 So next, let's take a word, let's give an answer to the paper called Turan Secure Multi-Party Computation for Minimal Assumptions by Sanchandar Akshai to the bottom and Akshai to the top. Hi everyone, I'm Akshai and I'm going to talk about Turan Secure Multi-Party Computation from Minimal Assumption. This is based on drawing work with Sanchandar. Let me start this talk while describing the setting of two-party computation. In this setting, there are two parties with priority inputs next one and next two respectively and they wish to compute a joint function again on their priority inputs. The security notion that we want to guarantee here is that even if one of the parties, let's say, gets corrected, it does not learn anything about the other parties input apart from what is linked by this function here. Secure two-party computation is one of the fundamental providers in the protocol and a whole lot of research effort has been put into to completely calculate it. So let me quickly summarize these. We know that there are certain functionalities for which two rounds are necessary to securely compute it, meaning that they do not be securely computed in a single problem. On the positive side, we know that garbled circuits along a two-round oblivious transfer gives a two-round protocol for securely computing any two-party function. So this present matches the lower bound in terms of long complexity. And furthermore, we know that two-round OT is the minimal assumption from which we can construct a two-round two-party computation, as any two-round two-party computation implies a two-round OT protocol. In this work, we are interested in the secured multi-party setting where there are seven parties with priority inputs next one and next two respectively, and they wish to compute a joint function again on their priority inputs. The security that we want to gather here is that even if a subset of the parties get corrupted, where the size of the subset would be as large as n minus one, the corrupted parties do not learn anything about the honest parties inputs, apart from what is needed by this function. Secure multi-party setting is a more demanding setting than this party computation, and it's much harder to design protocols in the multi-party setting. So let me first recall what we know about secured multi-party computation protocol. Back in 1987, almost thirty-one years ago, World-Wake Vitalian Tutors and they have protocol for securely computing any multi-party computation. However, the number of problems this protocol goes with the multiplicative depth of the circuit, and for circuits with large multiplicative depth, the number of problems could be a large problem. And a long line of problems starting with the similar work of Beaver, Michali, and Rockway in 1990, reduced the dot-complexity to a particular problem. And recently, there have been several problems which obstructed the round-optimals in BC protocol. They round-optimally means two rounds. So the first construction was given by Gerger-Tol in 2014, and this was based on indistinguishability of this case. Later on, Horner and Rod improved the assumptions to witness encryption. And then Eurogroup 2016, because they have a protocol for computing any multi-party functionality in two rounds from learning records. And in last year's Eurogroup, the Boyle, Gilboa, and Yushman gave a protocol for computing multi-party functions for a constant number of parties from the DDH function. And in FORCE last year, we gave a protocol for computing any multi-party function of strategy, based on standard assumptions by EDMs. So, if you see all these constructions of two rounds in BC protocol, you will see that there is a significant gap in the assumptions that are sufficient for constructing two-round in BC when compared to the other two-round in BC. Specifically, we know constructions of two-round two-party computation of the minimal assumption that two-round would be in BC, whereas all the prior constructions of two-round in BC somewhat required a structured and j-prick assumptions. So this brings us to the main question, which is the focus of this work, which is, can we construct two-round multi-party computation protocols from significantly weaker assumptions? So in this work, we show that we can construct two-round protocols for securely computing any multi-party functionality from any route of previous strategy. So this closes an actual line of work for finding the minimal assumption required for constructing two-round in BC protocols. And specifically, it places two-round in BC the same scale as the two-round two-party computation as far as assumptions are concerned. So let me give you more details about the result. In the setting on a setting, we get a construction of two-round in BC protocol from any two-round OT in the planning model. In the management setting, we get a construction of two-round in BC in the CRS model from any two-round maliciously secured OT in the CRS model. Interestingly, our malicious secure protocol does not require non-intractive zero-normic rules. Whereas all the prior constructions additionally require physics to get security in the malicious setting. So a corollary of this malicious protocol is that we get a two-round malicious secure in BC from DDHR in the community because we don't know constructions of these assumptions. And in a concurrent and independent work, which will be there in next, Ben-Havard and Len-Mohm also obtain similar results as ours. Specifically, they obtain the same result in the semi-non-setting that is they construct two-round in BC from any two-round OT in the planning model. In the malicious setting, they additionally require methods on top of two-round maliciously secured OT. And they also have some really interesting results in the planning model that is without any trust or set of assumptions and I think so please we'll be mentioning them. The main idea behind this. The main idea is that of round compressors. That is, we take an arbitrary round protocol, we securely compute the function F and we compress the round complexity to just two broad castors. This might sound a little bit copyright-inducing as how can you possibly compress an arbitrary round protocol without affecting its correctness or its security? So to explain this, I'll first consider a very simple toy protocol that computes a very simple functionality and I will then now compress the round protocol complexity of this protocol. Later I will stay out to compress the round protocol complexity of arbitrary computation protocol. This toy protocol computes a three-party functionality F that takes a bit A from the first party with B from the second party with C from the third party and outputs three bits A, A and B and A and B and C. So all the parties get all these three bits as well. Very simple protocol that securely computes this function as follows. So the private inputs of the party 1 is A which is the second party 2 is B and party 3 is C. And in the first round, the first party not has A to the other group of parties and in the second round, the second party not has A and B to the other group of parties and in the third round, the third party not has A and B and C to the other group of parties. So this is very simple protocol and it's information theoretically secure and it's secure against two corrections. I'll be focusing just on the semi-honest model and the rest of the job. So it's secure against passive corrections of at most two parties. But unfortunately this protocol runs in three rounds and it's not clear how to compress the round protocol to secure this protocol into two rounds in the information theoretically setting. In this work, we're going to throw in some computation and tools that compress the round protocol of this protocol. The main computation and tool that we'll be using is gavel circuits. So let me first recall gavel circuits and gavel circuits were introduced in this similar work of Gavel and it allows to import a Boolean circuit into a gavel circuit after that along with a pair of labels for each input wire of this circuit. So specifically as one label corresponding to the bits, you know, and another label corresponding to the input. The gavel circuit extended along with the labels corresponding to the bits of an input s allows one to evaluate f of s. And the security property is that the gavel circuit along with these labels do not need anything about f or s apart from just f of s. So let's now see how to compress the round complexity of this protocol it is running in three rounds two rounds using gavel circuits. So let me go with the ideal idea of our two round protocol. So in the first round, the first party not cascading which is the same as the protocol whereas in the second round in the two round protocol the second party garbles some circuit which I will specify later and it broadcasts this circuit to the other parties along with the labels for evaluating the circuit. Similarly, in the second round, the third party garbles two circuits and I will specify the functionality of these two circuits later and it garbles these two circuits and broadcasts these two circuits to the other parties along with the labels for evaluating the first gavel circuit. And these are all the interactions that I have. So now the question is how does this achieve ground compression? So the answer to this question is there these two garble circuits how about to implement the second round of the toy protocol and the final garble circuit implements the third round of the toy protocol. So given these two gar... given these garble circuits every party can locally evaluate them to obtain the output of the second round and the output of the third round and this is how we compress the ground compression here at this point. So let me go in some detail on how do these garble circuits somehow implement communication now. So let me take the example of the second round which is implemented by two garble circuits. The first garble circuit which is dedicated by the second party takes as input A which was broadcasted in the first round and B which is the priority input of the second party and the third party's garble circuit takes the priority input C of the third party. So the main idea behind the result is that we design a mechanism where the second party broadcasts A and B to the garble circuit and the third garble circuit somehow listens to what this broadcasts. So in some sense we enable the garble circuits to talk with each other. So once this garble circuit has listened to A and B it can pass on this information to the garble circuit which is implementing the third round of the protocol. So it can pass on C and A and B and the third round garble circuit just outputs A and B and C. So this is how we achieve round compression at high level and in our previous work we achieved this mechanism where the garble circuits can talk with each other using a special work-question-impression scheme built on standard assumptions on I and B and L. However, in this work we will just relay on two rounds of various structures to let us now see how to make the garble circuits to talk with each other using a two-round rule. So let me first recall an oblivious transfer. So an oblivious transfer is a protocol between two parties, a sender and a receiver. So the sender's inputs are M0 and M1 which are two strings and the receiver's input is a choice between them. And at the end of the protocol the receiver learns the message Mb and the sender does not learn anything about the bit B and the sender does not learn anything about the message Mb. That is the security that we want to get. In this talk we will be focusing on two rounds of oblivious transfers where the first round is sent from the receiver to the sender and some encodes his choice between them. In the second round the sender sends the message which somehow encodes his strings M0 and M1. So usually we rely on the fact that given the sender's message and the randomness used for generating the first round receiver's message one can recover the message corresponding to the bit B. We know constructions of two rounds of oblivious transfers from a variety of number theoretic assumptions such as any hedge, quadratic or severe CDN even lattice-based assumptions such as learning the hedge. So let us see how to use a two-round oblivious transfer to compress the round complexity of the structure. Let me just over the protocol. So in the first round the first party broadcasts in just same as before. But in the first round the second party broadcasts two messages. So the first there are two receiver duty messages. The first message encodes 0 and B where B is the private input of the second party. The second receiver duty message encodes 1 and B as its choice. This is the first round of the protocol. And in the second round as I mentioned before the sender sends the second party sends a gamma circuit. And the third party generates two gamma circuit. So the one thing that I have not yet mentioned is what are these functions computed by this gamma circuit so that they can implement the second and third round. So let me explain these problems. So let me start with the first gamma circuit of the third party. So this gamma circuit takes as input the bit C which is the private input of third party and it has a bunch of values which are hardwired. It has the bit K which is the first round message of the first party. It has the first round only messages of the second party. It has two sets of labels input labels of gamma circuit. So looking at these input labels will be the these labels will be the input labels of the second gamma circuit generated by this third party. So these are the hardwired values. Let me explain the output of this gamma circuit. So the output consists of two components. The first component is the label corresponding to the input C. The center component is the interesting component and it's a centers of the message which is generated as points. So depending on this choice bit A it either chooses the first message or the second message. So if A is 0 then it chooses the first message otherwise it chooses the second message. In either case the bit that is encoded by the chosen message is A and D. So it corresponding to that first round OT message it generates the second round OT message with the input making the labels corresponding to 0 and the labels corresponding to 0. This is the output of the first gamma circuit of the third party. So it's still not clear how this enables the gamma circuit to communicate and for that we rely on the the second party's gamma circuit. So the second party's gamma circuit takes as input A and B and it has the random message for detecting the first round OT message and the second round OT message. So omega 0 of the random circuit generating the message corresponding to 0 and B and 1 and omega. So this circuit's output again consists of two components. The first component is the second round message which is A and D. We call that the second round message consists of A and D and the third round message is B, A and B and C. So it outputs the second round message in the clear but it somehow needs to communicate A and B to the other party's gamma circuit. So it does this communication by outputting the randomness corresponding to omega D. So given the randomness corresponding to A and this sender's OT message one can recover the label corresponding to A and B and this is precisely the message that we wanted the gamma circuit to communicate to the other gamma circuit. So the gamma circuit which has to speak outputs the randomness corresponding to one of the OT messages. The gamma circuit that has to listen outputs the sender's OT message. So given this and this one can obtain the label corresponding to A and D which is the message that we wanted to first communicate. And given these two labels one can evaluate the third party's gamma circuit with the label corresponding to C and the label corresponding to A and D to obtain the third round output A and B and C. And this is how we achieve the normal compression of the gamma circuit. So given these gamma circuits every party can locally evaluate then to obtain the output A and B and then using this randomness they can recover the label corresponding to A and B and then obtain the third round output A and B. Seems fine just for this 5th round now the question is how do we compress the wrong confidence in the algorithm. For this purpose let me just focus on the days of three parties again but it generalizes to last year's number of parties and they will consider any MPC protocol in the following order. So in each round a single party computes a circuit C1 on its private input and the messages that were received seamlessly and then communicates the output to the other two parties. So let's say the first round the first party computes a circuit C1 on its own private state and then updates the output and communicates it to the other two parties. In the second round let's say the third party computes a circuit C2 on its private state and the message that was received in the first round and then communicates the output to the other two parties. And this goes on for three rounds. It is very easy to see that any MPC protocol can be transformed into this one. So in order to compress the complexity of this protocol we will again use the same idea where we implement each round using a set of garland circles but now we enhance this talking and listening capacity so that they work for the arbitrary circles of a single team. The idea is very similar to the single team setting. I think we had a time to go over the details of how to be generalized and then let you to look at it. So this is how we compress the round of complexity of an arbitrary protocol and this helps in achieving the desired result of constructing a two round MPC. So to conclude we gave a two round protocol for secure managing party computation from any two round MPC and this is the minimum assumption from which we can construct the MPC protocol. In a follow up work which is going to appear in this year's crypto we gave a protocol where the number of public operations is independent of the circuit size that is being computed. All the previous constructions including the construction that we just described add a property that the number of public operations grows and that is something that we want to avoid. Here we have construction that has number of public operations independent of the circuit that is being computed. So some of the open questions from our work are can we improve the communication of MPC? So currently the communication of MPC grows with the computational MPC of the protocol that we are compressing. So it is not clear whether this is necessary so can we improve the communication of MPC? Another interesting open problem is to have concretely efficient two round MPC protocol that would have a great effect in practice and that's it. Thank you very much.