So thank you everyone for tuning in. Today I'll be presenting the paper "Revisiting Fairness in MPC: Polynomial Number of Parties and General Adversarial Structures."

So let me start by giving a brief overview of fairness in multi-party computation. So informally, what it means to achieve fairness is to prevent a subset of malicious parties from aborting the protocol early, receiving the output of the functionality, while preventing the honest parties from learning the output. In the ideal/real formalization, it means that in the ideal model, there are two stages. First, the parties send their inputs to the ideal functionality. In this stage, parties can still cause an abort to occur. In the second stage, all the parties get their output simultaneously, and no party can cause another party to not receive its output.

So let's see what's known in terms of MPC with fairness. So without an honest majority, there are some functions that cannot be computed fairly. Cleve showed that fair coin tossing is impossible when n/2 out of n parties are fail-stop, which means they behave honestly, but may abort early. There is also work on fairness for general adversarial structures. So what is an adversarial structure? So an adversarial structure A is a set of sets, and the adversary is allowed to corrupt any set S of parties that is contained in A. The set Q2 is a set of adversarial structures, and it consists of those structures A for which no two sets in A cover the entire set of parties N. Hirt and Maurer presented an inefficient information-theoretically secure protocol for fail-stop adversaries for all adversarial structures in Q2. And on the flip side, they showed it is impossible to achieve even computational fairness for all functionalities for adversarial structures that are not contained in Q2. So Q2 is essentially the analog of honest majority for the case of general adversarial structures.
For the rest of the talk, I'm going to be focusing on fairly computing functionalities F without honest majority. So we cannot hope to do every functionality F, but we'll see that there are some functionalities that we can compute without honest majority, or more generally with adversarial structures that are outside of this set Q2.

So let's look briefly at what can be done in the two-party setting. So nontrivial functions that can be computed fairly without honest majority were first discovered by Gordon et al. in their breakthrough result. And subsequently, there was a lot of follow-up work on this. By now, the two-party setting is quite well understood, with a full characterization of the necessary and sufficient conditions for fair computation of large classes of functionalities.

What is the situation for the multi-party setting? So prior to our work, it was known how to compute the AND and OR functionalities with any polynomial number of parties and up to n - 1 corruptions. It was also known how to compute the majority function with three parties and up to two corruptions. And a more general result showed that for functions F with logarithmic number of parties and up to n/2 corruptions, assuming that every partition, every (n/2, n/2) partition of F can be fairly computed efficiently in the two-party setting, F can be computed fairly in the multi-party setting with up to n/2 corruptions. So in summary, prior to our work, efficient protocols achieving fairness with no honest majority and polynomial number of parties were known only for the AND and OR functionalities.

So due to this, the high-level question that motivated our work was to actually consider pairs of adversarial structures and functionalities, and to characterize the pairs (A, F) for which we can obtain fair protocols, where that adversarial structure is not contained in the set Q2 and F is an n-party functionality.
And we give some partial answers in this work that I'll be talking about today. But in general, I believe that this is an interesting research direction for future work.

So I'll be talking about two main results. Our first result is for functions F that are symmetric functions. So that means that the output of F depends only on the number of ones in the input. And additionally, this means that we can express big F on n inputs as a two-input functionality little f, where the first input of little f is the sum of the first half of the inputs of big F, and the second input of little f is the sum of the second half of the inputs of big F. Assuming there is an efficient protocol computing little f fairly in the two-party setting, then for any polynomial number of parties, we show that there is an efficient protocol for computing big F fairly in the n-party setting with up to n/2 corruptions.

Our second result pertains to majority. And we show that there is an efficient protocol for computing n-party majority fairly for any polynomial number of parties and with up to n/2 + 1 corruptions. And just to mention some extensions of these two main results. So the second result can be extended to tolerate up to n/2 + c corruptions for constant c. And both results can be extended to more general non-threshold adversarial structures, which I'll mention at the end of the talk.

So in part one, I'm going to be talking about our first result. And for simplification, we're going to be looking at protocols in what is called the dealer model. So this is a simplified model where you have a trusted party called the dealer. In each round, the dealer sends each party its output in case the other party aborts. We have r rounds of the protocol. And without loss of generality, we're going to be assuming that party P0 gets its output a_i before party P1 gets its output b_i.
Once we have a secure protocol in the dealer model, we can apply a standard transformation to go from the dealer model to the standard model.

So let me talk briefly about the prior results. So Asharov et al. showed a transformation from the two-party dealer model to the multi-party setting and at most n/2 corruptions, with some assumptions on the underlying functionality F. And just briefly, the way that their transformation works is that the dealer is going to compute, for every possible subset of the n parties of size n/2, it's going to precompute a transcript of a's and b's, where we assume that party P0 holds inputs x_i for i in S and party P1 holds inputs x_i for i in the complement of S. In addition, the dealer is going to compute a so-called inner secret sharing, which means that each a_{i,S} value is going to be secret shared across the set S. So a_{i,S} can only be reconstructed by all parties in set S, and b_{i,S-complement} is going to be secret shared across the set S complement for some, and then the dealer will be handing out the shares for every possible subset S.

For some intuition on why this is secure. First of all, if less than n/2 parties abort, this will be taken care of by the outer secret sharing scheme, which is something I will discuss later on in the talk. If exactly n/2 parties abort, then this is going to correspond to some subset S. And if set S aborts in round i, because of the inner secret sharing scheme, these parties can reconstruct only the values a_{i,S} or b_{i,S}, depending on if it's the P0 or P1 party. Alternatively, the remaining honest parties can reconstruct the matching view, either b_{i-1,S-complement} or a_{i,S-complement}. And so collectively, the honest parties and the corrupt parties reconstruct exactly one view of the underlying protocol. And that is how security is argued.

So what is the problem with this transformation?
So the obvious problem is that even if the underlying two-party protocol is efficient, once we enumerate over all possible two-partitions of size (n/2, n/2), this is going to cause an exponential blow-up. Ultimately, this means that we can only scale up to n equals logarithmic number of parties. We're talking about logarithmic in the security parameter lambda.

So our transformation is going to overcome this exponential blow-up, but only for the case where the function f is a symmetric function. So intuitively, in the case where f is a symmetric function, there are only going to be a small number of possibilities for inputs for the first and second party. So the way the protocol will proceed in the dealer model is that the n parties are going to submit their inputs x_i to the dealer. And the dealer is going to compute the sum of all their inputs. The output of the function now depends only on this sum x. So for a running example, let's assume the number of parties is six, and the sum of their inputs is four.

So at a high level, what the dealer is going to precompute is, it's going to precompute transcripts for all possible inputs for party P0. So in the case of n equals six parties, the inputs for P0 can be anything from zero to three. And all possible inputs for party P1, again, all possible values from zero to three. In some cases, we'll have a matching transcript. So for example, if party P1 holds the value one, it must be that party P3, party P1, holds the value three. And so the a_i's that the dealer precomputes for this case will be matching. On the other hand, there may also be some inputs that are impossible. So party P0 cannot possibly have zero ones, because we know that x equals four. Similarly for party P1. And so in this case, we are going to have dummy outputs a_1 to a_r.
In general, a_{i,z} is going to correspond to the situation that party P0 holds z number of ones and n/2 - z number of zeros. And similarly for b_{i,z}.

Now we're going to carefully choose an inner secret sharing scheme. And what this inner secret sharing scheme is going to guarantee is that for all rounds i in [r], the share for a_{i,z} can be recovered by a set of parties consisting of P0 and n/2 - 1 other parties who collectively hold z number of ones and n/2 - z number of zeros. So the shares of the jth party holding input b are denoted by s-tilde_{j,b,z,i}. So it depends both on the index of the party i, as well as the value b that the party's input corresponds to. And each party is going to get n/2 + 1 shares for n/2 + 1 different secret sharing schemes. And these shares will be denoted s-tilde_{b,z,i} for z in zero to n/2. And similarly, the same thing will be happening for the b_{i,z} values, except this will be for the set of n/2 parties other than P0.

So what are the key observations for why this is secure? Note that again, if less than n/2 parties abort, we're going to deal with it using the outer secret sharing scheme, which I will talk about on the next slide. If exactly n/2 parties abort in round i, then we'll have two cases. If P0 is one of these n/2 corrupted parties, then the corrupted parties can collectively open a single transcript a_{i,z}, where z is the number of ones that these parties hold. If P0 is not corrupted, the corrupted parties can collectively open a single transcript b_{i,z}, where again, z is the number of ones that these parties hold. On the flip side, if exactly n/2 parties abort in round i, then in case one, when P0 is corrupted, the remaining parties can collectively open the corresponding transcript b_{i-1,x-z}, where x - z is the number of ones that they hold.
And in case two, if P0 is not corrupted, the remaining parties can collectively open a single transcript a_{i,x-z}, where again, x - z is the number of ones that these parties collectively hold. And so again, similarly to the inefficient transformation of Asharov et al., the views and outputs of the corrupt and honest parties are going to correspond to exactly a single view and output in the underlying fair two-party protocol.

And just to mention how we convert from the dealer model to the standard model. So we use the outer secret sharing scheme. The basic idea is that every inner secret share is again shared using an (n/2 + 1)-out-of-n secret sharing scheme. What this allows us to do is, it says that if less than n/2 parties abort the protocol, the remaining parties don't care. They can simply continue simulating the protocol by simulating the dealer using the outer secret sharing scheme.

So what happens if we try to apply this technique to achieve security for more than n/2? So note that if we want to handle more than n/2 corruptions, then we must have that the honest parties can reconstruct some output, even if n/2 + 1 parties abort. Otherwise, things are hopeless. But in turn, because we don't know which n/2 + 1 parties will be corrupt, this means that any set of n/2 - 1 parties must be able to reconstruct their output shares. And if there are n/2 + 1 corruptions, what this means is that the corrupted parties can now open multiple outputs, because there will be many subsets of size n/2 - 1 among the n/2 + 1 corrupted parties. And in turn, this means that they'll be able to learn information about more than a single transcript of the underlying fair protocol.
Additionally, if n/2 - 1 parties abort, the remaining parties can reconstruct multiple outputs, because there are n/2 + 1 remaining parties and multiple sets of n/2 - 1 parties can reconstruct their output. And now they don't know which is the right value to output.

So in part two, I'll talk about how to overcome these problems for the case of the majority function. And we will not be using the generic transformation here; we will be designing a specific protocol that will work for the majority function. So the basis for our multi-party protocol is the two-party geometric protocol of Gordon et al. And we're going to view it in the dealer model. So the way this protocol works is that it runs for r number of rounds. The dealer is going to choose a special round r* from a geometric distribution with parameter alpha. And the correct value f(x0, x1) is going to be outputted at rounds i that are greater than or equal to r*. For the prior rounds, the output that party P0 gets is the function f evaluated at its own input x0 and a random input x-tilde corresponding to the other party's input. And similarly, before round r*, party P1 gets outputs that correspond to f evaluated at its own input x1 and a random input x-tilde corresponding to the other party's input. And again, we can apply a standard transformation to go from the dealer model to the standard model.

So how do we transform the protocol of Gordon et al. to the multi-party setting? So similarly to the idea from before, the n parties are going to submit their inputs x_i to the dealer, and the dealer is going to compute the sum of the inputs. And again, in our example, we'll have n equals six parties, and the sum of their inputs will be x equal to four. The dealer is going to choose a random round r* from a geometric distribution with parameter alpha as before. But now it's going to precompute many of these values.
And essentially, since we want parties to be able to reconstruct when there are only two, three or four remaining parties, we'll have to consider the case of n' equal two, n' equal three and n' equal four. So for example, for n' equal two, we're going to compute the value a_{r,2,0}, which corresponds to the case where we have a set of n' parties, two parties, that hold zero number of ones and two number of zeros. And in this case, we're going to give it the output of f evaluated on its own input zero together with a random input for the other party. And similarly, we're going to do this for all possible inputs of subsets of size two, all possible inputs for subsets of size three, and all possible inputs for subsets of size four. And as before, for rounds that are greater than or equal to r*, all of the output values are going to correspond to the actual correct output of the function.

And now, similarly to before, we're going to choose a particular inner secret sharing scheme. And this inner secret sharing scheme is going to tell us that a_{i,n',z}, this share, can be recovered by a set of parties of size n' who together hold z number of ones and n' - z number of zeros. Shares of the jth party holding input b are going to be denoted by s-tilde_{j,n',z,i}. So its output share depends both on the party's index, as well as the input b that it holds. And each party gets n' + 1 shares for every n'.

So what are the key observations for why this protocol is secure? So if less than n/2 - 1 parties abort, again, we will deal with it using the outer secret sharing scheme. If n/2 - 1, n/2 or n/2 + 1 parties abort in round i, then the key observation is that the set of corrupted parties can collectively open only a constant number of shares per round.
So for example, if there are four corrupted parties who collectively hold two zeros and two ones, then they can open the following shares: for n' equal to two, they can open these three shares; for n' equal to three, they can open these two shares; and for n' equal to four, they can open exactly one share. So in total, they can open six number of shares. On the other hand, the remaining n parties, who hold z number of ones and n - z number of zeros, can open the corresponding share a_{i-1,n,z}. So the proof of Asharov et al. actually goes through in this case, because only a constant number of shares can be opened by the set of corrupted parties.

We do need to introduce some new technical contributions and analysis. Specifically, the prior results of Asharov et al. assume the domain has constant size. And they show the existence of the parameter alpha, which is the parameter of the geometric distribution and determines the number of rounds. They show its existence and that it depends only on the domain size. However, our domain necessarily has polynomial size, since if there are n parties each holding input zero or one, then the domain is going to be the values from zero to n. And so we need to show that this parameter alpha depends inverse polynomially on the domain size. In other words, we require a quantitative version of the previous analysis in order for the proof to go through.

So let me just talk briefly now about the extension to other adversarial structures. So as you can kind of see, we have this inner and outer secret sharing scheme. And this is going to correspond to adversarial structures that have two parts, A1 and A2, where A1 is a Q2 adversarial structure, and this is going to correspond to the outer secret sharing scheme. A2 is going to be the non-Q2 adversarial structure, the part of the adversarial structure that is not in Q2. And this corresponds to the inner secret sharing scheme.
For our first transformation to work, we require that A2 does not contain two sets S1, S2 such that S1 is a proper subset of S2. For a second transformation, we're going to require that for any two sets S1 and S2 in A2, it's okay if S1 is a proper subset of S2, as long as the number of elements in S2 minus S1 is at most c. And additionally, we show constructions of non-threshold adversarial structures satisfying these requirements, using tools such as projective planes and combinatorial designs.

So let me end here, and thank you very much for listening.