Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Every privacy tool you'll meet — ZK, FHE, TEEs, differential privacy, MPC — solves a slightly different problem. MPC's specific job is to let n parties jointly compute f(x_1, …, x_n) while each party learns only the output. The thing being replaced is a trusted third party: instead of Alice and Bob handing their inputs to a trusted referee, they run a protocol that gives the same answer with no referee in the room. This is not a theoretical luxury — auctions, genomic research consortia, cross-bank AML checks, and ad-measurement all ship in production today specifically because the trusted referee either doesn't exist, can't be paid enough, or is the regulator.
Additive secret sharing: split Alice's and Bob's wealth across three parties so that no single party can reconstruct either value. The three parties locally subtract their shares of (alice − bob) and reconstruct only the sign — the result of the comparison — without any party ever seeing the raw numbers.
# Yao's Millionaires via 3-party additive sharing (semi-honest, no ZK).
# Each party i holds share s_i; only the SUM of all three shares equals the secret.
# No party can reconstruct the secret alone — the security is information-theoretic.
import secrets
P = (1 << 127) - 1 # Mersenne prime field
def share(x: int) -> tuple[int, int, int]:
"""Split x into 3 additive shares mod P."""
s1 = secrets.randbelow(P)
s2 = secrets.randbelow(P)
s3 = (x - s1 - s2) % P
return s1, s2, s3
def reconstruct(s1: int, s2: int, s3: int) -> int:
return (s1 + s2 + s3) % P
def sign_over_field(v: int) -> str:
"""Interpret a field element in two's complement over P."""
if v == 0: return "tie"
elif v < P // 2: return "alice" # alice - bob > 0
else: return "bob" # alice - bob < 0 (wrapped)
# ── Inputs (each party only knows their own secret) ───────────────────────
alice_wealth = 1_000_000
bob_wealth = 5_000_000
a1, a2, a3 = share(alice_wealth)
b1, b2, b3 = share(bob_wealth)
# ── Local subtraction: no new communication needed (linearity of sharing) ─
diff_shares = ((a1 - b1) % P, (a2 - b2) % P, (a3 - b3) % P)
# ── Reconstruct only the SIGN; no party learns the actual values ──────────
diff = reconstruct(*diff_shares)
result = sign_over_field(diff)
print(f"Result: {result}") # -> bob
print(f"Party 1 sees: alice_share={a1} (looks random)")
print(f"Party 2 sees: alice_share={a2} (looks random)")
print(f"Party 1 learns ONLY the comparison result — not Bob's net worth.")python3 main.pyalice_wealth = bob_wealth. Notice the tie case — in a real sealed-bid auction, ties need a tie-breaking rule baked into the circuit. Whose problem is that?Use these three in order. Each builds on the one before.
In one paragraph, explain what multi-party computation is to someone who knows 'encryption' as 'the thing that turns text into scrambled text'. Use Yao's Millionaires as the running example and be explicit about which party learns what at each step.
Walk me through, step by step, the difference between (a) Alice and Bob using a trusted third party, (b) Alice and Bob using homomorphic encryption, and (c) Alice and Bob running an MPC protocol. What is each participant doing, and what does each participant learn? Name the point in each story where trust is placed.
I have [describe your scenario: e.g. two hospitals wanting to find overlapping patient IDs without sharing rosters]. Tell me honestly: is MPC the right tool, or am I reaching past simpler options (contractual data-sharing, hashes, differential privacy, a trusted escrow)? Walk through each alternative and name where it fails for my case.