Secret Sharing-based MPC vs. Garbled Circuits-based MPC

Secret Sharing-based MPC excels at high-throughput arithmetic operations because it operates directly on numerical shares over a finite field. For example, secure addition of vectors is essentially free (local computation), and secure multiplication requires a single round of communication, enabling linear layers in a neural network to achieve latencies on the order of milliseconds per operation in a 3-party setting. This makes it the go-to protocol for efficiently computing large dot products and matrix multiplications common in training and inference. For a deeper dive into how these protocols enable private training, see our guide on PPML for Training vs. PPML for Inference.

Garbled Circuits-based MPC takes a fundamentally different approach by representing the computation as a boolean circuit, which is then encrypted and evaluated gate-by-gate. This results in a trade-off: while it is exceptionally efficient for non-linear functions like comparisons (ReLU, MaxPool) and bitwise operations—often requiring only two rounds of communication regardless of circuit depth—it becomes prohibitively expensive for pure arithmetic on large numbers. The communication overhead scales with the number of AND gates in the circuit, making a single 32-bit multiplication thousands of times more costly than in secret sharing.

The key trade-off is between arithmetic efficiency and non-linear efficiency. If your priority is linear algebra on large datasets (e.g., logistic regression, linear layers), choose Secret Sharing-based MPC. Its low communication rounds for multiplication make it scalable. If you prioritize complex decision logic and activation functions (e.g., tree-based models, ReLU networks), choose Garbled Circuits-based MPC. Its constant-round complexity for boolean circuits provides a decisive advantage. For a broader view of how MPC fits into the privacy landscape, consider the strategic choice between Secure Multi-Party Computation (MPC) vs. Federated Learning (FL).

Secret Sharing-based MPC excels at efficient, high-throughput arithmetic operations because its core protocols (like Beaver's triples for multiplication) are optimized for linear algebra. For example, in a secure training scenario for a linear regression model, secret sharing can achieve communication costs that scale linearly with the number of multiplicative gates, often resulting in latencies under 100ms per layer for large matrix multiplications within a data center. This makes it the default choice for privacy-preserving training of neural networks where operations are dominated by additions and multiplications.

Garbled Circuits-based MPC takes a different approach by securely evaluating any boolean circuit. This strategy results in a fundamental trade-off: exceptional performance for non-linear functions like comparisons (ReLU, MaxPool) and cryptographic hashes, but significant communication overhead for basic arithmetic. A single AES-128 evaluation via garbled circuits can be extremely fast, but the per-gate communication cost (typically 2 ciphertexts, ~256-512 bits) makes it inefficient for deep learning's voluminous arithmetic workloads when used in isolation.

The key trade-off is between computational primitive and network tolerance. If your priority is privacy-preserving training of deep neural networks on continuous data (e.g., healthcare imaging), choose Secret Sharing-based MPC. Its efficiency for arithmetic directly maps to the dominant operations in ML. If you prioritize securely evaluating complex boolean logic or decision trees (e.g., privacy-preserving credit scoring with many threshold comparisons), or require constant-round protocols for high-latency networks, choose Garbled Circuits-based MPC. For a complete system, the optimal solution often involves a hybrid protocol, using secret sharing for linear layers and garbled circuits for activation functions, as explored in our guide on MPC-based Federated Learning vs. DP-based Federated Learning.