Question about semi-honest BMR with honest majority and the role of Shamir in shamir-bmr-party.x

[jieyemeixiao]

Hi,
Thank you for the impressive work on MP-SPDZ.
I have a question regarding the support for BMR protocols in the semi-honest setting with an honest majority (three or more parties).
From the documentation and the BMR table, we noticed the existence of the executable:

shamir-bmr-party.x

which is listed as:

• Protocol: Shamir
• Dishonest Maj: N
• Security: semi-honest (no malicious security)
• parties: 3 or more

We would like to clarify the following points:

1. Does MP-SPDZ provide an implementation of the BMR protocol in the semi-honest setting under an honest majority assumption (n ≥ 3)?
2. What is the precise relationship between shamir-bmr-party.x and the standard BMR protocol?
3. In this construction, what role does Shamir secret sharing play?
   • Is Shamir sharing used to securely generate or distribute wire labels / masks?
   • Or is it used more generally as the underlying MPC protocol for evaluating the BMR garbling phase?
4. Conceptually, should shamir-bmr-party.x be understood as a BMR protocol instantiated on top of a Shamir-based MPC backend, or is it a different variant of BMR?

Any clarification or references to relevant documentation or papers would be greatly appreciated.
Thank you very much for your time and help.

[mkskeller]

• Does MP-SPDZ provide an implementation of the BMR protocol in the semi-honest setting under an honest majority assumption (n ≥ 3)?

Yes

• What is the precise relationship between shamir-bmr-party.x and the standard BMR protocol?

The implementation has been created for https://eprint.iacr.org/2017/981 and then extended to Shamir instead of SPDZ.

• In this construction, what role does Shamir secret sharing play?

  • Is Shamir sharing used to securely generate or distribute wire labels / masks?
  • Or is it used more generally as the underlying MPC protocol for evaluating the BMR garbling phase?

The BMR garbling phase generates wire labels/masks and garbled gates, so I don't see a difference between the two.

• Conceptually, should shamir-bmr-party.x be understood as a BMR protocol instantiated on top of a Shamir-based MPC backend, or is it a different variant of BMR?

The original BMR probably doesn't use free XOR because that's a later invention for garbled circuits. MP-SPDZ uses the BMR variant in https://eprint.iacr.org/2015/523.