Hello everyone, today I would like to talk about my work on two-round SPS MPC, where SPS stands for super-polynomial simulation. This is joint work with James Bartusek, Vipul Goyal, Dakshita Khurana and Giulio Malavolta. Let me start by describing the setting of MPC. Here we have a bunch of parties, each with their private inputs, and their goal is to compute some function C on their private inputs by interacting with each other. The adversary might corrupt some subset of these parties, and we want the security guarantee that the adversary should not learn anything about the honest parties' inputs apart from what it can learn from the output of the functionality. The type of adversary that we are interested in is a polynomial-time adversary with arbitrary static corruptions, malicious behavior and a dishonest majority. There is a long line of work targeting this kind of setting. In this paper we are mainly focused on the round complexity of MPC. In the MPC setting a round is defined in the simultaneous message exchange model, where every party can simultaneously send its next-round message to all other parties in every round. The reason why we should study round complexity is that, from a quantitative aspect, rounds correspond to network latency in real-world distributed protocols, and from a qualitative aspect, studying round complexity helps us understand the relationships between different aspects of protocol design, like hardness assumptions and the respective security guarantees.

So let me now give you a brief timeline of the progress that has been made on the round complexity of MPC. First, in the 80s, we have the two-party garbled circuits protocol by Yao and the polynomial-round protocol in the MPC setting by Goldreich, Micali and Wigderson. Then in 96 Goldreich and Oren showed the impossibility of simulation security in two-round protocols.
Then there was a line of works by Pass, Katz, Ostrovsky, Smith and Goyal that showed how to do constant-round MPC. In 2016 there was an impossibility result by Garg, Mukherjee, Pandey and Polychroniadou, building on the earlier impossibility result by Katz and Ostrovsky, which showed that three-round black-box simulation for MPC is impossible. Then recently there was this work by Choudhuri, Ciampi, Goyal, Jain and Ostrovsky which showed a four-round MPC protocol based on the minimal assumption of OT. Given these works, it's natural to ask whether we can go below four rounds. But as you might notice, because of these two impossibility results we cannot do so without relaxing something. So there have been some works in 2017, especially the works by Badrinarayanan, Garg, Ishai, Sahai and Wadia and by Jain, Kalai, Khurana and Rothblum, which showed how to do two-round malicious MPC using super-polynomial simulation, but with one-sided output, one-sided meaning that only one of the parties can receive the output after two rounds. Then in 2018 there were the works by Garg and Srinivasan and by Benhamouda and Lin which showed how to do two-round MPC using just OT, but their protocols are only secure against semi-honest or semi-malicious adversaries. In our work we show how to do a two-round maliciously secure MPC protocol using SPS simulation where all parties can receive the output at the end of round two. To motivate what super-polynomial simulation is, let me first describe standard simulation in the real/ideal paradigm. We say that the protocol in the real world is secure if the adversary's view can be simulated by an ideal-world simulator which only has access to the ideal functionality and the adversary. We want the guarantee that the real view should be computationally indistinguishable from the simulated ideal-world view, and the restriction that we place on the simulator is that it should run in polynomial time.
So this is the standard simulation paradigm. In SPS simulation we have the same real/ideal paradigm, but we allow the simulator to run in super-polynomial time. The reason why this is meaningful is that in some cases the ideal functionality itself is secure against super-polynomial adversaries. Here we still want the security guarantee that the real view should be computationally indistinguishable from the ideal-world view, where the ideal-world view is being simulated by a super-polynomial simulator. So note that our goal is to construct a two-round maliciously secure MPC protocol in the plain model. We will begin by making some useful observations about any two-round MPC protocol in general. First of all, the syntax of a two-round MPC protocol looks like the following. Alice and Bob have their private inputs; here I'm just illustrating it for two parties, but everything that I say also extends to multiple parties. In the first round they simultaneously exchange their first-round messages with each other, and in the second round they exchange their second-round messages. Note that after this both parties can reconstruct and output the output of the function on their private inputs. Also note that in this model we allow the adversary to be rushing: in any round the adversary can hear the honest parties' messages first and then reply back. So first of all, note that if Bob sends a malformed first-round message and Alice continues to run the protocol, then it might so happen that Bob can not only output the result of the function but also gain some extra information about Alice's private input. The basic observation here is that Alice should validate the round-one message of Bob before sending her round-two message. One straightforward solution is that, in addition to sending the round-one message, we also ask the parties to send a zero-knowledge proof attesting to the correctness of the first-round message.
By correctness here I mean that the messages should be in the support of the honest parties' distribution. Then we require parties to first validate each other's proofs before sending over their second-round message to each other, and this will ensure that the parties only learn the output of the function on their private inputs and nothing else. But the problem is that such one-round zero-knowledge proofs, also called non-interactive zero-knowledge proofs, require a CRS or common reference string, which is a long string that everyone has public access to in the sky. The bad part is that generating such a CRS requires some kind of trusted setup assumption. For example, you might have heard of CRS ceremonies being conducted in cryptocurrency domains to bootstrap such CRS-based protocols. Ideally we would want to remove the need for such a CRS. The natural question to ask is: can we still do two-round MPC protocols in the plain model, which doesn't require any trusted setup phase for generating such a CRS? That requires us to ask: can we have an alternative to zero-knowledge proofs which does not require setup? For example, suppose Alice and Bob exchange their first-round messages. We are asking: is it possible for Alice to lock her second-round message in a box in such a way that the box can be opened by Bob only if Bob's first-round message was valid? If we have such a magical box then Alice can send this box over to Bob, and if Bob was indeed behaving honestly in his first round then he would be able to open this box up and retrieve Alice's second-round message. However, if Bob's first-round message was invalid or malformed then Bob won't be able to open the second-round message of Alice. With that, we observe that there is an existing primitive in the literature called conditional disclosure of secrets which does precisely this.
In this setting we have a sender holding a secret message M and some public NP instance X', and a receiver holding a potential witness W'. An NP relation captures the valid pairs of instances and witnesses. The functionality that CDS achieves is that it allows the sender to transfer M to the receiver if the instance and witness pair is valid. Typically CDS is a two-round protocol between the receiver and the sender which guarantees the following. Correctness ensures that if the witness is correct then the receiver retrieves the message. Sender security says that if the instance is not in the language then the sender's message is hidden. Receiver security says that the sender cannot distinguish between two possible choices of witness that might have been used by the receiver; this is a sort of witness-indistinguishability kind of hiding on the receiver's side. Now there is a challenge, though, in using such two-party CDS protocols in the MPC setting, and let me illustrate that. Imagine that there are three parties, Alice, Bob and Charlie, and they are trying to do an MPC. Also note that in such a setting all the messages that are being exchanged are identical: Alice's messages to all other parties are identical, and so is the case for all other parties. In the first round Alice exchanges a first-round message, and here I am omitting the communication between Bob and Charlie just for illustration purposes. So Alice exchanges a first-round message with Bob and Charlie and then sends over a second-round message locked up in these special CDS boxes. Now if Bob and Charlie are both corrupt, what can happen is the following. Charlie sends a malformed first-round message and Bob sends a valid first-round message. If that happens, then although Charlie won't be able to retrieve Alice's message by unlocking this box, Bob would be able to do so because Bob's first-round message was valid.
So he would be able to open the box and retrieve Alice's second-round message. And if Bob and Charlie are colluding with each other, then together, in collusion, they have retrieved Alice's second-round message. This is bad in a setting where the adversary might corrupt a dishonest majority of the players. In such an MPC setting we want that Alice's second-round message should be transferred to all other players only if the round-one messages of all other players were valid at the same time. With that, we formalize the notion of multi-party conditional disclosure of secrets in this paper, which we denote MCDS for short. Here we have a sender with a message M and multiple receivers, each with their witnesses and instances, and an NP relation captures the set of valid pairs of instances and witnesses. The functionality that we want to achieve is the following: we want that the sender's message M should be transferred to all the receivers if all the instance and witness pairs were valid.

Now in our paper we provide an approach for constructing such an MCDS primitive in the following way. This is just the high-level approach and I'll go into the details later. We first start off with the primitive called witness encryption for NIZK of commitments in the CRS model, given in the paper by Benhamouda and Lin from 2020. This is based on the SXDH assumption on bilinear groups. We take that and we remove the CRS in the protocol by using NIWIs from Groth, Ostrovsky and Sahai in 2006, and therefore we get two-party CDS with the public reconstruction property in the plain model. Here we also inherit the DLIN assumption on bilinear groups. Once we have this two-party CDS with the public reconstruction property, we leverage this public reconstruction property to get multi-party CDS in the plain model by secret sharing the sender's message across different two-party CDS sessions.
Let me now start by describing what this primitive, witness encryption for NIZK of commitments, is. In this paper by Benhamouda and Lin, they show how commitments and proofs can be generated in a dual-mode CRS setting, where the CRS can have two different computationally indistinguishable modes. One is the binding mode, and in this mode the commitments are perfectly binding and the zero-knowledge proofs are perfectly sound. In the hiding mode, the commitments are perfectly hiding and equivocal using some trapdoor tau underlying the CRS, and we have computational zero knowledge. In their scheme they support the generation of NIZK proofs of statements of the following form, asserting that some commitment string C commits to some value V such that some circuit, when applied to the value V, results in an output Y. They show how to generate zero-knowledge proofs validating such assertions. Now, in their paper they add a witness encryption property on top of this commitment and proof scheme. Witness encryption is nothing but a form of one-round CDS protocol where the sender can encrypt his message M with respect to some NP statement to create a ciphertext C such that C is decryptable by the receiver only using a valid NP witness W. In their paper they construct a special kind of witness encryption scheme where the ciphertext C can be decrypted using any valid NIZK proof pi, instead of the standard setting where we decrypt using a witness W. This special property, where the ciphertext C is decryptable using the proof pi, will enable public reconstruction and will be crucial in creating the MCDS primitive in our paper. So now let me give an illustration of what their primitive looks like. We have a sender with a secret message M and a receiver with a potential witness W. In the real world the CRS will be in binding mode. The receiver, as a first step, will generate a commitment to its witness using the CRS and send it over to the sender.
Then at a later phase the receiver puts up a claim saying: here, sender, the witness that I committed to, when applied to the public circuit C, will result in this output Y. The sender can now say: okay, I will encrypt my message M with respect to the circuit and your commitment, create the ciphertext C and send it over to the receiver. The receiver can now derive a NIZK proof pi validating his earlier claim and then use this proof pi to decrypt the ciphertext C and retrieve the message M. Now the crucial property here is that these ciphertexts can be decrypted just using a valid proof pi, and crucially it doesn't need any private state. So although the receiver needs some private state to derive this proof, once the proof is derived the decryption can be done using just the public proof pi. Looking ahead, a receiver might even send his proofs over to other receivers and help them decrypt the ciphertext C without compromising the security of his own witness. Now our approach is the following: we create two-party CDS with the public reconstruction property in the plain model by removing the need for an offline CRS in the Benhamouda-Lin witness encryption scheme. The high-level idea is as follows: we allow the prover to self-sample two CRS strings in a way such that one of them is guaranteed to be in binding mode, and the prover is then required to provide valid NIZK proofs under both CRS strings. The security intuition here is that since one of the CRSs is guaranteed to be in binding mode, the soundness of the binding CRS will ensure the overall soundness of the protocol. Receiver security holds because in the security proof we can switch one of the CRSs from binding mode to hiding mode and then switch from one witness to the other, and this will ensure a witness-indistinguishability style of hiding on the receiver's side. Now let me give an illustration of how our compiler looks.
As a first step, the receiver self-samples two CRS strings in binding mode and generates commitments to his witness under both of these CRSs individually. Then it generates a NIWI proof validating the following claim: one of the CRSs is in binding mode and the respective commitment is valid. Then it sends over the CRS strings, the commitments and the proof to the sender. Later, when there is a claim stating that the circuit C applied on witness W' results in the output Y, the sender will first check whether the NIWI proof was valid. If the NIWI proof was valid, the sender will split his message M into two shares M1 and M2, individually witness-encrypt both these shares under the CRSs and commitments, and send these two ciphertexts over to the receiver. The receiver can now generate proofs under both these CRS strings and then, using these proofs, witness-decrypt each of the two shares. Then by XORing the shares together it can retrieve the message of the sender. Once we have this two-party CDS with the public reconstruction property, we can derive an MCDS protocol in the following way. The main idea is for the sender to split his message M into two shares M1 and M2 and then use two two-party CDS protocols in a black-box way. The sender locks up each of the shares in a two-party CDS box, and at the same time the receivers can derive proofs from their private witnesses. Now the sender can send over these CDS boxes to both the receivers, and at the same time the receivers can exchange their proofs with each other. In the end the receivers have received the two-party CDS boxes from the sender and have also exchanged their proofs with each other. Now they can use these proofs to locally decrypt each of the two-party CDS boxes to retrieve the shares of the message and then XOR them together to retrieve the sender's secret message M. With that, we finally construct the following MCDS primitive, which has the following guarantees.
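As an added illustration (not code from the paper or the talk), here is a toy Python model of the MCDS composition just described, run on the Bob-and-Charlie collusion scenario from earlier: a two-party CDS box locked to an instance, a proof token that opens the box without exposing the witness, and the XOR secret sharing across one CDS session per receiver. The discrete-log relation, the hash-based key derivation and the proof token are stand-ins I chose for the demo, not the pairing-based witness encryption of the actual construction; the sharing step is written for any number of receivers, not just two.

```python
import hashlib
import secrets

# Toy group for the demo; the real construction works in pairing groups (SXDH/DLIN).
P = 2**255 - 19
G = 2
MSG = b"Alice second-round MPC message".ljust(32)  # constructed sample message

def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def i2b(n: int) -> bytes:
    return n.to_bytes(32, "big")

# Toy NP relation: instance x is valid iff the receiver knows w with x = G^w mod P.
def instance_of(w: int) -> int:
    return pow(G, w, P)

# Two-party CDS box: the sender locks a 32-byte share to instance x, knowing only x.
def cds_lock(x: int, share: bytes) -> tuple:
    r = secrets.randbelow(P - 2) + 1
    hint = pow(G, r, P)
    return (x, hint, xor(share, H(b"key", i2b(hint), i2b(pow(x, r, P)))))

# Stand-in for the proof pi of the talk: derived from w, it opens the box and can be
# handed to the other receivers without handing over w itself.
def cds_prove(box: tuple, w: int) -> bytes:
    x, hint, _ = box
    if instance_of(w) != x:
        raise ValueError("witness does not match instance")
    return i2b(pow(hint, w, P))

# Public reconstruction: anyone holding pi opens the box, no private state needed.
def cds_open(box: tuple, proof: bytes) -> bytes:
    _, hint, ct = box
    return xor(ct, H(b"key", i2b(hint), proof))

# MCDS: XOR-share M across one CDS session per receiver. After the receivers
# exchange proofs, each opens every box, but only if every receiver had a valid witness.
def mcds_send(m: bytes, instances: list) -> list:
    shares = [secrets.token_bytes(32) for _ in instances[:-1]]
    last = m
    for s in shares:
        last = xor(last, s)
    return [cds_lock(x, s) for x, s in zip(instances, shares + [last])]
def mcds_open(boxes: list, proofs: list) -> bytes:
    m = bytes(32)
    for box, proof in zip(boxes, proofs):
        m = xor(m, cds_open(box, proof))
    return m

# Honest Bob and Charlie both hold witnesses, exchange proofs, and recover M.
def honest_run(m: bytes = MSG) -> bool:
    w_b, w_c = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    boxes = mcds_send(m, [instance_of(w_b), instance_of(w_c)])
    proofs = [cds_prove(boxes[0], w_b), cds_prove(boxes[1], w_c)]
    return mcds_open(boxes, proofs) == m

# Colluding Bob (valid witness) and Charlie (malformed instance, no witness).
def collusion_run(m: bytes = MSG) -> dict:
    w_b = secrets.randbelow(P - 2) + 1
    x_c = int.from_bytes(H(b"no known witness"), "big") % P
    naive_box = cds_lock(instance_of(w_b), m)  # naive: a box per receiver holding all of M
    leaked = cds_open(naive_box, cds_prove(naive_box, w_b))  # Bob opens it for Charlie
    boxes = mcds_send(m, [instance_of(w_b), x_c])
    share_b = cds_open(boxes[0], cds_prove(boxes[0], w_b))  # share 2 needs Charlie's witness
    return {"naive_leaks": leaked == m, "mcds_leaks": share_b == m}
```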
Correctness ensures that if all the receivers have valid witnesses then all the receivers retrieve the message M from the sender at the end of round two. Sender security says that if even one of the instances is not in the language then the sender's message M is hidden from all receivers. Receiver security says that the sender's view is computationally indistinguishable between two possible choices of witnesses used by the receivers. I emphasize that the sender security here should hold even if some subset of receivers are colluding, and the receiver security should hold even if the sender is colluding together with some receivers. So now I'll show how we go from a two-round semi-maliciously secure MPC protocol to a two-round maliciously secure protocol by using this MCDS primitive. Recall that the basic structure of any two-round semi-maliciously secure MPC protocol looks like the following: in the first round parties exchange the first-round MPC messages, and in the second round they exchange the second-round MPC messages. So now we take such a two-round semi-maliciously secure MPC protocol and we just condition the transfer of the second-round MPC messages using the MCDS box, conditioned on the fact that the first-round message of the other party was valid. This almost works, but it's unclear how to simulate this kind of protocol, because the MCDS that we construct only provides a witness-indistinguishability style of hiding. To get simulation security we have to do a bit more work. What we do is use the Feige-Shamir trapdoor kind of paradigm, where we add a trapdoor phase in round one of the MPC. Each party samples a trapdoor, which is just a uniformly random string, and then sends a commitment to it to the other party. At the same time, each party takes a guess at what the other party's trapdoor might be.
For example, Bob here, in his blue commitment, is taking a guess at what the value underlying Alice's yellow commitment is. I'll refer to the yellow commitment as the commitment containing trapdoor information and the blue commitment as the commitment containing guess information. Now we modify the second round in the following way. We condition the transfer of the second-round MPC message on the fact that either the first-round MPC message was valid, or the guess commitment contains a value which is identical to the value underlying the commitment containing the trapdoor information, that is, the yellow one. We also require a special form of non-malleability between these yellow and blue commitments for the security proof to go through. At a very high level, in the real world parties won't be able to guess what the other party's trapdoor is, and so they will be required to stick to the honest protocol. But in the security proof the simulator can take correct guesses in super-polynomial time at what the adversary's trapdoor values are, and then take a different branch in the MCDS. A brief note on non-malleability. As I said, we have these two kinds of commitments, the yellow and the blue one. What we require is that it should not be possible to transfer any implicit information inside the yellow commitments to the values inside the blue commitments. This is needed in order to prevent an adversary from making correct implicit guesses about honest parties' trapdoor values. We also require that the blue commitments should be non-malleable with respect to themselves, and this is required in order for the security proof to go through: in one of the hybrids we switch the simulator from taking wrong guesses to taking correct guesses about the adversary's trapdoor, and we don't want the adversary to notice this change. With that, our final two-round MPC compiler looks like the following.
We start with existing two-round semi-maliciously secure MPC protocols in the plain model and the MCDS primitive that we construct in this paper. We combine these two by conditioning the transfer of the second-round MPC message on an NP relation which captures the correctness of the first-round MPC message. Then we add a trapdoor witness in the NP relation to upgrade from the WI style of hiding to a zero-knowledge style of hiding. In the end we finally achieve a two-round maliciously secure MPC protocol in the plain model with SPS simulation. This trapdoor part requires super-polynomial assumptions because the simulator in the security proof needs to guess the adversary's trapdoor by brute force. With that, our final result looks as follows. We show that there exists a two-round maliciously secure MPC protocol in the plain model with super-polynomial simulation assuming a bilinear group in which DLIN and SXDH are sub-exponentially hard. We use this assumption in order to instantiate the sub-exponentially secure versions of the Groth, Ostrovsky and Sahai NIWI and the BL20 Benhamouda-Lin witness encryption scheme. We also rely on two-round sub-exponentially secure MPC against semi-malicious adversaries, and this follows from instantiating known protocols like GS18 and BL18 with sub-exponentially secure two-round OT. The third assumption that we rely on is these special non-interactive non-malleable commitments, and in the paper we show two different possible instantiations for it. For a constant number of parties it follows from sub-exponentially secure time-lock puzzles and the sub-exponential quantum hardness of LWE. For a bounded polynomial number of parties it follows from the sub-exponential quantum hardness amplifiability of LWE, the sub-exponential hardness amplifiability of DDH and sub-exponentially secure one-message ZK. With that I conclude my talk. Thanks for listening.