix triple method for secure matrix multiplication cannot generate triples in the offline phase without the knowledge of the dimensions of the matrices involved in the online phase of the MPC protocol, while the tensor triple method can generate tensor triples beforehand that are suitable and utilizable in the online phase for all matrices as long as the dimensions are below a pre-determined threshold. When the parties are not capable of determining the sizes of the matrices in the pre-computation process or when the matrices involved in the online phase of the protocol may have various and different sizes, it seems to the authors that only the tensor triple method can perform the triple generation process in the offline phase.

We will also present a detailed discussion of the advantages of the tensor triple method in later sections.

As a result, we explore several applications of tensor triples on privacy-preserving biometric identification and privacy-preserving machine learning protocols. More specifically, we realize implementations of three privacy-preserving biometric identification protocols, namely FingerCode [21], Eigenfaces [22], and FaceNet [23]. As for the privacy-preserving machine learning protocols, we compare our tensor triple generation procedure with the straightforward matrix triple method adopted by SecureML [24] and SecureNN [25]. We also analyze the performance of the implementations and prove our claim that the tensor triple method indeed provides a more efficient way to carry out multi-dimensional MPC protocols. Our implementation results show that the online phase of secure squared Euclidean distance computation in 128 batched privacy-preserving Fingercode queries against a database of 1024 references only takes 0.082 s, and that of 80 batched privacy-preserving Eigenfaces queries against a database of 1000 references only takes 0.032 s, both of which perform thousands of times faster than the classical GSHADE framework [6]. Meanwhile, the online phase of our implementation of privacy-preserving FaceNet achieves a speedup by more than 10,000 times compared to previous works. Even if the offline cost is taken into consideration, the implementations still achieve a significant acceleration. As for the privacy-preserving machine learning protocols, our implementation of the secure matrix product possesses a flexibility or pre-computability property compared to the matrix triple method used in SecureML and SecureNN while managing to achieve almost the same online computational and communicative costs.

1.3. Related Works

This paper is an extended version of our paper published in the 23rd international conference on cryptology and network security (CANS 2024) [26].

Abspoel et al. in [16] proposed the concept of the “outer product triple” through linear secret sharing schemes over Galois rings. The authors have also explained that the outer product triples are useful as they can be utilized to assist the secure multi-party computation of outer products between vectors. Also, Boyle et al. in [20] proposed the idea of using subfield VOLE for secure matrix multiplications. The definition of the outer product triple in [16] is equivalent to the notion of the tensor triple we will define in Section 2.3, and we will introduce protocols involving these triples for the secure 2PC of the outer product and matrix multiplication as noted in [20]; further, we will provide a detailed description of the protocols as well as an application of a broader range of parameters.

There also exist generic ways to fulfill multi-dimensional MPC. One practical way is realization through the SPDZ framework (for instance, [15,27]). Since our work only uses comparatively lightweight MPC components such as VOLE, we will show in detailed statistics that our method obtains a high efficiency and greatly outperforms the homomorphic encryption-based protocols.

Similarly, there are multiple works aiming to accelerate the privacy-preserving biometric identification and privacy-preserving machine learning protocols. For instance, for FingerCode, Eigenfaces, and FaceNet, the three protocols discussed in this paper, we are aware of the existence of various works and improvements. Nevertheless, we have not discovered any work using VOLE or similar techniques to improve the efficiency. We will still discuss them in the corresponding sections and show a detailed comparison between different implementations. As introduced earlier, we are also aware of previous privacy-preserving machine learning protocols, such as SecureML and SecureNN, which use the matrix triple method to fulfill MPC protocols. We will show that this method cannot implement a full precomputable triple generation process, while, in our case, the generation procedure is completely precomputable.

1.4. Security Model

All protocols involved in the rest of this paper are secure against semi-honest and computationally bounded adversaries.

1.5. Organization of Paper

In Section 2, we define necessary notions and primitives in MPC and the notion of the tensor triple and briefly explain the intuition and idea of how it can be used to accelerate multi-dimensional circuit-based MPC protocols. We then proceed in Section 3 by introducing several ways to generate tensor triples. The protocols are focused on resolving the generation of tensor triples for two parties, as is the usual need in most practical applications. Then, we explain the usage of tensor triples to accomplish the MPC of basic algebraic operations for scalars, vectors, and matrix operations. In Section 4, we discuss possible applications of tensor triples in practice. It should be emphasized that tensor triples can be used to accelerate all multi-dimensional MPC protocols universally, and the applications that we list in the section are merely a few instances. In Section 5, implementations of the protocols as well as the results of the experiments after the execution are presented. It can been clearly seen that the tensor triple method provides a significant speedup as well as the crucial property of pre-computability.

2. Preliminaries and Notations

2.1. Vectors and Matrices

In this paper we mainly deal with multi-dimensional objects such as vectors and matrices. We use ${\mathbb{F}}_p$ to denote a finite field of size p, and we use K to denote a finite field or a finite ring. The inner product of two vectors $\mathbf{u},\mathbf{v}\in K^n$ is defined as $\mathbf{u}·\mathbf{v}={\sum }_{i=1}^n{u}_i{v}_i$, and the outer product of two vectors $\mathbf{u}\in K^m,\mathbf{v}\in K^n$ is defined as the matrix $\mathbf{u}\otimes \mathbf{v}={\left(u_i{v}_j\right)}_{1\le i,j\le n}\in M_{m\times n}\left(K\right)$. We use both $AB$ and $A·B$ to denote the standard matrix multiplication.

2.2. Oblivious Transfer (OT)

We provide a very brief introduction of an oblivious transfer together with its multiple invariants in order to import all possible notations to be used. In an oblivious transfer [28], the sender with a pair of messages $(m_0,m_1)$ interacts with the receiver with a choice bit b. The result ensures that the receiver learns $m_b$ but obtains no knowledge of $m_{1-b}$, while the sender obtains no knowledge of b. In an OT extension protocol ${\mathrm{OT}}_l^n$, the input of the sender is n message pairs $(m_{i,0},m_{i,1})\in {\{0,1\}}^{2l}$ and the input of the receiver is a string $\mathbf{b}\in {\{0,1\}}^n$. The result allows the receiver to learn $m_{i,\mathbf{b}\left[i\right]}$ for $1\le i\le n$. In a random OT (ROT), the sender inputs nothing beforehand but obtains two random strings in the outputs as the message pair, and the receiver inputs nothing as well but obtains the choice bit together with the selected message afterwards. Similarly, a batched version of an ROT (also known as an OT extension; see [29,30,31]) that generates n message pairs of bit-length l is denoted by ${\mathrm{ROT}}_l^n$. A correlated OT (COT) [20,32,33] is a variant of an ROT that allows the sender to pre-determine a string $\Delta$ and obtain two correlated random strings as the message pair with their XOR equal $\Delta$. The extension of a COT denoted by ${\mathrm{COT}}_m^n$ allows the sender to choose $\Delta \in {\mathbb{F}}_{2^m}$. The protocol eventually provides two uniformly distributed vectors $\mathbf{u}\in {\mathbb{F}}_2^n,\mathbf{v}\in {\mathbb{F}}_{2^m}^n$ to the receiver and $\mathbf{v}\oplus (\mathbf{u}·\Delta )$ to the sender. A subfield vector oblivious linear evaluation (sVOLE) protocol is a generalization of ${\mathrm{COT}}_m^n$ to an arbitrary finite base field. A vector oblivious linear evaluation (VOLE) allows one party to obtain two vectors $\mathbf{u},\mathbf{v}\in {\mathbb{F}}_p^n$, and the other party to obtain a scalar $x\in {\mathbb{F}}_p$ and the linear evaluation $\mathbf{u}x+\mathbf{v}$.

In further chapters, we will be mainly using the random variants of ${\mathrm{COT}}_m^n$ and sVOLE functionalities defined below in Figure 1. It is not difficult to see that ${\mathrm{RCOT}}_m^n$ is a special case of ${\mathcal{F}}_{\mathrm{RsVOLE}}^{p,m,n}$ when $p=2$.

VOLE protocols with semi-honest and computational security in the OT-hybrid model have been defined in [18,20]. Subfield VOLE, as an important variant of VOLE, has also been implemented in various ways (see [19,20,33,34,35,36]).

2.3. Tensor Triple

In this section, we first define the notion of (additive) vector sharing. By definition, an (additive) secret sharing of a vector $\mathbf{v}$ is simply a set $\{{\left[\mathbf{v}\right]}_1,...,{\left[\mathbf{v}\right]}_s\}$ of s vectors such that ${\sum }_{i=1}^s{\left[\mathbf{v}\right]}_i=\mathbf{v}$, provided the condition that

$$\mathrm{Pr}(\mathbf{v}=\mathbf{x}|{\left\{{\left[\mathbf{v}\right]}_j\right\}}_{j\ne i})=\mathrm{Pr}(\mathbf{v}={\mathbf{x}}^{\prime }|{\left\{{\left[\mathbf{v}\right]}_j\right\}}_{j\ne i})$$

for any $i=1,...,s$ and any $\mathbf{x},{\mathbf{x}}^{\prime }$ in the ambient space.

The notion of a tensor triple has been proposed in various forms (see [16,20]) to more efficiently fulfill the MPC of vectors. We propose the following definition to better facilitate its properties.

Definition 1 

(Tensor triple). By definition, a tensor triple $(\mathit{u},\mathit{v},W)$ consists of data $\mathit{u}\in K^m,\mathit{v}\in K^n,W\in M_{m\times n}\left(K\right)$ satisfying $\mathit{u}\otimes \mathit{v}=\mathit{u}{\mathit{v}}^T=W$.

Definition 2 

(Tensor triple sharing). Let $P_1,...,P_s$ be the participants of a secure multi-party computation protocol over K. By definition, a tensor triple sharing scheme provides two vectors and one matrix ${\left[\mathit{u}\right]}_i\in K^m,{\left[\mathit{v}\right]}_i\in K^n,{\left[W\right]}_i\in M_{m\times n}\left(K\right)$ for the participant $P_i$ such that ${\left[\mathit{u}\right]}_i,{\left[\mathit{v}\right]}_i$ form secret sharings of $\mathit{u}\in K^m,\mathit{v}\in K^n$, respectively, with the relation $\mathit{u}\otimes \mathit{v}=\mathit{u}{\mathit{v}}^T={\sum }_{i=1}^s{\left[W\right]}_i$. Shares of $\mathit{u},\mathit{v}$, and W will be denoted by $\left[\mathit{u}\right],\left[\mathit{v}\right]$, and $\left[W\right]$ if indices are not particularly involved. For our convenience, such a triple will be called an $(m,n)$-triple. A tensor triple sharing scheme is called information-theoretically (or computationally) secure if the distribution of $\mathit{u},\mathit{v}$ to an adversary who obtains ${\left\{({\left[\mathit{u}\right]}_i,{\left[\mathit{v}\right]}_i,{\left[W\right]}_i)\right\}}_{i\ne i^{*}}$ for any $i^{*}\in \{1,...,s\}$ is information-theoretically (or computationally) indistinguishable from the uniform one.

3. Tensor-Triple-Based MPC Protocols

3.1. Tensor Triple Generation

Now, we would like to introduce multiple ways to efficiently generate tensor triples. Figure 2 shows the ideal functionality of tensor triple generation. In practice, the generation process can be fulfilled via subfield VOLE. We provide these protocols in detail below.

3.1.1. sVOLE-Based Two-Party Tensor Triple Generation

An OT-based protocol for generating Beaver multiplication triples was proposed in [37]. In [38], the authors established a more efficient protocol based on a correlated-OT extension. In this section, we propose an sVOLE-based method to efficiently generate tensor triples.

Observe that under a fixed ${\mathbb{F}}_p$-vector space isomorphism $\phi :{\mathbb{F}}_{p^m}\to {\mathbb{F}}_p^m$ (for instance, $\phi (a_0+a_1\alpha +...+a_{m-1}{\alpha }^{m-1})=(a_0,...,a_{m-1})$, where ${\mathbb{F}}_{p^m}$ is realized through an extension ${\mathbb{F}}_p\left[\alpha \right]$ by adding a root of an irreducible monic polynomial of degree m), ${\mathcal{F}}_{\mathrm{RsVOLE}}^{p,m,n}$ becomes the following functionality ${\mathcal{F}}_{{\mathrm{RsVOLE}}^{\prime }}^{p,m,n}$, as shown in Figure 3.

Given a protocol $\mathsf{RsVOLE}(m,n,\lambda )$ realizing ${\mathcal{F}}_{{\mathrm{RsVOLE}}^{\prime }}^{p,m,n}$, where $\lambda$ is the statistical security parameter, we can easily formulate many ways to generate a tensor multiplication triple. Figure 4 shows a straightforward method.

In particular, when $p=2$, one may also use COT protocols in an analogous way to generate tensor triples over fields with even characteristics.

We use two ways to materialize $\mathsf{RsVOLE}(m,n,\lambda )$. The first method is to use COT for the case when $p=2$, as shown in Figure 5. The idea is the same as the one implemented in [20], which uses masking vectors in ${\mathbb{F}}_{2^m}^n$. We adapt and formalize the implementation into the following protocol using masking vectors ${\mathbb{F}}_2^n$.

The second way is to use a silent OT (SOT). The SOT procotol can be directly used to fulfill $\mathsf{RsVOLE}(m,n,\lambda )$. The silent OT process first aims to let the two parties obtain a compressed form of random secret shares $\mathbf{u},\mathbf{v}$ with the correlation $\mathbf{u}=\mathbf{v}\oplus x\mathbf{e}\in {\mathbb{F}}_{2^m}^N$, where $\mathbf{e}\in {\mathbb{F}}_2^N$ is a random, sparse vector held by one party and $x\in {\mathbb{F}}_{2^m}$ is a random field element held by the other party. Once this distribution is fulfilled, the two parties can use a public pre-determined binary matrix H to compress the dimension of the shares from N down to $n<N$, or, more specifically, using a formula to illustrate the process, $\mathbf{u}H=\mathbf{v}H\oplus x\left(\mathbf{e}H\right)$. As a variant of the learning parity with noise (LPN) assumption asserts, the vector $\mathbf{e}H$ is computationally pseudorandom. This, under the classical isomorphism $\phi$, gives exactly a random sVOLE distribution.

To fulfill the distribution of the compressed form, [20] utilizes a GGM PRF tree to obliviously transfer a punctured PRF key $\mathsf{k}\left\{\alpha \right\}$ together with the punctured output $z=\mathsf{PRF}(\mathsf{k},\alpha )+x$ to the receiver. To be more specific, the two parties invoke a total of $l=logN$ parallel OT executions, where the sender’s message pairs consist of sums of “left” and “right” nodes in each layer of the GGM tree and the receiver chooses the messages according to the bit expansion of his chosen path to $\alpha$. A parallel distribution of multiple punctured PRF keys leads to a sharing of the vector differed by a sporadic vector $x\mathbf{e}$ and hence a distribution of the needed correlation. We refer to [20] for a detailed description of the SOT protocol.

3.1.2. Third-Party Tensor Triple Generation

A third-party with computational power may be eligible for providing triples for multiple parties in a much more efficient way. This idea has been explored by many people, such as [39,40]. The flexibility of the tensor triple allows the server to provide triples of fixed dimensions while fulfilling the needs for all lower-dimensional computations. More specifically, the dimensions of the triples may be pre-determined, as a generic $(n,n)$-triple could be tailored to serve as a pair of triples of dimensions $(s,t)$ and $(n-s,n-t)$ for any $s,t<n$. This means that the parties may not need to know the precise dimensions in advance for the pre-processing procedure. A great advantage is that a specialized server may serve as the triple generator for multiple sets of multiple parties in order to speed up all pre-processing procedure. In the setting of the existence of a trusted server, the server-aided tensor triple distribution can be naturally extended to a generic multi-party scenario. As a reference, in [41], the author provides server-aided 3PC and 4PC tensor triple distribution protocols with optimization.

3.2. Secure Multi-Dimensional Arithmetic Evaluations

In this section we will discuss various vector operations that may be performed securely using Beaver’s method. When $m=n=1$, tensor triples are simply usual Beaver triples. Therefore, they can also be used for basic arithmetics. We mainly discuss the multi-dimensional computations below.

3.2.1. Linear Operations and Dot Product

As expected, additions and operations involving constants may all be computed locally without any interaction by the homomorphicity. More specifically, the following operations are securely multi-party computable and the computation can be performed locally without any interaction:

• $\left[\mathbf{a}\right]+\left[\mathbf{b}\right]=[\mathbf{a}+\mathbf{b}]$;
• Given a public constant vector $\mathbf{c}$, ${[\mathbf{a}+\mathbf{c}]}_1={\left[\mathbf{a}\right]}_1+\mathbf{c}$, ${[\mathbf{a}+\mathbf{c}]}_i={\left[\mathbf{a}\right]}_i$ for $i\ne 1$;
• $c\left[\mathbf{a}\right]=\left[c\mathbf{a}\right]$, where $c\in K$ is a constant number;
• $\mathbf{c}·\left[\mathbf{a}\right]=[\mathbf{c}·\mathbf{a}]$, where $\mathbf{a}\in K^n$, and $\mathbf{c}\in K^n$ is a constant vector;
• $\mathbf{c}\otimes \left[\mathbf{a}\right]=[\mathbf{c}\otimes \mathbf{a}]$, where $\mathbf{c}$ is a constant vector.

Now, let us consider the dot product of two vectors $\mathbf{a},\mathbf{b}$ in the same dimension n. Suppose that we have an $(n,n)$-triple. First, we denote $\mathbf{a}-\mathbf{u}=\mathbf{s},\mathbf{b}-\mathbf{v}=\mathbf{t}.$ By Beaver’s method, each party may announce its share of $\mathbf{s}$ and $\mathbf{t}$ to recover the two vectors. Then, they could securely compute the shares as $[\mathbf{a}·\mathbf{b}]=\mathbf{s}·\mathbf{t}+\left[\mathbf{u}\right]·\mathbf{t}+\left[\mathbf{v}\right]·\mathbf{s}+\mathrm{tr}\left(\right[W\left]\right).$ Note that the last term uses the fact that the trace function is linear. The correctness can easily be verified by a direct computation. One thing to be noted is that the usage of tensor triples for fulfilling one single secure inner product is rather wasteful, and therefore the tensor triple method is more suitable for the case where a batch of cross inner products are needed. The batching process will be discussed in detail in Section 4.

3.2.2. Outer Product and Matrix Product

Figure 6 shows the ideal functionality for secure multi-party outer product computation. One can use exactly the same method to fulfill the need of an outer product. Let us suppose that all parties would like to compute the outer product $\mathbf{a}\otimes \mathbf{b}$ of two vectors $\mathbf{a}\in K^m$ and $\mathbf{b}\in K^n$ with the help of an $(m,n)$-triple $(\mathbf{u},\mathbf{v},W)$. First, we denote $\mathbf{a}-\mathbf{u}=\mathbf{s},\mathbf{b}-\mathbf{v}=\mathbf{t}.$ Then, similarly, we could compute

$$\mathbf{a}\otimes \mathbf{b}=(\mathbf{s}+\mathbf{u})\otimes (\mathbf{t}+\mathbf{v})=\mathbf{s}\otimes \mathbf{t}+\mathbf{u}\otimes \mathbf{t}+\mathbf{s}\otimes \mathbf{v}+W.$$

Therefore, we could similarly make the protocol described below in Figure 7.

As a direct application of the outer product, we can now introduce a way to securely compute a matrix product of two matrices. Figure 8 shows the functionality of secure multi-party matrix multiplication. In practice, we consider $A\in M_{m\times k}\left(K\right),B\in M_{k\times n}\left(K\right).$ First, denote the columns of A by $A=({\mathbf{a}}_1,...,{\mathbf{a}}_k)$ and the rows of B by $B={({\mathbf{b}}_1,...,{\mathbf{b}}_k)}^T$. As is well-known, the matrix product has the following outer product expansion formula: $AB={\sum }_{i=1}^k{\mathbf{a}}_i\otimes {\mathbf{b}}_i.$ Therefore, it is easy to formulate a way to compute the matrix product from the outer product primitive. All the parties may simultaneously perform k primitives to compute each summand in the formula above and then individually add the results together without any further interaction. A protocol is described as follows in Figure 9.

3.2.3. Security

Regarding the security of all protocols proposed above, the proofs are somehow evident from the simple observation that the triple always hides the input vectors perfectly and in none of the protocols is the third matrix share published in any sense. This also illustrates the correct and secure usage of tensor triples, namely to randomize the input vectors to announce while always keeping the third matrix share secret. The precise statements of the security are given below.

Theorem 1 

([20]). The COT-based RsVOLE protocol (Figure 5) realizes the functionality ${\mathcal{F}}_{{\mathit{RsVOLE}}^{\prime }}^{p,m,n}$ in the two-party setting and is semi-honest secure.

Theorem 2. 

The sVOLE-based tensor triple generation protocol $\mathsf{TT}.\mathsf{Gen}\left(\right)$ realizes the functionality ${\mathcal{F}}_{\mathit{TTGen}}^{p,m,n}$ in the two-party setting and is semi-honest secure in the ${\mathcal{F}}_{{\mathit{RsVOLE}}^{\prime }}^{p,m,n}$-hybrid model.

Proof. 

Due to symmetry, it suffices to consider a semi-honest adversary $P_0$.

Security against corrupted $P_0$: We construct the simulator ${\mathsf{SIM}}_{\mathrm{\Pi }}^{P_1}$, which acts as the participant $P_1$ as follows.

1.

The simulator invokes ${\mathcal{F}}_{{\mathrm{RsVOLE}}^{\prime }}^{p,m,n}$ as the sender and receives $\mathbf{x}{\in }_r{\mathbb{F}}_p^m,V{\in }_r{\mathbb{F}}_p^{mn}$.

2.

The simulator invokes ${\mathcal{F}}_{{\mathrm{RsVOLE}}^{\prime }}^{p,m,n}$ as the receiver and receives ${\mathbf{y}}^{\prime }{\in }_r{\mathbb{F}}_p^n,U^{\prime }{\in }_r{\mathbb{F}}_p^{mn}$.

The following hybrid games are then performed to show the claim of the statement.

${\mathcal{H}}_0$:

The real-world execution of the protocol, where the simulator acts exactly as an honest $P_1$.

${\mathcal{H}}_1$:

The ideal-world execution. The simulator acts as ${\mathsf{SIM}}_{\mathrm{\Pi }}^{P_1}$. This hybrid is indistinguishable from the original hybrid ${\mathcal{H}}_0$ by Theorem 1.

□

Theorem 3. 

The secure outer product protocol $\mathsf{Out}\left(\right)$ realizes the functionality ${\mathcal{F}}_{\mathit{Out}}$ and is semi-honest secure in the ${\mathcal{F}}_{\mathit{TTGen}}^{p,m,n}$-hybrid model.

Proof. 

The proof is similar to the one in Theorem 2. Due to symmetry, it suffices to consider a semi-honest adversary $P_i$ for a fixed i.

Security against corrupted $P_i$: We construct the simulator ${\mathsf{SIM}}_{\mathrm{\Pi }}^{P_{\widehat{i}}}$, which acts as the other participants as follows.

1.

The simulator receives from the adversary $P_i$ the shares ${\left[\mathbf{a}\right]}_i\in K^m,{\left[\mathbf{b}\right]}_i\in K^n$ of two vectors $\mathbf{a}\in K^m,\mathbf{b}\in K^n$.

2.

The simulator invokes ${\mathcal{F}}_{\mathrm{TTGen}}^{p,m,n}$ as the participant $P_i$ and receives ${\left[\mathbf{u}\right]}_i\in K^m,{\left[\mathbf{v}\right]}_i\in K^n,{\left[W\right]}_i\in M_{m\times n}\left(K\right)$.

3.

The simulator samples random vectors ${\left[\mathbf{s}\right]}_{\widehat{i}}\in K^m,{\left[\mathbf{t}\right]}_{\widehat{i}}\in K^n$ for all $\widehat{i}\ne i$ and sends to the adversary $P_i$ the shares ${\left[\mathbf{s}\right]}_{\widehat{i}},{\left[\mathbf{t}\right]}_{\widehat{i}}$.

4.

The view of the adversary follows the execution of the protocol with ${\left[\mathbf{s}\right]}_{\widehat{i}},{\left[\mathbf{t}\right]}_{\widehat{i}}$.

The following hybrid games are then performed to show the claim of the statement.

${\mathcal{H}}_0$:

The real-world execution of the protocol, where the simulator acts exactly as an honest $P_i$.

${\mathcal{H}}_1$:

The ideal-world execution. The simulator acts as ${\mathsf{SIM}}_{\mathrm{\Pi }}^{P_{\widehat{i}}}$. This hybrid is indistinguishable from the original hybrid ${\mathcal{H}}_0$ by Theorem 2 and the security of the Beaver method.

□

Theorem 4. 

The secure matrix product protocol $\mathsf{MatProd}\left(\right)$ realizes the functionality ${\mathcal{F}}_{\mathit{MatProd}}$ and is semi-honest secure in the ${\mathcal{F}}_{\mathit{Out}}$-hybrid model.

Proof. 

As pointed out in the earlier sections, ${\mathcal{F}}_{\mathrm{MatProd}}$ can be seen as individual applications of ${\mathcal{F}}_{\mathrm{Out}}$ for a multiple amount of times. Therefore, $\mathsf{MatProd}\left(\right)$ as an application of multiple $\mathsf{Out}\left(\right)$ individually realizes ${\mathcal{F}}_{\mathrm{MatProd}}$. The proof is similar to the one in Theorem 2 and we omit it for brevity. □

3.2.4. Compact Storage of Tensor Triples

Since tensor triples are often generated in the pre-processing phase, the storage of tensor triples is a major concern. As tensor triples can be regarded as a decomposition of matrix triples, the total size of tensor triples used in a generic secure matrix multiplication is comparatively larger than that of classical matrix triples needed in the same protocol. To solve this problem, note that the outer product expansion

$$AB=\sum _{i=1}^k{\mathbf{a}}_i\otimes {\mathbf{b}}_i$$

in terms of the columns of $A=({\mathbf{a}}_1,...,{\mathbf{a}}_k)\in M_{m\times k}\left(K\right)$ and the rows of $B={({\mathbf{b}}_1,...,{\mathbf{b}}_k)}^T\in M_{k\times n}\left(K\right)$ can be arranged in multiple ways to form more compact decompositions. More specifically, we have the decomposition $AB={\sum }_{i=1}^s{A}_i\otimes B_i$, where $A_i=({\mathbf{a}}_{j_1+...+j_{i-1}+1},...,{\mathbf{a}}_{j_1+...+j_i})\in M_{m\times j_i}\left(K\right)$ and $B_i={({\mathbf{b}}_{j_1+...+j_{i-1}+1},...,{\mathbf{b}}_{j_1+...+j_i})}^T\in M_{j_i\times n}\left(K\right)$ for arbitrary $j_1,...,j_s\ge 1$ such that $j_1+...+j_s=k$. Therefore, a secure matrix multiplication can be performed using a family of triples $(U_i,V_i,W_i)$ for $i=1,...,s$ where $U_i\in M_{m\times j_i}\left(K\right),V_i\in M_{j_i\times n}\left(K\right)$ and $W_i\in M_{m\times n}\left(K\right)$ such that $U_i{V}_i=W_i$. Also, note that this type of matrix triple can be generated by an assembly of tensor triples. Therefore, the parties can amalgamate some tensor triples to save space, while preserving adequate original tensor triples. A description of the amalgamation method is given in Figure 10. Note that this can shrink the storage space of tensor triples by approximately $1/l$.

Although this seems an ideal way to shrink the storage space, we need to clarify that, in the process of amalgamation, the triples lose some flexibility, more specifically, if the parties have only generated amalgamated tensor triples of the form $(U,V,W)$, where $U\in M_{m\times l}\left(K\right),V_{\in }{M}_{l\times n}\left(K\right)$ and $W\in M_{m\times n}\left(K\right)$. Then, they can only directly accomplish a secure matrix multiplication of two matrices $A\in M_{s\times k}\left(K\right)$ and $B\in M_{k\times t}\left(K\right)$ for $s\le m$, $t\le n$, and $l|k$. We refer to Section 4.3.1 for a more detailed explanation of this issue. Hence, the parties need to be careful when choosing the amalgamation size l to balance the storage space and the flexibility of the amalgamated tensor triples. In general, if the parties have generated amalgamated tensor triples of the form $(U_i,V_i,W_i)$ for $i=1,...,s$ where $U_i\in M_{m\times l_i}\left(K\right),V_i\in M_{l_i\times n}\left(K\right)$ and $W_i\in M_{m\times n}\left(K\right)$, then they can securely compute the matrix product of two matrices $A\in M_{s\times k}\left(K\right)$ and $B\in M_{k\times t}\left(K\right)$ for $s\le m$, $t\le n$ and any k such that $k={\sum }_{i=1}^s{l}_i{x}_i$ has a non-negative integer solution vector $\mathbf{x}=(x_1,...,x_s)$.

According to our observation, in practice, the dimensions of matrices involved in matrix multiplication in various biometric identification and machine learning functionalities are multiples of a power of 2 or 10 due to coding or conventional reasons. Hence, in practice, the MPC participants may choose the amalgamation size accordingly, say $l=8$, for instance.

In general, the amalgamation process can also be extended to multiple amalgamation sizes $l_1,...,l_t$. By choosing these sizes wisely, the parties may achieve a better compacting of the storage of tensor triples.

As a last note, although the tensor triples together with the amalgamated variant can all be trimmed, column-wise for the first component and row-wise for the second component, to fulfill the secure computation requirement of two matrices with smaller sizes, they cannot be extended in the same direction directly to fulfill the secure computation of two matrices with larger sizes. One possible solution to such a problem is to try to generate tensor triples with “infinite” dimensions. We refer to [41] for details of such a method.

4. Applications

4.1. Batched Squared Euclidean Distance Computing

Squared Euclidean distance is a widely used and crucial function in biometric identification and machine learning. In biometric identification, it is often the case that the client needs to launch multiple queries and the server needs to compute the squared Euclidean distance between each query with all references in its own dataset. This type of batched query essentially portrays a matrix multiplication functionality. Therefore, one can use a tensor triple to accelerate this process. We will explain this by presenting concrete examples as follows.

4.2. Batched Privacy-Preserving Biometric Identification

In this chapter, we show applications for vector triples on privacy-preserving biometric identification protocols. Biometric identification, such as face recognition and fingerprint recognition, often involves computation between biometric samples and references in a dataset. In this scenario, Euclidean distance computing between a vector and a fixed family of vectors is implemented each time a query is launched. We demonstrate that tensor triples can be used for batched queries in privacy-preserving biometric identification protocols to extremely increase the efficiency.

4.2.1. FingerCode

FingerCode [3,21] is a fingerprint recognition algorithm. In the setting of FingerCode, the server holds a dataset of references $Y=({\mathbf{y}}_1^T,...,{\mathbf{y}}_n^T)\in M_{k\times n}\left(K\right)$. The client would like to securely make a batch of queries $X={({\mathbf{x}}_1^T,...,{\mathbf{x}}_m^T)}^T\in M_{m\times k}\left(K\right)$ for recognition. The protocol should proceed as described below.

1.

The parties securely compute $D=D_X+D_Y-2XY\in M_{m\times n}\left(K\right)$, where $D_X=({\mathbf{x}}_1{\mathbf{x}}_1^T,...,{\mathbf{x}}_m{\mathbf{x}}_m^T)\otimes (1,1,...,1)$ and $D_Y=(1,1,...,1)\otimes ({\mathbf{y}}_1{\mathbf{y}}_1^T,...,{\mathbf{y}}_n{\mathbf{y}}_n^T).$

2.

The parties securely compare entries of D with the pre-determined threshold d. Recognize ${\mathbf{x}}_i$ as ${\mathbf{y}}_j$ if $D_{ij}\le d$.

Note that $D_X$ and $D_Y$ can be computed locally. Therefore, the first step can be fulfilled by implementing $\mathsf{MatProd}(X,Y)$ using tensor triples. The second step can be carried out using any regular implementation of the secure comparison protocol.

4.2.2. Eigenfaces

Eigenfaces [22] is a classical face recognition algorithm. In the setting of Eigenfaces, the server holds a dataset of Eigenfaces $U=({\mathbf{u}}_1^T,...,{\mathbf{u}}_n^T)\in M_{k\times n}\left(K\right)$, an average face $\overline{\mathbf{u}}\in K^k$, and a dataset of N projected faces $Y=({\mathbf{y}}_1^T,...,{\mathbf{y}}_N^T)\in M_{n\times N}\left(K\right)$. The client would like to securely make a batch of queries $X={({\mathbf{x}}_1^T,...,{\mathbf{x}}_m^T)}^T\in M_{m\times k}\left(K\right)$ for recognition. The protocol should proceed as described below.

1.

The parties securely compute $\overline{X}=(X-\overline{U})U\in M_{m\times n}\left(K\right)$, where $\overline{U}={({\overline{\mathbf{u}}}^T,...,{\overline{\mathbf{u}}}^T)}^T\in M_{m\times k}\left(K\right)$;

2.

The parties securely compute $D=D_X+D_Y-2\overline{X}Y\in M_{m\times N}\left(K\right)$, where $D_X=({\overline{\mathbf{x}}}_1{\overline{\mathbf{x}}}_1^T,...,{\overline{\mathbf{x}}}_m{\overline{\mathbf{x}}}_m^T)\otimes (1,1,...,1)$ and $D_Y=(1,1,...,1)\otimes ({\mathbf{y}}_1{\mathbf{y}}_1^T,...,{\mathbf{y}}_N{\mathbf{y}}_N^T).$ More specifically, they use a Beaver triple to compute ${\overline{\mathbf{x}}}_i·{\overline{\mathbf{x}}}_i$ and tensor triple to compute $\overline{X}Y$. Also, note that $D_Y$ can be computed locally;

3.

The parties securely compare entries of D with the pre-determined threshold d. Recognize ${\mathbf{x}}_i$ as ${\mathbf{y}}_j$ if $D_{ij}\le d$.

4.2.3. FaceNet

FaceNet [23] is a more recent facial recognition system based on deep learning. It was proposed in 2015 and successfully provided a way to generate a very-high-quality mapping from face images to their vector representatives. In its setting, the server holds a dataset of references $Y=({\mathbf{y}}_1^T,...,{\mathbf{y}}_n^T)\in M_{k\times n}\left(K\right)$. The client would like to securely make a batch of queries $X={({\mathbf{x}}_1^T,...,{\mathbf{x}}_m^T)}^T\in M_{m\times k}\left(K\right)$ for recognition. We assume that all the data have been pre-processed through a well-trained network. The MPC part of the overall protocol proceeds exactly the same as in the FingerCode case and we omit the protocol for brevity.

As a remark, the flexibility of tensor triples allows us to apply all protocols above on a dataset of vectors in an arbitrary dimension. This is extremely useful as dimensions of data points may vary in different settings.

4.2.4. One-Sided Triple Method

Note that, in the protocols above and also other applications in practice, the parties often need to compute a matrix product of two matrices, where one is fully determined by one party’s input and the other one is also fully determined by the other party’s input. In this case, to securely compute an outer product, instead of using the original tensor triple method, they can simply invoke one subfield VOLE to generate a “one-sided” triple and use a multiple of these triples to accomplish the secure computation. More specifically, let $(\mathbf{a},V)$ and $(\mathbf{b},U)$ be the distributed VOLE to the participants $P_1$ and $P_2$ such that $U=-V+\mathbf{a}\otimes \mathbf{b}$. When the parties want to securely compute the outer product $\mathbf{x}\otimes \mathbf{y}$, where $\mathbf{x}$ is determined by $P_1$ and $\mathbf{y}$ is determined by $P_2$, the parties can announce $\mathbf{s}=\mathbf{a}+\mathbf{x}$ and $\mathbf{t}=\mathbf{b}+\mathbf{y}$, respectively. Then, since

$$\mathbf{x}\otimes \mathbf{y}=(\mathbf{s}-\mathbf{a})\otimes (\mathbf{t}-\mathbf{b})=(\mathbf{s}\otimes \mathbf{t}-\mathbf{a}\otimes \mathbf{t}+U)+(-\mathbf{s}\otimes \mathbf{b}+V),$$

the two parties can then output the values enclosed in two parentheses, respectively. Compared to the tensor triple method, a one-sided triple only requires a single invocation of the subfield VOLE protocol.

4.2.5. Joint Biometric Identification

In practice, we also consider the scenario where several parties would like to jointly identify a union of individual data, such as a criminal investigation by a joint investigation team or model training in federated learning. Formally speaking, consider that the clients $P_1,...,P_n$ would like to jointly launch a query to the server S, and each $P_i$ holds a batch of queries

$$X^{\left(i\right)}=({\mathbf{x}}_1^{\left(i\right)},...,{\mathbf{x}}_{i_j}^{\left(i\right)})$$

while the server S holds a dataset of references $Y=({\mathbf{y}}_1,...{\mathbf{y}}_n)$. Instead of launching the secure Euclidean distance computation protocol separately, they may also realize the secure computation in a single packaged protocol, where each $P_i$ holds $(0,...,0,{\mathbf{x}}_1^{\left(i\right)},...,{\mathbf{x}}_{i_j}^{\left(i\right)},0,...,0)$ as the share of the joint input

$$X=\left(X^{\left(1\right)}\right|...\left|X^{\left(n\right)}\right)$$

Then, they do not need an extra secret sharing step, and they can directly compute ${\left[D_X\right]}_i=D_{X^{\left(i\right)}}$ without interaction. Note that the participants could individually invoke protocols with the server and obtain the same efficiency if we only consider the online phase. However, if the triples have been generated beforehand for all parties, they cannot be used in these one-on-one communications with the server and, therefore, extra triple generation steps are required.

4.3. Privacy-Preserving Machine Learning

In many widely used machine learning training functionalities, such as linear regression (both the gradient descent method and the direct least-square method) and ridge regression, principal component analysis (PCA), fully connected layers in a convolutional neural network (CNN), matrix multiplication, and so on, the matrix multiplication procedure dominates the overhead of the overall complexity. Secure multi-party matrix multiplication may simply be realized using Beaver triples, but for a matrix multiplication of size $(m,k)$ by $(k,n)$, we need k$(m,n)$-triples or $mnk$ Beaver triples. While the cost may not seem to differ much in low dimensions, the cost of Beaver triples will increase quadratically as the size of the matrices increases. As an example, to carry out a secure multi-party matrix multiplication between two $1024\times 1024$ matrices over ${\mathbb{Z}}_{2^{32}}$, we need $2^{30}$ Beaver triples in total. Even the generation process of this many Beaver triples is a burden to all the parties. For instance, if we use an RLWE-based method [42] for Beaver triple generation, the communication cost reaches an astonishing 256TB. Meanwhile, the parties only need to consume 1024 of $(1024,1024)$-tensor triples to accomplish the computation, which only yields an approximately 115 GB communication cost for the silent OT method. Due to the batch generation nature of sVOLE, it is much easier to generate tensor triples of the required amount.

4.3.1. Matrix-Triple-Based MPC

Apart from the classical Beaver triple method, previous works such as SecureML [24] and SecureNN [25] apply the matrix triple method to fulfill secure matrix multiplication functionality. More specifically, the parties generate matrix triples of the form $\left(\right[X],[Y],[Z\left]\right)$, where $Z=XY$, and later use them to mask input matrices. This seems a straightforward and convenient way to accomplish the requirement, but no longer has the crucial pre-computability property obtained by the original Beaver method. To be specific, if the parties choose to generate classical matrix triples $\left(\right[X],[Y],[Z]=[X·Y\left]\right)$ to assist the computation of matrix multiplication, the parties must choose the dimensions of $X,Y,Z$ to be exactly the ones used in the online phase. This is because a matrix triple cannot be trimmed to form a matrix triple of smaller dimensions, which is shown according to the following block matrix computation:

$$\left[\begin{array}{cc}{X}_{\mathrm{trim}}& X_{12}\\ X_{21}& X_{22}\end{array}\right]\left[\begin{array}{cc}{Y}_{\mathrm{trim}}& Y_{12}\\ Y_{21}& Y_{22}\end{array}\right]=\left[\begin{array}{cc}{X}_{\mathrm{trim}}{Y}_{\mathrm{trim}}+X_{12}{Y}_{21}& \ast \\ \ast & \ast \end{array}\right]\ne \left[\begin{array}{cc}{Z}_{\mathrm{trim}}& \ast \\ \ast & \ast \end{array}\right]$$

This dispossession of the flexibility is definitely not insignificant. In practice, the parties may not be able to know the sizes of the matrices involved in the MPC protocol beforehand. The matrices used in the MPC protocol may vary in sizes and dimensions, so there is no universal way for triple generation. In short, for the matrix triple method, the triples cannot be generated in the offline phase in general.

On the other hand, the tensor multiplication triples are more flexible and applicable for matrix operations. As mentioned in previous sections, any $(n,n)$-triple can be trimmed to serve as two triples of size $(s,t)$ and $(n-s,n-t)$, respectively, for any $s,t<n$. Therefore, secure multi-party matrix operations with different matrix sizes can be achieved using tensor triples of a universal size. Also, when the tensor triple technique is applied to achieve the secure multi-party matrix multiplication $A·B$, the number of columns of A (which equals the number of rows of B) can be arbitrary. This is extremely convenient in most applications, for example, the ones we will introduce in Section 4. Hence, the tensor triple method still provides the pre-computability property just as the original Beaver method, as the method does not require the parties to know anything about k while still being able to utilize the pre-computed triples.

4.3.2. Optimization for Horizontal Data

We also consider a practical scenario where a matrix is formulated by a concatenation of separate datasets from multiple parties. This often happens when the data are of the vector form and hence a concatenation of numerous data naturally forms a matrix. In this case, the parties do not need to re-share their private inputs, but can hold the data directly as the sharing of the result matrix. This can save a lot of communication cost especially when dealing with large-scale datasets.

5. Implementation and Performance

In this chapter, our implementations are based on C++. All experiments, including those in references, have been run by ourselves on a desktop with AMD 3950X CPU and 48 GB RAM. We consider both simulated LAN and WAN environments with 500 mbps bandwidth and 20 ms one-way latency. The protocols are suitable for multi-threading by parallel computation, but we measure the performance in a single-thread setting. The experiments are executed 10 times and the medians of the results are presented in the following tables. Source codes have been provided at https://github.com/lzjluzijie/triple (accessed on 1 July 2025).

5.1. Tensor Triple Generation

We implement both the correlated-OT-based protocol and silent-OT-based protocol for $\mathsf{RsVOLE}$. We also use the libOTe library to fulfill basic functionalities, such as COT and OT extensions. For the silent OT, we use the expand-convolute code from [36] with expander weight 7 and convolution state size 24. The hamming weight of the sparse vector in this setting is 400, which means that each silent VOLE requires an execution of an OT-extension-based subfield VOLE of size 400.

We present the performance as well as the corresponding communication cost for each method in

Table 1. Performance of COT-based 32-bit $(m,n)$-tensor triple generation (in milliseconds). For each size, we generate $1,2^5,2^{10}$ triples (arranged in rows).

$\mathit{m}\setminus \mathit{n}$	$2^3$		$2^8$		$2^{10}$		$2^{14}$
	LAN	WAN	LAN	WAN	LAN	WAN	LAN	WAN
$2^3$	10	188	10	312	12	394	53	985
	14	317	23	649	60	1596	748	19,153
	287	5836	567	15,354	1771	45,577	22,378	597,527
$2^8$			29	654	108	1603	3906	22,553
			409	9356	1737	37,379	85,391	602,922
			12,603	309,499	57,274	1,181,690
$2^{10}$					638	5530	22,323	92,565
					14,003	149,363	567,917	2,665,457
					425,520	4,732,780

,

Table 2. Performance of SOT-based 32-bit $(m,n)$-tensor triple generation (in milliseconds). For each size, we generate $1,2^5,2^{10}$ triples (arranged in rows).

$\mathit{m}\setminus \mathit{n}$	$2^3$		$2^8$		$2^{10}$		$2^{14}$
	LAN	WAN	LAN	WAN	LAN	WAN	LAN	WAN
$2^3$	104	529	93	528	93	576	193	691
	3865	4554	3765	4651	3840	4690	7922	7972
	123,127	143,559	122,763	143,203	122,937	140,101	257,346	267,526
$2^8$			593	1603	591	1646	763	1733
			24,532	33,195	24,534	32,774	31,096	37,629
			786,790	1,047,499	788,486	1,052,955	1,006,983	1,193,853
$2^{10}$					2271	4850	2647	5252
					92,154	137,287	104,976	142,970
					2,991,083	4,441,299	3,395,699	4,606,848

and

Table 3. Communication cost of 32-bit $(m,n)$-tensor triple generation (in megabytes). For each size, we test the cost for $1,2^5,2^{10}$ triples (arranged in rows).

$\mathit{m}\setminus \mathit{n}$	$2^3$		$2^8$		$2^{10}$		$2^{14}$
	COT	SOT	COT	SOT	COT	SOT	COT	SOT
$2^3$	0.03	1.00	0.52	1.00	2.02	1.00	32.02	1.23
	0.76	32.86	16.26	32.86	64.26	32.86	1024.26	39.31
	12.10	525.82	260.10	525.82	1028.10	525.82	16,388.08	628.95
$2^8$			16.26	28.79	64.26	28.79	1024.26	28.99
			520.01	921.21	2056.01	921.21	32,776.01	927.65
			8320.08	14,739.36	32,896.08	14,739.36	––	14,842.48
$2^{10}$					257.01	114.76	4097.02	114.96
					8224.01	3672.21	131,104.04	3678.65
					130,969.60	58,755.36	––	58,858.48

. It can be seen from the tables that the COT method is more efficient when tensor triples of small sizes are needed while the SOT method allows for the generation of tensor triples of large sizes with a moderate communication cost.

We present here also a high-level analysis of the two methods. In small cases, the COT-based generation method is straightforward and faster, while it may take a considerable amount of time for the SOT-based method to finish the structure building for the protocol. When one deals with matrices of large dimensions or needs a large amount of tensor triples, since there is a linear overhead in the communication cost of the COT-based generation method, the data transfer may become intolerable for the parties to generate these triples, while, on the other hand, as the communication cost of the SOT-based generation method is sublinear asymptotically, it requires much less communication to generate all the necessary tensor triples.

5.2. Matrix Multiplication

Table 4. Performance and communication cost of triple-based 32-bit $(m,k)\times (k,n)$ matrix multiplication time (in milliseconds and megabytes, resp.).

k	$\mathit{m}=\mathit{n}$	$2^3$			$2^5$			$2^8$			$2^{10}$
	Online	LAN	WAN	Com.	LAN	WAN	Com.	LAN	WAN	Com.	LAN	WAN	Com.
$2^3$	Tensor	1	26	0.001	1	26	0.004	1	27	0.03	11	44	0.13
	Matrix	2	142	0.002	3	142	0.010	3	267	0.30	77	529	4.19
$2^8$	Tensor	1	26	0.031	1	37	0.125	22	62	1.00	292	323	4.00
	Matrix	3	143	0.047	3	225	0.191	92	588	1.75	4076	5220	10.00
$2^{10}$	Tensor	1	37	0.125	2	44	0.500	71	128	4.00	1062	1289	16.00
	Matrix	3	225	0.188	8	391	0.754	372	896	6.25	12,799	15,134	28.00

shows the performance and communication cost of the online phase for our implementation of the tensor-triple-based secure multi-party matrix multiplication protocol and a comparison of the classical matrix method used in other works on secure machine learning (for instance, [24,25]), and we use the server-aided method described in [25], which we consider to be the fastest implementation for the matrix method. In this table, we do not consider the generation procedure of the matrix triples as in the pre-processing phase as we do not presume the knowledge of the exact dimensions of matrices used in the MPC protocol.

As a comparison with previous works [15,27,43], we also provide

Table 5. Comparison of our performance with previous works on 128-bit square matrix multiplication of size $d\times d$ (single thread by default, LAN environment, in seconds).

d	[15] (16 thrds.)	[15]	SPDZ [43]	[27] (16 thrds.)	Ours	Ours (Offline)
128	5.90	36	128	3.09	0.01	0.51
256	25.50	214	900	13.49	0.05	2.82
384	68.30	654	2808	33.60	0.16	9.22
512	138.00	1470	6300	67.39	0.40	18.94
1024	870.00	10,380	44,100	395.20	4.32	143.36

on the performance of secure multi-party square matrix multiplication protocols. Due to a lack of source codes or problems in code running, we were not able to individually launch experiments in these previous works under the same environment, but we believe that the statistics in the table already imply the high efficiency of the tensor triple method. Note that our experiments are executed with a single thread, and matrix multiplication is known to be highly parallelizable. The computation can be fulfilled easily using parallel computation. Although not given explicitly in the performance tables, parallel computation is capable of significantly reducing the overall computational cost. Hence, our performance significantly outperforms all previous works listed in the table. This is reasonable as, in these previous works, homomorphic encryption is heavily used, while, in our work, we have mainly applied VOLE, which is somewhat lightweight comparatively.

5.3. Batched Privacy-Preserving Biometric Identification

In this section we present the performance of tensor-triple-based implementations of batched queries of FingerCode [21] and Eigenfaces [22] protocols with a comparison of the efficiency with the GSHADE [6] protocol, and FaceNet [23] with a comparison with the [44] protocol. For FingerCode, we use 640-dimensional vectors of 8-bit elements, and we use 32 bits to record each square Euclidean distance. For EigenFaces, we use 10304-dimensional vectors of 8-bit elements, and we use 32 bits to record each square Euclidean distance. For FaceNet, the database consists of 128-dimensional vectors of elements with floating point precision, but a truncation will be applied to all of the elements to map them into 8-bit strings, and each final square Euclidean distance consumes 64 bits. It can be seen from the comparison that the tensor triple significantly accelerates the identification process. The data for the performance of FingerCode and FaceNet protocols are collected individually according to our experiments. The experiments for all implementations are run in the same environment introduced at the beginning of this chapter.

Table 6. Performance of secure squared Euclidean distance computation in batched FingerCode protocol (128 queries, LAN environment).

	$\mathit{n}=128$			$\mathit{n}=1024$
Protocol	[6]	Ours	Ours (Offine)	[6]	Ours	Ours (Offline)
Time (s)	154.37	0.02	1.90	176.64	0.08	15.54
Comm. (MB)	1688.71	1.25	2640.02	5379.24	5.63	20,560.00

shows a comparison between the performances of our FingerCode implementation with COT-based triple generation and the one in [6]. Clearly, the tensor triple method achieves a much better online performance according to the comparison. It is worth noting that, while the proposed method significantly reduces online computation time, it induces higher communication overhead in the offline phase as a trade-off. Therefore, the tensor triple method is suitable for the stateful protocols where the offline cost is not a major concern compared to the interaction phase.

Table 7. Performance of Eigenfaces protocol without the secure comparison step (80 queries, LAN environment).

	$\mathit{N}=320$		$\mathit{N}=1000$
Protocol	Ours	Ours (Offline)	Ours	Ours (Offline)
Time (s)	0.03	41.44	0.03	124.24
Communication (MB)	14.57	65,207.00	14.69	202,057.00

shows the performance of our implementation for the Eigenfaces protocol with COT-based triple generation. As a comparison to the performance in [6], a single query for the $N=320$ case would take 0.6 s to fulfill, and the corresponding communication cost is 7.7 MB. When $N=1000$, a single query takes 1.6 s and costs 9.4 MB. Although the performance in [6] also takes the secure comparison step into consideration, it can still clearly be seen that the tensor triple method behaves much better for batched queries.

Table 8. Performance (time in seconds, LAN environment) of secure squared Euclidean distance computation in batched FaceNet protocol for m queries against a database of n references.

$(\mathit{m},\mathit{n})$	[44]	Ours (Online)	Ours (Offline, COT)	Ours (Offline, SOT)
$(2^4,2^4)$	2.58	<0.01	0.02	-
$(2^4,2^{10})$	165.95	0.01	0.38	12.00
$(2^{10},2^{10})$	10,559.68	0.25	19.46	1219.05

shows a comparison between the performances of our FaceNet implementation and the one in [44]. We achieve a significant speedup by around 10,000 times.

One may argue that there is a pre-computation cost for the tensor triple method. We shall elaborate here with two points. First, even if one considers the generation step, the tensor triple method still performs faster under almost all circumstances, as shown in the tables. Second, as we have pointed out, the tensor triple method truly enables the possibility of a pre-computation process in secure multi-party matrix computation. Compared to other protocols, for instance, GSHADE for the FingerCode protocol, there is no valid way to split the protocol into an online and offline process, as the dimensions of the matrices are already involved in their fundamental components, such as the OT. Therefore, the comparisons in the tables that we listed should be considered as fair.

6. Conclusions

The tensor triple is a new kind of correlation that is very suitable for multi-dimensional MPC due to its high efficiency and pre-computability. It can be used to accelerate and optimize many existing privacy-preserving biometric identification protocols and privacy-preserving machine learning protocols, which mainly involve vector and matrix operations. Compared to the classical matrix method, the tensor triple method has the pre-computability property as required in many real-world applications, and, compared to the classical Beaver triple method, the tensor triple method obtains high efficiency in both computation and communication.