 Hi everyone, I am Michele Ciambi, and I'm going to talk about Threshold-Gerber-Circuits and Adox-Secure-Computation. This is a joint work with Bipol Goyal and Raphael Ostrowski. The private simultaneous model was introduced in stock 1994 by Fage et al. In this work, the authors wanted to consider a model that would allow the parties to securely evaluate a function with just one round of interaction. So we know that this is not possible in general unless we put some restrictions or we change the model. And that's exactly what the authors did. And they consider a setting where there are two types of entities. So the first is the evaluator, which wants to understand the output of the function. And then there are a set of parties that are the only parties that have inputs. A protocol in this setting has three main algorithms. The first is the setup algorithm that generates some correlated randomness. And we will denote the randomness that each party gets with a red R. So after the setup phase, each party has its own correlated randomness. And now each party can create an encoding using this randomness and using the input. An encoding of the input for the party Pi we denote with Ci. After the encoding phase, we go to the online phase, which is the phase where the parties actually provide their encodings to the evaluator. The evaluator now can use an algorithm that we call eval for evaluation. And branding this algorithm on input the randomness R0 and the encodings of the end parties, he can compute the output of the function F. So what we want here is that the adversary must not learn more than what can be inferred by the output of the function itself. Very connected to this setting is the notion of garbage circuits. Using this notion, it's easy to realize a secure protocol in the model we just described. Just a quick recap on garbage circuits. So garbage circuits has a garbling algorithm that takes as input a description of a function F and returns the garbling of this function, which we denote with capital F, and a set of labels, two labels per Y. So if we have such a garbage circuit and during the setup we run the garbling algorithm, we can give to each party one pair of labels in such a way that when it comes to do the encoding, now each party can select the label that he likes depending on what is his input and send these labels to the evaluator, which he can later run the evaluation algorithm of the garbage circuit to compute the output of the function. A stronger notion, but very connected to the one we just described is the notion of non-interactive multi-party computation. In addition to the previous notion, this allows the evaluator to collude with a set of parties. So what we require here is that the evaluator should not learn more than what he can infer from the residual function. The residual function is the function that keeps fixed the input of the honest parties, but where the input as lots of the function that corresponds to the corrupted slot can be queried with any value the adversary likes. And the question, another question is whether the garbage circuit instantiation is secure in this setting. And as you can imagine, the answer is no, because in this case an evaluator, a corrupted evaluator might get multiple, two labels for the same Y and this might in general actually compromise the security of the garbage circuit. And actually what BIME a little shows is that the notion of non-interactive multi-party competition implies in this selfish video of Huskish. The work of Bahamoud et al. in Grip to 2017 shows that this notion is achievable relying just on one way functions if the number of corrupted parties is just constant. Moreover, they require the input of each party to be just one bit. Another interesting model is the ad hoc private simultaneous message model. In this model, we still have n parties during the setup phase that receives the correlated randomness, but the function the evaluator wants to compute is a K input function. Indeed, we do not require here all the parties to participate in the online phase, but only a subset of parties of sides K. So what we want here is again that, well, we can, the honest evaluator can evaluate the output of the function and moreover that nothing more than the output of the function itself can be computed. In this notion only the evaluator can be corrupted. Also in this case, the garbage circuit-based construction does not help to achieve this notion because, well, unless we have at least one label per wire, we cannot run the evaluation algorithm of the garbage circuit. As our first contribution, we consider a new notion that not only combines the previous two notions we have seen. So in this one, that we call threshold non-interactive MPC, not only we allow the evaluator to collude with other parties, but also we do not require all the n parties to be participating in the online phase. In particular, we denote with K again the input sides of the function that you want to compute and we require only key parties to be participating in the online phase. The first thing we will do is to show how to construct a scheme that satisfies this notion. Our construction is based on a standard non-interactive MPC protocol and on a new notion of a secret sharing that we call position on secret sharing. The way we construct this tool is by relying on standard k out of n secret sharing that we now revise. We have a special party Alice in this case that has a secret x. Now Alice, she could run a sharing algorithm that's obtaining n values and shares, distribute those among the n parties and in such a way that the evaluator, only if he gets like k shares or more, he would be able to reconstruct the secret of Alice. And if he receives less than k shares, then nothing is revealed about the input of Alice. In our new notion, Alice does not have just one input, but she has multiple inputs. And the sharing algorithm as before takes the secret, or the secrets in this case of Alice, together with her position, position 4 in this case, and distributes the shares among the n parties. The idea here is that if k parties, if less than k parties participate into this online phase, let's say, or if the evaluator has less than k shares, as before, nothing is revealed about any of the input of Alice. On the other hand, if k shares are provided to the evaluator, and we order those shares following the ordering of the indices, and the share of Alice is in position j, then only the secret xj is revealed to the evaluator. Let me give an example. We have only 10 parties here, and let's say that the evaluator only gets the contribution from the second, the seventh, and the eighth parties together with Alice's share. So if we order the shares following the indices, then the share of Alice occupies the second position. And our definition says that only the secret, the second secret, which is x2, is revealed to the evaluator. In this other scenario where p1 does not speak, does not participate in the online phase, but the party p5, p9, and p10 do participate, the share of Alice is in the first position. This means that the evaluator will get only the first among the four secrets. In this other scenario instead, the evaluator will get only the third secret, and nothing more than that. So the way we construct a positional secret sharing is the following. So the sharing algorithm will do something for each of the secrets of Alice, but in this slide here, I just want to give an example of how the sharing algorithm works in the case for the input x2, and for the simplified scenario where the index of Alice is 2. So the sharing algorithm does the following. First of all, it creates a three out of three secret sharing. That's creating what we call a left share, center share, and a right share. Then for the left share, we create a one out of one secret sharing. The same we do for the center share. And for the right share, we create a one out of two secret sharing. We run a similar process for x1 and x3, and we arrange the output that we get in the following way. So the idea is that if, for example, the evaluator gets the share s1, s2, and one of s3 or s4, that's what the star stands for, then we have that the capital s1 contains the one out of one secret sharing of the left share. So we can reconstruct the left share. Alice contributes with the center share, which is the pink share. And now, no matter whether the evaluator has s3 or s4, given that it is possible to reconstruct the right share with using a one out of two secret sharing, well, we can basically reconstruct x2 because we have all the three shares. If, for example, we are in a situation where we have only s2, s3, and s4, it is easy to see that the information that we have here are not sufficient to reconstruct x2 because we have missing the, or to be precise, we have no way to reconstruct the left share here, given that s1 is not in the hands of the evaluator. So for our construction, we use the positional secret sharing scheme I just mentioned, and a standard non-interactive multi-particle competition protocol, which let me remind you, it's a protocol that allows the parties to be colluding with the evaluator. So at a very high level, our protocol works in this way. So assume for simplicity that we have a function of cardinality 2, and that we have only three parties. So what will happen here is that we have three parties, but only two of those will be participating in the online phase. So the first thing we need to describe is the setup. During the setup, we create an encoding for all the possible inputs that the function f could get. To be precise, we have a function that has two inputs, and we know that the input of each part is just one bit. So for the first input of the function, we create an encoding of zero using the randomness r1 of the non-interactive MPC protocol, and then an encoding of one using the randomness r1. We do the same for the second input of the function. Now I will not go into the detail of this. By using our position on secret sharing, we can create a set of shares that we distribute among the parties. So the idea is that each part now, depending on the input, can decide which set of shares to send to the evaluator. In this case, the input of the first party is zero, and so he will send the set of the blue shares, let's say. Whereas the third party, which is the only other party that will participate in the online phase, has one as its input, so he will use the red set of shares. The idea here is that because of the security of the position on secret sharing scheme, the evaluator will be only able to reconstruct an encoding of zero for the first input of the function f, and an encoding of one for the second input of the function f, where the encodings are with respect to the non-interactive multi-party computation problem. At this point, the evaluator can just run the evaluation algorithm and get the output of the function. So what happened in the case where the third party, for example, is corrupted and is colluding with the evaluator? Well, in this case, of course, they can share everything, they can share the correlated randomness, so in this case, the evaluator might be able to evaluate the function by switching the second input. But this is fine because we assume that the underlying non-interactive multi-party computation protocol is secure against this type of attack. Moreover, we can prove that because of the security of the position on secret sharing scheme, the fact that the third party is sharing its randomness, everything he knows with the evaluator, does not leak anything about the encodings for the first input of the function. In this example, as long as the party p1 is on us, the blue party, the left party here, it is guaranteed that the encoding of one that we denoted with c11 is protected. So the adversary, in some sense, he cannot compute the output of f on input 1 and 1, for example, or on input 1 and 0. As a second contribution of this work, we consider the notion of kt secure dock private simultaneous message. So this notion doesn't allow corruption of parties other than the evaluator, but it has the natural relaxation that the number of parts that could be aligned is not fixed. So in the previous example, we had n parties and only a subset of k parties might be participating in the online phase. As in this notion, any subset of sites t can be participated. So, unfortunately, for genetic parameters of tk and n, this notion implies obfuscation, and this thing should be obfuscation. And what we do in this work is showing that if actually we want to compute k input function, and the number of parties that participate in the online phase is k plus c, where c is some constant, then we can still get a secure protocol. In our construction, the input of the parties are strings that, compared to the previous construction, we were able only to achieve a protocol secure in the case where the input of the parties are just single. Another question is whether the previous construction satisfies already this notion whether there is need to do some work. So, to give an example about how challenging is this task, consider the case where we have, again, a k input function, but now k plus one parties might participate to the online phase. And in this case, for example, we have the party from p1 to pk plus one to be contributing with their input. Another evaluator can evaluate the function on the first k input or in the last k input. So, by discarding the first one and by redoing the computation of the last k values. And now this is problematic because the inputs might be such that by doing this shift of one position in the input that go in the evaluation of the function, it might be that all the inputs now change. So, in this example, let's say that the input of the parties can be described in this way. Let's say that they are just bit right. Now, the adversary can compute the output of this function, but he can compute also the output of this function where all the input in all the positions like have been switched. And there is no way that we can argue security in this setting by relying on an interactive NPC protocol that allows only the corruption of a constant number of parties, because here it's like all the parties have been corrupted. And so the adversary can change the inputs in all the positions of the function. So what we do in our work is that we prove that our scheme, positional secret sharing scheme enjoys a stronger security notion. And we show that together with the learning with error assumptions, we can achieve this notion where, again, like we allow k plus c parties to be aligned where c is not known, but it must be constant and where the input of all the parties are strings. So, in conclusion, we have introduced a new notion that allows both corruptions of the parties and allows the evaluator evaluating a function without having all the end parties being online. And we provide a construction in the secure adopt private simultaneous message model for the case where the parties that can be aligned is cardinality of the function plus some constant. And in this way, we solve a problem that was left open in the work of Bayman et al. in Eurocrypt 2017. So this construction, although relies on the learning with errors assumption, whereas the previous construction of the threshold on interactive NPC, just relies on one way functions. And with this, thank you very much.