The SPDZ protocol (pronounced "speeds") is a foundational secure multi-party computation (MPC) framework that allows a group of distrusting parties to compute an agreed-upon function—such as a sum, average, or a complex algorithm—while keeping their individual inputs private. It achieves this through a combination of secret sharing, where a secret value is split into random shares distributed among participants, and homomorphic encryption, which allows computations to be performed directly on the encrypted shares. The protocol's name originates from the initials of its key contributors (Smart, Passelegue, Damgård, and Zakarias) and its design for speed and efficiency.
LABS
Glossary
SPDZ Protocol
SPDZ is a family of cryptographic protocols for secure multi-party computation (MPC) that allows multiple distrusting parties to jointly compute a function over their private inputs while keeping those inputs confidential.
Chainscore © 2026
definition
CRYPTOGRAPHIC PROTOCOL
What is SPDZ Protocol?
SPDZ is a multi-party computation (MPC) protocol that enables multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other.
A core innovation of SPDZ is its preprocessing model, which separates the computation into two phases. In an offline preprocessing phase, parties collaboratively generate a large pool of correlated random data, known as Beaver triples, without knowing the actual data inputs. This computationally heavy step can be done in advance. The subsequent online phase is extremely fast, as parties use these pre-computed triples to perform secure additions and multiplications on their secret-shared data with minimal communication, making practical, real-time MPC feasible for many applications.
The security of SPDZ is information-theoretic in the online phase, meaning it is secure against computationally unbounded adversaries, provided a majority of parties are honest. It typically assumes an honest majority adversarial model. This robust security foundation makes it suitable for high-stakes scenarios like private auctions, secure data analytics across multiple organizations, and privacy-preserving machine learning where data sovereignty is critical. The protocol's design has inspired numerous subsequent MPC systems and libraries that implement its core principles.
etymology
PROTOCOL NAMING
Etymology and Origin
The SPDZ protocol, a foundational framework for secure multi-party computation, derives its name from the initials of its creators, who introduced it in a seminal 2012 paper.
The SPDZ protocol is named after its authors: Ivan Damgård, Valerio Pastro, Nigel P. Smart, and Sarah Zakarias. The name is a direct acronym formed from the first letter of each author's surname: Smart, Pastro, Damgård, and Zakarias. This naming convention is common in academic cryptography, where protocols are often identified by their creators (e.g., RSA, ElGamal). The original 2012 paper, "Multiparty Computation from Somewhat Homomorphic Encryption," established SPDZ as a major breakthrough, providing a practical method for performing computations on encrypted data distributed across multiple untrusted parties.
The protocol's development was rooted in addressing the performance limitations of earlier Multi-Party Computation (MPC) schemes. Prior to SPDZ, many MPC protocols required extensive interactive communication rounds for each basic operation (like an addition or multiplication), making them impractical for complex computations. The SPDZ authors' key innovation was to use a somewhat homomorphic encryption (SHE) scheme as a preprocessing tool to generate a large quantity of correlated randomness, known as Beaver triples, in an offline phase. This preprocessing dramatically reduces the online computation time, as parties can consume these pre-computed triples to perform secure multiplications with minimal interaction.
The evolution of SPDZ has led to a family of protocols, often referred to as the SPDZ family. Subsequent optimizations, such as SPDZ2 and MASCOT, improved efficiency and removed the need for expensive public-key operations in the offline phase. The core SPDZ paradigm—preprocessing (or offline phase) for generating cryptographic material and a fast online phase for execution—has become a standard architecture for high-performance MPC. Its design enables secure computation with active security, meaning it is resilient even if some participants deliberately deviate from the protocol, making it suitable for high-stakes financial, medical, and data analysis applications.
key-features
MULTI-PARTY COMPUTATION PROTOCOL
Key Features of SPDZ
SPDZ (pronounced 'speeds') is a foundational protocol for secure multi-party computation (MPC) that enables multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other.
01
Information-Theoretic Security
SPDZ provides information-theoretic (unconditional) security in the preprocessing model. This means that after an initial, input-independent setup phase, the online computation phase is secure against a computationally unbounded adversary controlling a dishonest majority of parties. The security does not rely on unproven cryptographic hardness assumptions.
02
Preprocessing (Offline) Phase
A core innovation is the separation into two phases. The offline (preprocessing) phase generates cryptographic material—like Beaver triples (secret-shared multiplications of random values)—independent of the actual inputs. This phase can be run in advance and is often the most computationally intensive, allowing the online phase to be extremely fast, involving only local additions and opening shares.
03
Active Security with Abort
SPDZ is secure against active adversaries (who can deviate from the protocol) corrupting up to n-1 parties. It guarantees that any cheating is detected, leading to the protocol aborting. This is achieved through information-theoretic Message Authentication Codes (MACs) on secret-shared values, which allow parties to verify the correctness of opened values.
04
Arithmetic Circuit Evaluation
The protocol is designed to evaluate functions represented as arithmetic circuits over a finite field or ring. It natively supports addition and multiplication gates on secret-shared values. Complex functions (e.g., comparisons, floating-point operations) must be compiled into this arithmetic circuit representation, which influences performance.
05
Secret Sharing Foundation
SPDZ uses linear secret sharing, typically additive secret sharing over a large field. Each party holds a share of every secret value. The sum of all shares reconstructs the secret. Operations are performed locally on shares: additions are free (local addition of shares), while multiplications require interaction using the precomputed Beaver triples.
06
The SPDZ Family & Evolution
SPDZ refers to a family of protocols. Key versions include:
- SPDZ1: The original, requiring a trusted dealer for preprocessing.
- SPDZ2 (MASCOT): Replaced the trusted dealer with Oblivious Transfer (OT) for secure preprocessing, making it fully decentralized.
- SPDZ2k: Operates over rings of the form ℤ₂ₖ, optimizing for binary operations. Later works like Overdrive and MP-SPDZ further improved efficiency and flexibility.
how-it-works
MULTI-PARTY COMPUTATION
How the SPDZ Protocol Works
An in-depth look at the SPDZ protocol, a foundational framework for secure multi-party computation (MPC) that enables multiple parties to jointly compute a function over their private inputs without revealing them.
The SPDZ protocol (named after its creators Smart, Paillier, and Damgård, with 'Z' for zero-knowledge) is a multi-party computation (MPC) framework that allows a group of mutually distrusting parties to compute an arbitrary function on their secret data. Its core innovation is a preprocessing phase that generates correlated randomness, such as Beaver triples, independent of the actual inputs and the function to be computed. This separation dramatically speeds up the online phase, where the actual secret-shared data is processed, making complex computations practical. The protocol provides active security, meaning it is secure against malicious adversaries who may deviate from the protocol, under the assumption that a majority of parties are honest.
Security in SPDZ is rooted in secret sharing and information-theoretic MACs (Message Authentication Codes). Each party's private input is split into additive secret shares distributed among all participants. Crucially, each share is accompanied by a MAC share, which collectively allows the group to verify the authenticity of the data during the computation without reconstructing it. This MAC key is also secret-shared, ensuring no single party knows it. The preprocessing phase uses homomorphic encryption (like the Paillier cryptosystem) to generate the necessary authenticated randomness securely, establishing a publicly verifiable setup that underpins the integrity of the entire computation.
The online phase is where the efficiency of SPDZ becomes apparent. With the precomputed Beaver triples, parties can perform multiplication of secret-shared values with only local operations and a single round of communication, as the triple absorbs the complexity. Linear operations like addition are essentially free. After computing the function on the secret-shared data, the parties reach the output phase. Here, they reconstruct the final result by combining their shares. The embedded MACs are simultaneously verified; if any party cheated by submitting an invalid share, the MAC check will fail with overwhelming probability, aborting the protocol without revealing the honest parties' inputs.
SPDZ's architecture has made it a benchmark and blueprint for practical MPC. Its influence is seen in subsequent protocols like MP-SPDZ, a comprehensive framework that implements SPDZ and its variants alongside other MPC paradigms. Real-world applications leveraging SPDZ's capabilities include private auctions, privacy-preserving machine learning on combined datasets from multiple hospitals or banks, and secure benchmarking where companies compute aggregate statistics without disclosing individual business data. The protocol demonstrates that cryptographically secure joint computation is not just theoretical but can be engineered for performance-critical tasks.
visual-explainer
PROTOCOL OVERVIEW
Visualizing the SPDZ Workflow
A step-by-step breakdown of the SPDZ protocol's operational phases, illustrating how it achieves secure multi-party computation (MPC) with malicious security.
The SPDZ protocol operates in a structured, two-phase workflow: a preprocessing (or offline) phase and an online computation phase. This separation is fundamental to its efficiency, as the computationally intensive cryptographic operations—primarily the generation of Beaver triples and other correlated randomness—are handled offline, before the actual data inputs are known. These precomputed materials are then consumed during the fast, online phase to perform arithmetic on secret-shared values with minimal communication overhead.
During the preprocessing phase, a set of parties collaboratively generate authenticated secret shares of random values, most notably multiplication triples (a, b, c) where c = a * b. This phase typically employs heavy public-key cryptography, such as homomorphic encryption or oblivious transfer, to create these correlated random shares without revealing any private information. The output is a pool of preprocessed data, independent of the actual inputs, which is stored for later use. This phase can be run in bulk during periods of low demand.
The online phase begins when the parties wish to compute a specific function on their private inputs. Each party secret-shares its input using a linear additive secret sharing scheme. The computation then proceeds gate-by-gate on these shares: addition gates are free (requiring only local addition of shares), while each multiplication gate consumes one preprocessed Beaver triple. Using the triple, the parties can compute a multiplication by revealing only masked values that contain no information about the original secrets, thanks to the randomness of a and b.
A critical component woven throughout the online phase is the MAC (Message Authentication Code) check, which provides active security against malicious adversaries. Every secret-shared value is accompanied by a secret-shared MAC key, ensuring data integrity. Before revealing the final output, the parties perform a global sacrifice or check protocol to verify that all MAC relationships held throughout the computation, aborting if any cheating is detected. This guarantees that even a malicious party cannot cause an incorrect output to be accepted.
To visualize a concrete example, consider three parties computing the function f(x,y,z) = x*y + z. They would: 1) Use preprocessed triples for the x*y multiplication, 2) Locally add the shares of z to the result of the multiplication, and 3) Perform a final MAC check before reconstructing the correct output. The entire online communication is proportional only to the size of the inputs and the circuit depth, not the complexity of the preprocessing cryptography, making it exceptionally fast for complex calculations.
security-model
SPDZ PROTOCOL
Security Model and Guarantees
The SPDZ protocol is a multi-party computation (MPC) framework that enables a set of parties to jointly compute a function over their private inputs while keeping those inputs secret. It provides information-theoretic security against a dishonest majority of corrupted parties.
01
Core Security Guarantee
SPDZ provides information-theoretic security in the preprocessing model. This means that after an initial, input-independent setup phase, the online computation phase is secure against an active adversary corrupting all but one of the participating parties. The security is based on secret-shared values and authenticated shares (MACs).
02
Preprocessing (Offline) Phase
This initial phase generates cryptographic material, such as Beaver triples (secret-shared multiplications), independent of the actual inputs. This phase can be computationally expensive but is executed once and stored. Its purpose is to enable efficient, information-theoretically secure operations in the online phase by providing pre-computed randomness and authentication data.
03
Online Computation Phase
During this phase, parties input their private data and perform the actual computation using the preprocessed material. Operations include:
- Linear operations (addition, scalar multiplication): Free and local.
- Multiplication: Requires consuming one pre-generated Beaver triple.
- Reconstruction: Opening a secret-shared value to all parties, verified by its MAC (Message Authentication Code). This phase is highly efficient and secure due to the offline preparation.
04
Authenticated Secret Sharing
SPDZ's security relies on additive secret sharing over a finite field, where a value x is split into shares [x]. Crucially, each share is accompanied by a global MAC (Message Authentication Code) [m], where m = α * x and α is a global secret key unknown to any party. This prevents malicious parties from submitting incorrect shares during reconstruction.
05
Adversarial Model
SPDZ is secure against a malicious (active) adversary that can corrupt all but one of the n parties. The adversary can deviate arbitrarily from the protocol. Security is guaranteed as long as the corrupted parties cannot forge the MACs, which is information-theoretically secure if the global MAC key α remains secret. This is a stronger guarantee than protocols secure only against passive (honest-but-curious) adversaries.
06
Applications & Context
SPDZ is a foundational protocol for practical Secure Multi-Party Computation (MPC). It is the basis for:
- Private smart contracts and blockchain computation (e.g., in some Layer-2 scaling solutions).
- Privacy-preserving data analytics across multiple organizations.
- Federated learning with formal privacy guarantees. Variants like SPDZ2k optimize for integer arithmetic, broadening its use cases.
examples
SPDZ PROTOCOL
Practical Applications and Use Cases
The SPDZ protocol, a foundational framework for Secure Multi-Party Computation (MPC), enables multiple parties to jointly compute a function over their private inputs without revealing them. Its primary applications span privacy-preserving data analysis, secure auctions, and confidential blockchain transactions.
02
Secure Auctions and Bidding
The protocol is ideal for implementing sealed-bid auctions where bid values must remain secret during and after the computation. SPDZ ensures:
- Bid Confidentiality: No party learns another's bid value, only the final winner and price.
- Correctness & Verifiability: The auction outcome is provably correct based on the secret inputs.
- Complex Rules: Supports complex auction types (e.g., Vickrey auctions) with privacy guarantees. This has direct applications in decentralized finance (DeFi) for liquidations and NFT sales.
03
Confidential Smart Contracts
SPDZ provides the cryptographic backbone for confidential smart contracts on blockchains, moving computation off-chain. This enables:
- Private State: Contract logic operates on encrypted or secret-shared data.
- Selective Disclosure: Outcomes can be proven (e.g., via zero-knowledge proofs) without revealing underlying data.
- Scalability: Heavy MPC computation is performed off-chain, with only a commitment and result posted on-chain. Frameworks like Ekiden and Keep Network have explored this architecture.
04
Secure Wallet and Key Management
SPDZ's MPC capabilities are used to create threshold signature schemes (TSS) for decentralized custody. This application involves:
- Distributed Key Generation (DKG): Multiple parties jointly generate a public/private key pair where no single party ever holds the complete private key.
- Signing Operations: Transactions are signed via an MPC protocol, requiring a threshold of parties (e.g., 2-of-3) to collaborate.
- Eliminating Single Points of Failure: This method removes the risk of a single private key being compromised, enhancing security for institutional crypto asset management.
05
Privacy in Machine Learning as a Service (MLaaS)
Clients can submit encrypted data to a cloud ML service, which runs predictions or training using SPDZ, ensuring the service provider never accesses the raw data. This solves critical trust issues in cloud computing:
- Model Privacy: The service's proprietary model parameters can also remain hidden from the client.
- Data Sovereignty: Enables analysis of data that cannot legally or ethically leave a secure environment (e.g., government or healthcare data).
- Auditable Computation: The integrity of the computation can be verified by all participating parties.
06
Secure Financial Calculations
Banks and financial institutions use SPDZ-like protocols for collaborative risk analysis and fraud detection without pooling sensitive customer data. Specific applications include:
- Credit Scoring: Computing a joint credit score based on data from multiple lenders without sharing individual loan books.
- Anti-Money Laundering (AML): Banks can collaboratively screen transactions against a combined watchlist without revealing their own client lists to competitors.
- Portfolio Analysis: Fund managers can compute exposure to a shared counterparty without disclosing their full portfolio holdings.
ecosystem-usage
SPDZ PROTOCOL
Ecosystem Usage and Implementations
The SPDZ protocol is a foundational framework for secure multi-party computation (MPC), enabling multiple parties to jointly compute a function over their private inputs without revealing them. Its core implementations focus on privacy-preserving smart contracts and confidential blockchain transactions.
01
Core Cryptographic Engine
SPDZ operates as a preprocessing-model MPC protocol, separating computation into two phases. First, an offline phase generates correlated randomness (like Beaver triples) independent of the actual inputs. Second, an online phase uses this precomputed material to perform fast, input-dependent computations with information-theoretic security, making the online operations extremely efficient.
02
Privacy-Preserving Smart Contracts
SPDZ enables the execution of confidential smart contracts where contract logic is processed on encrypted data. This allows for use cases like:
- Private auctions where bids remain secret.
- Confidential voting mechanisms.
- Cross-organizational data analysis (e.g., fraud detection) without sharing raw data. Platforms like Enigma (now Secret Network) pioneered this application using adapted SPDZ concepts.
03
Threshold Signatures & Key Management
The protocol's MPC foundation is used to implement threshold signature schemes (TSS). Multiple parties can collaboratively generate a signature or decrypt a message without any single party ever reconstructing the full private key. This provides superior security for:
- Multi-sig wallets with distributed key generation.
- Confidential transaction authorization in enterprise blockchains.
- Secure asset custody solutions.
04
Implementation Variants: SPDZ-2 and MASCOT
The original SPDZ protocol has been optimized in subsequent papers. SPDZ-2 introduced better efficiency for reactive computations. The MASCOT protocol (Olempia et al., 2016) significantly improved the offline phase, making it practical over the internet with oblivious transfer instead of expensive public-key operations, which is a key enabler for real-world deployment.
05
Integration with ZK Proofs
SPDZ is often combined with zero-knowledge proofs (ZKPs) to create hybrid privacy systems. While SPDZ provides live computation on secret-shared data, ZKPs can be used to prove properties about private inputs (e.g., a balance is sufficient) without revealing them. This combination is powerful for building verifiable confidential DeFi applications.
06
Challenges & Active Research
Practical deployment faces hurdles:
- Communication overhead between parties can be high.
- Latency in the preprocessing phase for complex circuits.
- Robustness against malicious majority requires additional checks. Active research focuses on dishonest-majority protocols, better preprocessing, and hardware acceleration to improve scalability for blockchain-scale applications.
COMPARISON MATRIX
SPDZ vs. Other MPC Approaches
A technical comparison of the SPDZ protocol's core characteristics against other major categories of Multi-Party Computation (MPC).
| Feature / Characteristic | SPDZ Protocol | Garbled Circuits (Yao's Protocol) | Secret Sharing (Shamir's, BGW) | Homomorphic Encryption (FHE/SHE) |
|---|---|---|---|---|
Cryptographic Basis | Secret Sharing with MACs | Boolean Circuit Encryption | Polynomial Secret Sharing | Algebraic Homomorphism |
Communication Model | Rounds dependent on circuit depth | Constant rounds (typically 2) | Rounds dependent on function | Non-interactive (client-server) |
Preprocessing Phase | ✅ Required (offline) | ❌ Not required | ❌ Not required | ❌ Not required |
Active Security (Malicious Adversaries) | ✅ Yes (with sacrifice) | ✅ Yes (with cut-and-choose) | ✅ Yes (with verification) | ✅ Yes (by construction) |
Primary Computational Cost | Heavy offline, light online | Heavy communication & encryption | Moderate communication | Extremely heavy computation |
Scalability (Parties) | Suited for 2-N parties | Typically 2 parties | Suited for 2-N parties | Typically 2 parties (client-server) |
Typical Latency Profile | Low online, high offline | High per-gate latency | Moderate, round-dependent | Extremely high computation time |
Representation of Data | Arithmetic circuits over field | Boolean circuits (AND/XOR gates) | Arithmetic circuits over field | Encrypted ciphertexts |
MPC CLARIFIED
Common Misconceptions About SPDZ
The SPDZ protocol is a foundational framework for secure multi-party computation, but its technical nature often leads to confusion. This section addresses frequent misunderstandings about its capabilities, security model, and practical applications.
SPDZ is a framework for secure multi-party computation (MPC), not a single, fixed protocol. The name refers to a family of protocols that share a common, efficient preprocessing model. The core innovation of SPDZ is its separation into an offline phase (preprocessing) and an online phase (computation). The offline phase, which is independent of the specific function to be computed, generates correlated randomness (like Beaver triples) and is typically the performance bottleneck. The online phase uses this precomputed material to execute the desired computation with minimal communication and high speed. Different instantiations of SPDZ use various cryptographic assumptions (e.g., homomorphic encryption, oblivious transfer) to implement the preprocessing, making it a versatile blueprint rather than a monolith.
SPDZ PROTOCOL
Frequently Asked Questions (FAQ)
The SPDZ protocol is a foundational framework for secure multi-party computation (MPC). These questions address its core concepts, applications, and relationship to blockchain technology.
The SPDZ protocol is a secure multi-party computation (MPC) framework that allows multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other. It works by using secret sharing and homomorphic encryption to distribute data into encrypted shares. During computation, parties perform operations directly on these shares. A final reconstruction phase combines the results to reveal the output, but never the original private data. The protocol's security relies on a pre-processing phase that generates correlated randomness (like Beaver triples), which is consumed during the online computation phase to enable efficient multiplication of secret-shared values.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall