What's the pros and cons of Binary Secret Sharing compare to Garbled Circuits?

[ntlm1686]

I see many papers are using Garbled Circuits instead of Secret Sharing. Why did they use the costly GC instead of SS?

[mohammad-alrubaie]

I think there are multiple factors that would motivate any researcher/engineer to use one secure computation technique over another. After all, each method has its benefits, drawbacks, and scenarios in which it shines. Some of these factors is threat model or problem setting, where is the data? how is it distributed (vertically or horizontally)? and who is trying to train the model? ... etc For instance, is the data distributed across small number of parties, where secret sharing may shine, or do we have too many parties where communication cost may be an issue, in which case, should we use federated learning and have some secure aggregation protocol in place. Does one party have all the data, and want to delegate the computation to an untrusted server, in which case secret sharing may not be your best choice, and you might want to use garbled circuits or a protocol based on FHE. So, you always start by analyzing the problem setting, and threat model, and then see which techniques can help.

[ntlm1686]

Hi @mohammad-alrubaie , really appreciate your answer. As the CrypTen's paper says, CrypTen and systems like Delphi and GAZELLE all assumes a semi-honest threat model, why would GC works better than SS when

one party have all the data, and want to delegate the computation to an untrusted server, in which case secret sharing may not be your best choice

Could you please me more specific on the situation that GC is better than SS? My current understanding is that GC is more secure when 1 party is corrupted, and SS cannot ensure security in this situation. Please correct me if it's wrong.