 Hello everyone, my name is David Gratzler and today I'm going to talk about a paper of ours called a generic compiler for publicly wear FIPL COVID multiparty computation. This is a joint work with Kamita Saj from the Bailan University, as well as Sebastian Faust in Benjamin Schlosser from the Technical University of Darmstadt. I will start with a short overview of what I'm going to talk about. My talk will begin with some background and motivation. Next I will give an overview of our contribution. This is followed by the presentation of our compiler, in particular how to compile any semi-honest protocol to a PVC run. And afterwards I will talk about our security proof and in particular how you can incorporate reductions to time-lock passes into simulation-based security proofs. And finally I will give a short conclusion. So let's get started with background and motivation. I think you are kind of familiar with multiparty computations, so I'll just give a high-level overview. Suppose there are two parties, Alice and Bob. And Alice has the recipe for Pepsi, where Bob knows how to make Coke. And they run to combine the recipes to some super potion. The cool thing is they even know how to do so. However, they cannot send the input to the other party because like leaking the recipe for Coke is a huge financial loss. So what they do is they apply multiparty computation. This primitive allows them to evaluate a function on joint inputs without leaking privacy of those inputs and still ensuring correctness of the output. An interesting approach of multiparty computation is to split the protocol into an offline and online protocol. Again, we have to talk to these two parties, but now they run an offline phase in which they do not really insert inputs, but only some randomness, and they get some boost out of it. These are typically like beaver triples or garbled circuits. And then some later point of time, they use these inputs to execute an online phase which becomes much faster. In this online phase, they provide the actual private inputs and get the final output. Also another primitive used in our compiler are time lock puzzles. I will also give just a high level overview over time lock puzzles. These allow some party to insert some secret into a puzzle which is then distributed to other parties that start solving these puzzles. And the time lock puzzle guarantees that no one can solve them before time t, while even like the honest parties will not need much more time than t. And this is achieved by requiring puzzles to be solved sequentially. Such the parallel computation, like buying a lot of computers, does not give you anything or speed up the solution finding of this puzzle. And finally, I want to look into security models, in particular how public web fiber covert security is positioned in like the spectrum of security models. Originally, there have been semi honest security and malicious security. In semi honest security, the adversary follows the protocol description, but in malicious security, the adversary is allowed to act arbitrarily. And while malicious security, obviously gives much stronger security guarantees, it's typically also not that efficient. So Alman and Nindal proposed as the middle ground covert security. Covert security and adversary is again allowed to act arbitrarily. However, he has some chance to break the security guarantees. On the other hand, there's also a chance that he will be detected while trying to do so. This chance is called a deterrence factor. And the idea behind this is that parties might be in your periodical relationships and they execute this multi party computation again and again. And if they're in a business relationship and someone detects them cheating, this means financial losses for them. So they do not risk to be a detective cheating. As an attention, there is publicly rare fiber covert security. This does not only allow parties to take cheating, but only to get improved misbehavior when detected cheating, which can be transferred to any third party to prove cheating, for example, at charge. However, currently, there are only foreign specifications for two party computation. And we want to present compiler, which allows to compile any semi honest and party protocol to a publicly rare fiber covert one. This directly leads us or me to our contribution. First of all, we present the compiler, which allows to transform a semi honest protocol into a PVC one. This is the first formally specified and proven PVC and PC protocol. There has been some prior work with which provides kind of an intuition how to extend their approach to multi party setting. However, they did not specify it. Also prior work, the intuition of prior work had some restriction on the deterrence factor, the detection probability of cheating parties, but we do not have something like this. Also, we incorporate time-locked parcels into a simulation-based security proof and to the best of our knowledge, we are the first to do so. And finally, we formally specify rare fiber time-locked parcels, some extension to time-locked parcels. Okay, so now let's get to the real content, our actual compiler. I will start with presenting how to get covert security from semi honest security to get a good understanding of what follows later. So we focus on the offline online setting, because this is like the easier to understand if you're interested in how to compile protocols that cannot be split into offline online, you can look into our paper. So actually we do not really change the online version because the online version is fast anyway, even for malicious security, so we can just take a malicious online version. However, we have to adapt the offline version a little bit. We take a semi honest one and adapt it a little bit such that it can fit into our compiler. First of all, we de-randomize it, which means that all randomness in this offline version is derived from some predefined seeds. Secondly, we require some form of public transcript. And thirdly, we kind of need to extend the output. For example, if you think about secret sharing multi-party computation, the malicious online version requires max on the B-Vertraples, while the semi honest one does not. So we need to extend the semi honest one to also generate these max. OK, how are these protocols then used in co-executive protocols? And first of all, Alice and Bob commit to two random seeds in exchange to commitments. And then they execute two instances of the semi honest protocol or the adapted semi honest protocol in which they derive all of the randomness from these committed seeds. And they get some transcripts out of it as well as some boosters. Pre-computation. Next, they execute a shared coin tossing protocol. Suppose for now, the coin is R equals 1. And then they exchange the seeds of the first instance determined by this coin. And now having these seeds, this party can emulate the protocol instance due to this demodernization we applied earlier and get a new transcript out of it. And if this transcript does match the one of the real protocol execution, everything is fine. Otherwise, there was some cheating in this instance. And due to having exchanged the seeds of this instance, they can no longer use the pre-computation of it because the private information in this pre-computation is leaked. So it goes to the trash. However, they can use the outcome of the other instance for the online phase to accelerate the online phase. In this setting, the detection probability is 1 half because there have been two instances and one of them is checked. And in general, if there are T instances and T minus 1 of them are checked, the detection probability is T minus 1 divided by T. OK, so now how to get to a publicly rare fiber-covert security? What's the difficulty? Can't be just add signatures. So execute a shared coin tossing protocol, then exchange the seeds. And when exchanging seeds, just put signatures on the seeds. Does this work? Actually, it does not work because there's something which we call a detection-dependent board. Which means that an adversary learns the result of the coin toss. That vessel learns if she will be detected and abort if otherwise before sending the signatures. So there's nothing to prove. Previous REC tried to solve this using a previous transfer. However, this has some shortcoming, which means that in a previous transfer, each party selects the instances it wants to open individually. Which means that parties might check all instances. For example, Alice selects via a previous transfer that she wants to open instance 1, and Bob wants to open instance 2. And in the end, both pre-computations of these instances need to go to the trash. And there's nothing left for the online phase. So in this setting, the detection probability at the deterrence factor is kind of bounded because we require that the number of instances is larger than the watch list times the parties, which again means that the deterrence factor is bounded by 1 over n. There are some workarounds for the two-party setting. And also, this can be improved via protocol repetition. But we are interested in how we can achieve this for the multi-party setting without needing something as cumbersome as repeating the whole protocol. And actually, we can do so. We achieve publicly verifiable covert security without bounded detection probability. And our approach is quite simple. We go back to the covered idea to have just one watch list for all parties. And we use time lock puzzles to prevent detection dependent on board. And also, time lock puzzles are then our only additional security assumption. OK, so how does our protocol look like? Again, we have Alice and Bob, and they execute two semi-honest instances. But next, they execute some malicious secure MPC protocol in which they input their seats and some coin share. The malicious secure MPC protocol outputs a time lock puzzle of the coin, which is just the x of the coin shares, together with the corresponding seats. Then parties exchange signatures on the transcripts, as well as the time lock puzzle. But now, they do not know which value is actually locked in this time lock puzzle because the time has not elapsed and they have not been able to solve it yet. And then in some second round output, after the signature has been exchanged, parties receive the clear of this coin as well as the seats. This way, they do not really have to solve the time lock puzzles, but they can still ensure that signatures are exchanged earlier. And afterwards, they can just check these instances again. If there has been some cheating, they publish the signature of the other party together with the time lock puzzle and the transcripts, which is enough information for everyone else to check if some party misbehaved. Otherwise, they can do the same as before. And proceed with the online phase. What happens if an adversary aborts before the second round output has delivered? The other parties can just open the time lock puzzle. And why can we just apply malicious security here in this time lock puzzle generating protocol? This is because the complexity of this protocol is independent of the overall protocol complexity, which means it doesn't matter if we generate five B-Vertriples or 10,000s of B-Vertriples in this offline phase. The complexity of this TUP generation is always the same. And here, now, the detection probability, if we have T instances, is T minus 1 divided by T because, actually, all parties have the same watch list. This coin points to the same instances that should be opened. Yes. Of course, there's something missing, some minor details, which I left out due to presentation issues. So in semi-honor security, we actually want parties to use really random seeds. But here, we allow parties to pick their randomness themselves. And this is why you can extend this protocol by some mechanism which allows parties to pick a private seed share. And the other parties generate a public seed share, and then these shares are combined to the actual seed, which is then really random. Also, what happens if we have more instances? We just open our board run. For protocols that are not offline online, we can apply the player virtualization or party virtualization paradigm. For more information, you can look into our paper or prior work, which introduced paradigm. Also, currently, the charge has to solve full-time-locked puzzle, which is time-consuming. However, we introduced this notion of rare-fibre time-locked puzzles, yet is primitive, which allows some party that has already solved the puzzle to also generate a proof that can be transferred to a third party to prove the result of a time-locked puzzle efficiently without actually needing time t. And currently, these certificates contain huge transcripts, potentially huge transcripts. However, this problem can also be solved quite easily by applying a micro-tree structure to these transcripts and then using micro-tree proofs to show that some transcript has been a wrong message. And finally, an obvious question is, isn't creating puzzles inside multi-party computation too expensive? And actually, it is. However, we extended our protocol such that all parties insert something like zero puzzles into the NPC protocol, which are then summed up to a fresh zero puzzle, and then the NPC protocol applies the secret to this fresh zero puzzle, such that the NPC protocol doesn't generate a puzzle itself, but just combines puzzles and still allows these puzzles to be secret. And we enable the charge to detect if there have been inconsistent zero puzzles such that no party can screw up this certificate. However, if a party inserts a wrong zero puzzle, it needs to do this before it knows if it will be detected or not. So this abort is kind of independent of whether that whether it will be detected or not, which is okay in PVC. Okay, this brings me to the final content-wise point of my presentation, and this is the part of our security proof. So we did a simulation-based security proof and this typically works like this, that there's an ideal world and a real world. And both worlds have the same address in honest parties, but in the real world, they communicate directly while in the ideal world, the address communicates with the simulator, which again communicates with the ideal functionality and then which again communicates with the honest parties. And then there's a distinguisher which tries to distinguish views from a real world from an ideal world, and some protocol is secure. If the distinguisher cannot distinguish ideal world and real world. And as it's often hard to show directly that these two worlds are indistinguishable, people typically apply a sequence of hybrid experiments and show indistinguishability between each two experiments. And this is often done via reduction to primitives. In our case, at some point we want to reduce to the security guarantees of time lock puzzles. And yes, suppose a setting in which we have two hybrid experiments. In one, the protocol is executed with some random coin R in the time lock puzzle. Then the behavior of the address is determined. Then the simulator actually rewinds to the beginning and forces a new coin R prime. Determines again the behavior of the address and repeats rewinding until the address behaves the same. If the address behaves the same, rewinding is stopped and the simulator continues just as the protocol defined it. And then there's a second hybrid experiment which is actually exactly the same. The only difference that now the same coin is used in the main thread and the rewind thread. And we want to show indistinguishability of those two and we want to do this via reduction to the time lock puzzles. There is a naive idea how this could work. We have now a dark addresser which is an attacker on the time lock puzzle security game and on the right hand side, the challenger of the time lock puzzle security game. And the dark addresser just executes this hybrid experiment, the first one and forces a random coin R. Then he runs to the beginning, selects a new random coin R prime and sends them tuples which should be put into this time lock puzzle in the protocol to the challenger one containing R and one R prime. And then the challenger picks a random coin and sends back at the corresponding time lock puzzle. And now the dark addressery continues with the receive time lock puzzle. And you can note now that if C equals one, then R prime is in the time lock puzzle. So we have exactly experiment one. If C equals two, then R is in the time lock puzzle and we have exactly the experiment two. Which means that now the dark addressery can just give this view to this distinguisher which says, okay, we have experiment two or one and the result can be given to the challenger of the time lock puzzle security game. And now if the distinguisher can distinguish between experiment one and experiment two, then the dark addressery has an advantage in the security game which contradicts to the time lock puzzle assumption which again means that if the time lock puzzles are secure then there's no distinguisher between experiment and experiment two. However, there's a problem. And this is that this just doesn't work because the dark addressery is bound to be executed in time T where the distinguisher might take much more time. So we cannot apply this direct reduction. Instead, we need to do some tricky observations. The first one is that the experiments are indistinguishable right before the second rewinding because at this point the addressery is simply see some execution both containing a coin once R and once R prime. However, R and R prime are just uniformly random. So you cannot distinguish these views. Next, the probability of each behavior is independent from the coin locked within the time lock puzzle. This is actually an observation we can prove via reduction to a time lock puzzle which we'll follow next. And this means that each behavior is chosen with the same probability of both experiments in main and rewind thread. And this again means one and two together means that the experiments are indistinguishable right after rewinding because like when the decision of rewinding is made they are indistinguishable shown by one. And also like the rewinding is stopped due to based on the behavior. However, the behavior is also independent of what is actually within the time lock puzzles. So what happens earlier? So if the behavior is independent then stopping rewinding is also independent. So diffuser also indistinguishable right after rewinding. And together with observation three that all steps after the rewinding are the same in both experiments. It follows that the experiments are indistinguishable in total. So how do we prove the second claim? Again, we have the dark addressery and the challenger, the dark addressery executes the instances and the main thread. He also executes one rewind thread, selects a new random coin R prime, sends both to the challenger as before, gets a puzzle out of it as before. And then he continues with this puzzle and as before if C equals one the execution equals experiment one and if C equals two the execution equals experiment two. But now instead of going to the distinguisher he observes the behavior of the protocol addressery. And if the protocol addressery behaves the same as in the main thread, the dark addressery simply returns C prime and otherwise sorry the dark addressery simply returns one and otherwise the dark addressery returns two to the challenger. And now we can see that if the protocol addressery can change its behavior dependent on the coin within the time lock puzzle then the dark addressery has an advantage in the security game which on the other hand means that if the time lock passes are secure then the behavior of the protocol addressery is independent of the coin locked within the puzzle which is actually what we wanted to show which proves our claim too. Okay, this is the interesting part about our simulation proof. If you want to see details about this you can contact us or look into the paper which leads me to the final topic of my talk I'm giving a short conclusion. Yeah, I just want to recap our contribution. We presented this compiler from Sermi Ernest to PVC security for multi-party protocols. We showed how to incorporate time lock puzzles into a simulation based security proof and also we specified these way fiber time lock puzzles. There's also some interesting future work. So first of all, currently we apply some general purpose MPC to generate these time lock puzzles and it would be really interesting if this can be improved, if there's maybe some tailored MPC protocol to generate these puzzles even more efficiently. Also our charge currently has to emulate a hood protocol instance and we wonder if this could be achieved more efficiently. And finally, our transformation currently needs some form of public print script and it might also like we wonder if it's possible if you can also achieve justice out of public transcripts. I think these are interesting directions for future work. So yeah, thank you all for your attention and if you have any questions feel free to contact me or my colleagues. Thanks for listening.