Faster Development and Benchmarking of Cryptographic Protocols

Axel Schröpfer, Florian Kerschbaum, Debmalya Biswas, Steffen Geißinger, and Christoph Schütz

SAP Research Karlsruhe, Germany
{axel.schroepfer, florian.kerschbaum, debmalya.biswas, steffen.geissinger, christoph.schuetz}@sap.com

Abstract. Secure Multi-party Computation (SMC) enables secure distributed computation of arbitrary functions of private inputs. Multiple techniques for SMC have been well studied and can be applied within cryptographic protocols, leading to large and complex protocols. Their implementation is difficult for an average programmer to understand, time-consuming and potentially prone to errors. We introduce a new programming language dedicated to cryptographic protocols, which speeds up their implementation, the deployment of the running software, and furthermore provides integrated support for benchmarking.

1 Introduction

In many situations, especially in business contexts, multiple parties would like to compute a common function of their private inputs. Suppose several business partners of a supply chain wish to create an optimal supply chain master plan as in [7]. The master plan recommends the amount of products to be manufactured and the routes and times of shipping, in order to end up with minimal total costs of the supply chain. This computation requires the partners to expose sensitive business data (e.g., production costs and capacities) to a central planning unit, i.e., to trust it. Although there will be a benefit due to reduced costs, the business partners are reluctant to share their sensitive data with others, since they are very risk averse. Sharing their business data leads to potential risks, e.g., a loss in bargaining power. Secure Multi-party Computation (SMC) can overcome this risk by providing a privacy-preserving solution to the computation.

SMC allows a set of $n$ players, $P = P_1, \ldots, P_n$, to jointly compute an arbitrary function of their private inputs, $f(x_1, \ldots, x_n)$. The computation is privacy preserving, i.e., nothing is revealed to a player beyond what is inferable from his private input and the outcome of the function. A cryptographic protocol is then run between the players in order to carry out the computation. Even if there are adversarial players, the constraints on correctness and privacy can be proven to hold under well-stated settings. These settings consider the type of adversary as well as his computing power, which can be bounded or unbounded. An adversary can be passive, i.e. following the protocol correctly but trying to learn