 Hi everyone, this is Jaspar and in this video I will be presenting our paper titled Large Message Homomorphic Secret Sharing and Applications. This is a joint work with Lance Roy at Oregon State University. The talk would be structured as follows. I will begin by introducing the notion of homomorphic secret sharing, also abbreviated as HSS and its traditional security definition, followed by a summary of all known results for two-party HSS from the research literature. Next I will present a general framework for the design of HSS protocols and following which we will essentially give our own proposed HSS construction and finally before concluding I will present a couple new applications for our HSS construction. Let's begin by the introduction. Traditional definition of HSS consists of three algorithms share, eval and decode. The share function is used to secret share the input x with the two evaluating parties. The evaluating parties run the eval algorithm which takes as input a share of x and the program description p. The output of eval can be fed into the decode function which outputs p of x which is the evaluation of the program p on the original input x. Security of HSS requires two requirements to be met. One is correctness and secondly privacy. Correctness ensures that the decode output is correct while privacy requirement states that each share xi should hide x. HSS can also be seen as the two-party relaxed variant of FHE or fully homomorphic encryption where servers can homomorphically compute on the secret input x under the additional constraint that the servers are non-colluding. We will specifically be looking at 1-p HSS constructions where the correctness is allowed to fail with some probability p. Another interesting variant of HSS is the one where the decode function is a simple addition operation. We call such a construction HSS with additive decoding. The simplistic decode function opens up a large number of applications in crypto where HSS could be a viable solution. Including our work, most research literature on HSS has focused on the restricted multiplication programs as the model of computation also known as the RMS model of computation. These programs allow for initialization of a certain number of memory values where each memory value is bounded above by a parameter m and it allows for the following operations. So we could initialize any memory value by a constant 1. We could output any memory value which would essentially be part of the output of the RMS program. We could add any two memory values into another memory value. We could multiply any memory value by a public constant. And finally we could do a restricted multiplication which essentially means that you can multiply any input x with a memory value y to store that as a memory value z. Due to the restricted multiplication, this model of computation certainly does not capture general circuits. Yet this computation model is pretty expressive since it does capture branching programs and locked-up circuits at least. In this session, I'll present the known research literature on the problem of homomorphic secret sharing for the RMS model of computation. In 2016, Boyle, Kailbo and D'Shy initiated the line of work on secure computation from HSS, the construction based on divisional DPL min assumption. On the timeline on this slide, below each work is mentioned the time complexity of running the RMS program using the given HSS scheme. Here n represents the number of steps in the RMS program, m is a bound, and p is a net error probability. Note that the security parameters treated as a constant and hence not reported when presenting these complexities. For BGA 16, the running time is order m n square by p, hence m has to be polycyzed and p has to be an inverse polynomial. In a follow-up work for Zylo et al, they construct a similar HSS scheme based on pi a encryption, which is based on the divisional composite residual solution. They achieve the same complexity as BGA 16. In a work due to Denier, Keller and Klein in the following year, they improve the asymptotic complexity of the DTH-based HSS construction due to BGA 16. They reduce the running time of the program to square root m by p into n raised to power 3 by 2. Note that this still only gives us an inverse polynomial error and polycyzed message mark. These limitations were finally removed by work due to Boyle, Kailbo and Scho, which uses lattice base cryptography. Their scheme is based on the LWA problem and achieves homomorphic secret sharing with exponentially small correctness error and exponentially large message space. The running time of the protocol can be estimated to be order n times log square by p, hence n can be exponentially in security parameter and p can be negligible as well. In this work, we introduce a new HSS construction based on Damocard Zerich retrosystem, which is based on the DCR assumption as well. Our HSS construction managed to achieve negligible error probability and exponentially large message spaces without relying on stronger lattice-based assumptions. Furthermore, unlike all the previous works, we do not need any circular secure encryption scheme or any circular security assumptions. We also present two new applications of our HSS construction, which include a two-server constant bandwidth malicious secure owner and a tractor hash function. Concurrent work due to Orlandi, Shawl and Yakubov also propose an HSS with negligible error probability for exponentially large message space. There are two versions of the protocol. One requires a circular security assumption and the other uses a circular secure encryption scheme and the Raketsky-Goldwasser encryption scheme. PA has a smaller plaintext size limit than Damocard Zerich. This forces them to chunk the input into smaller pieces and they need to chunk in at least six psychotext for their scheme to work. Raketsky-Goldwasser depends on breaking the key into bits and they end up with one chunk per L bits in the key. However, we only need a single psychotext to import the input to the circuit. Hence, our HSS shares are either a constant factor or a theta of L times shorter than theirs. Next, we present a general framework for HSS constructions that encompasses all the HSS constructions from the literature including ours. HSS is based on the interplay between two homomorphic schemes, an additively homomorphic encryption scheme and an additively secret sharing scheme. Encryption is represented by square brackets. It holds the inputs to the HSS program. Hence, the share function on input X outputs the encryption of X to both evaluating parties. Since the encryption scheme is homomorphic, given cybertex of X and Y, we can generate cybertex with speed reps to X plus Y and to C into X, where C is any constant. The additive shares are used to represent the register or memory values of the RMS program. We see a value Y stored in the program if the parties have additive shares of 5 times Y, where 5 is the private key of the encryption scheme. Although 5 times Y is the difference of the shares to the parties, it's conventional to call them additive shares instead of subtractive shares because they are additively homomorphic. Similar to the encryption encoding, given additive shares of 5 times 6 and 5 times Y, we can get additive shares of 5 times 6 plus Y and 5 times C times Y, where C is a constant. There are of course multiple encryptions or shareings of the same value. See equality here essentially means that they represent the same value. They don't need to be exactly the same cybertex or shares. We will next look at how NHS scheme evaluates each RMS operation given the encodings that we defined on the previous slide. To initialize a memory value with 1, the servers use additive shares of the private key 5, which was given to them as the output of the share function. To output a value X, the decode functions can subtract the additive shares of 5 times X and divide it by the private key 5 to obtain X. Addition of memory values and multiplication by a constant follow directly from the properties of the additive shares Hence the key challenge that remains is in how to perform a restricted multiplication. That is multiply and input X with a memory value Y. The essential difference between different HSS protocols is in how they compute the RMS multiplication operation. Next we will discuss a high level approach for how RMS multiplication is carried out in all HSS constructions. This is where the two homomorphic schemes interact. Each party locally raises the encryption of X to their additive shares of Y. By the properties of the encryption scheme, parties hence end up with multiplicative shares of the encryption of XY raised to 5. That is there is some kind of a pioneer mapping between additive secret shares and additively homomorphic encryption. Here we define the multiplicative share of Z to be element Z1 and Z0 and by the two parties such that Z is Z1 by Z0. Hence the challenge of an RMS multiplication now reduces to converting multiplicative shares of the encryption of X times Y raised to 5 into additive shares of 5 times XY. Now note that the decryption algorithm for most additively homomorphic encryption schemes involves exponentiation by private key. For example for YA, when we raise the psychotext of Z to the private key 5, it outputs Psi of Psi Z where Psi is a homomorphism from the plaintext space to the psychotext space defined as Psi of Z is equal to 1 plus NZ. And for L, homomorphism Psi would be defined as Psi of Z is equal to 1 comma G to the Z. From the homomorphism property of the encryption scheme, you also have that Psi must be homomorphic. That is Psi of U times Psi of V will be equal to Psi of U plus V and Psi of U raised to power C would give us Psi of C times U for any constant C. Note that in the challenge problem we have the psychotext of X into Y raised to power 5 which is the first step in the decryption process. Therefore we just need to do the second decryption step which is inverting the homomorphism Psi but on the multiplicative shares. Hence the challenge problem is now to convert the multiplicative shares of Psi of 5XY into additive shares of 5XY. To convert these multiplicative shares into additive shares, we use what's called a distance function that satisfies the following property. Distance of C times Psi of C minus distance of C should be equal to Z probably be at least 1 minus epsilon where C is any psychotext and Z is any plane-text. Given the distance function satisfying this property we can make the two evaluating partners compute the distance function on the respective multiplicative shares of Psi of 5XY. Now note that by the definition of the distance function the difference between the outputs of the distance functions is exactly equal to 5 times 6Y. This describes the complete process of all HSA schemes before precisely how the distance function is completed and it's the epsilon error in the correctness of the distance function that is the cause of the error in the correctness of the HSA scheme as well. Next I'll present our proposed distance function which has negligible error probability for Pi A and Democrat Z-eric psychotext. Next we have our main construction. In our HSS construction we use the Democrat Z-eric public key crypto system to encrypt the input values. This crypto system is based on the addition of length x to multiplication of cyclotix and on its inverse function log. These functions are analogous to e raised to the power nx and log base e raised to the power n but x is defined modulo n to the s less one and log is defined modulo n to the s. Power Cs in nx can have hat max s non zero terms modulo n to the s because the power of s term will be a multiple of n to the s. Hence the Taylor series for log and x become finite sums. Using the finite sums it can be proven that x and log are inverse functions of each other and are homomorphisms. This is analogous to how properties of e to the x and actually log of x over the real numbers can be proven using the Taylor series. These homomorphisms are then used to define the Democrat Z-eric homomorphic encryption system. Each algorithm takes as input the security parameter kappa then samples two primes v and q and outputs the public key n equals v times q and the private key phi equals minus one times q minus one which is the output of the Euler-Dotion function on input n. The size of the primes v and q is chosen to ensure that the Democrat system has kappa bits of security. The encrypt function applies the homomorphism x on the input x and then hides the plaintext by multiplying it by r raised to the power ns which is the random perfect power of n to the s. The decrypt function exponentiates the psychotext with the private key to cancel out r raised to the power ns and then it applies the log function which is the inverse of the x function. Finally, the output of the log is divided by phi to extract the plaintext. To prove correctness of this reposition we note that the Euler's theorem exponentiates the psychotext of x by phi, removing the randomness giving just x for phi times the plaintext. This means that x is Democrat Z-eric's equivalent of the homomorphism psi. The x function is easy to invert using the efficiently completed log function which would also be important for the addition function. Computing the log and dividing by phi must then give the plaintext which proves correctness. The C-P security of Democrat Z-eric reposition can be reduced to the standard DCR assumption. We propose a addition function based on the efficiently computed by log function in Democrat Z-eric encryption C. In particular, we define the addition as the log of the psychotext C divided by the output of a function common on input C. Individually we want the addition function here to capture the addition between the plaintext of C and its common point. For this to work, we need the addition function to be well defined and for both parties to find the same common point hence the name common point. To show it's well defined, we need to show that C by log C is in the domain of the log function. Further, to show that the two parties end up with the same common point, we need to show that the common point for psychotext C is the same as for the psychotext C times x for C. Previous DTH or DCI-based HSS constructions take common of C to be the addition of random work where they have a tendency to pick some elements more often than the others. This improves the chances that both parties end up with the same common point assuming that the points are nearer. That is, C is small. However, the error at the DCI is non-inclusive. The output of DCI is always incorrect whenever the two parties do not end up with the same common point. Instead, we propose to set the common function to be the modulo in operation. For this common function, C is well defined. Log is defined for numbers of the form 1 plus nx that is, we need its input to be 1 modulo n. That's exactly what dividing by C modulo n ensures. Furthermore, the common point for both parties will be the same since x for C is 1 modulo n, making C x for C modulo n equal to C modulo n. To state it again, addition function is defined as follows. It's nothing but log of C divided by C modulo n. We next show how the proposed addition function is defined. It essentially follows from the fact that the denominators in both the log functions are the same, and furthermore, log is added to the homomorphic form. Note that we have only shown the thickness of addition function modulo n to the s. A construction may in fact need to convert its output to be integers as it will output additive shares. These additive shares will be used by subsequent modifications. That is, they will be used as exponents. And there is no way to consistently convert the power that is only defined modulo n to the s, because the multiplication order of the psychotext row does not divide n to the s. Next I'll use an example to show when using addition function will actually give correct shares over integers and when it will not. As shown in the figure, consider the case where the two parties have shares of x as 2 and 7 respectively. Taking the difference of the shares modulo n to the s gives 7 minus 2, which is equal to 5. Hence, in this case, the shares modulo n to the s gives 3. At the opposite end, another example is to let the two parties have shares n to the s minus 8 and n to the s minus 3. This is actually taking the difference of the shares modulo n to the s, gives n to the s minus 3 minus n to the s minus 8, which is again equal to 5. Hence, in this case too, the shares modulo n to the s gives correct shares over integers as well. However, if the two parties have shares n to the s minus 2 and 3, then taking them as shares over c This wire is the directness of the addition function. Note that this occurs when one of the shares wraps around n to the s while the other one doesn't. That is, the interval representing x crosses 0. More precisely this occurs when x plus the first shape of x exceeds the bound n to the s. This means that the first shape of x must be close to n to the s for this error to occur. We can bound the probability of this occurrence by x by n to the s for a random shape of x. When x is bounded, we can make this probability of error negligible by choosing n to the s to be sufficiently large. When the error does not occur, the modulus does not matter and the addition function will successfully output in future shares of x. Next, I'll summarize our entire HSS construction using the addition function that we just defined. To share and input x, we output democrat's euric encryptions of x to both evaluating parties. When evaluating the R-instructor, we get addition of memory values and multiplication by constant for free because each memory value is essentially nothing but the additive shares of y times y, where y is the memory value. To multiply and input x with a memory value y, the parties exponentiate an encryption of x to additive shares of y. This gives the parties multiplicative shares of x of y times x of y. Applying the addition function on these multiplicative shares, the parties obtain additive shares of y times xy over integers with 1 minus nil is your probability. And to decode a memory value z, we subtract the additive shares and then divide it by the private e5. So, we introduced two new applications for our HSS construction and the proposed distance function. Firstly, we propose a two-server malicious secure ORAM with constant bandwidth low. So, we get by defining what's an oblivious RAM and ORAM consists of two protocols, a setup and an access. Using setup protocol, a client can outsource a set of data blocks, particularly n data blocks to one of those servers. And in the access protocol, the client can input any index i and it can access the i-th data block by interacting with the servers. The security requirement of ORAM essentially requires two constraints to be met. Firstly, correctness, which states that the ORAM data structure that is maintained by the servers is updated correctly after each client read and write access. Secondly, we want privacy to be implemented. That is, the client index i should be hidden from a malicious server. Our proposed ORAM construction is based on a single server, anion ORAM construction. Due to lack of time, I won't have time to tell you all the details of anion ORAM and our ORAM construction. But here I'll present a high-level invitation for three-based ORAMs, which is essentially the class of ORAMs that anion ORAM belongs to. So, for three-based ORAMs, the ORAM data structure consists of a tree where each node in the tree is a bucket. Each bucket in the tree consists of a match of fixed number of real or data blocks. And to access a specific real block, the client essentially scans one specific path which contains that data block. And after accessing, the updated data block is placed in the top bush bucket. So, to ensure that none of the buckets overflow with real data blocks, all three-based ORAMs have what is called as an eviction algorithm, which involves percolating data blocks towards the leaves to avoid overflow. Particularly using an efficient eviction algorithm and using server-side computation, anion ORAM achieves constant communication overhead for blocks of size at least locked to power 6n. In our two-server ORAM, we essentially secret-share the anion ORAM tree data structure among the two servers. Here, the secret-sharing is essentially analogous to the memory values of the RMS program computation. Hence, to implement each ORAM operation, which includes setup, access and evict, we essentially propose RMS circuits, which can be evaluated using our HSS construction. So, all these ORAM operations have a select sub-protocol as the key-building block, which I focus on from now on. So, essentially, in this sub-protocol, the server holds m-additive shares of y1 up to yn, and the client inputs an index i. And we want the protocol to output additive shares of y sub i to the servers while hiding i from the servers. And we manage to do the select operation by just sending a single ciphertext from the client to the servers. And essentially, we send an encryption of the index i. The servers can interpolate a polynomial through the points i comma yi. And the servers essentially need to evaluate p of i, which would essentially output a share y sub i. Furthermore, note that polynomial interpolation is a linear operation. Hence, we can use an RMS circuit to evaluate p of i. Specifically, to keep the bound of our RMS program small, we specifically use the Newton's polynomial interpolation method. And essentially, to evaluate Newton's polynomial interpolation method efficiently, we keep an efficient RMS program, which is based on a modification of the Horner's rule. And to sort of conclude, based on this optimized select operation, we propose a two server malicious secure ORA based on our HSS construction, which achieves constant bandwidth lower, but for blocks of size, at least log to the forend. We next present an application of a distance function called random hash functions or TTS. So, this is a generalization of the usual notion of TTS to support linear functions over ring elements instead of bits. Tractor functions like one party generate a key pair from a linear function f, where the public key must hide the function f completely. Public and private keys can be used to compute secret shares of the output of the function, even though the key's owner is only given a hash of x. Dateling et al. use tractor hash functions to build rate one oblivious transfer. If a single fi is set to one and the others are set to zero, and the second party reveals its share e at the end, the first party receives the single element xi. If public e pk is used many times, its fraction of communication goes to zero. Similarly, if h is used for many different public keys, the fraction of communication for h goes to zero. Combining these two ideas makes the protocol have a rate one, as the communication is dominated by e, which is at the same size as the output. Using this protocol recursively, do it like et al constructed an efficient PIR as well. We can construct a tractor hash function based on a DC function. It depends on the defi element problem being hard modulo n square, which follows from the DCR assumption. This requires the factors of n to be kept secret. So essentially, we need a common reference that is democrat Zuri public key, where nobody knows the corresponding private key. In the public key, ga raised power secret key is used to hide the function coefficient fi. This is roughly an lgmal encryption of fi, where sk is a private key. Hash is the usual discrete log hash function, masked with a random value r to make sure that inputs are completely hidden. For correctness, first notice that if all fi's are zero, then they are doing a defi element key exchange to get the input to test, but with an extra group elements. Four parties will end up with the same group element, so this will essentially produce shares of zero. For non zero fi, x of fi will get multiplied into PKI. This will get exponentiated by x i and so contribute fi into x i to the final result. Previous constructions of tractor hash functions from TCR have non negligible correctness error. When f uses the ring zn to the s, we have no correctness error. For other modular, we can use the modular removal trick from before, which gives negligible correctness error. To conclude, essentially construct a new HSS scheme from democrat Zuri encryption scheme, which gives negligible error probability and allows for exponentially large message spaces. We define a new distance function, which is based on the algebraic properties of the psychotext group of democrat Zuri. And we also give new applications for additional function and HSS construction. Specifically, we design two server oblivious RAM scheme and we also design a new tractor hash function. A few things from the paper that we couldn't cover in the presentation are essentially we give a two-part HSS scheme to support additive decoding as well. And secondly, we extend the traditional HSS definitions to account for a few new properties of HSS schemes, which includes proving that the shares are authenticated. That is, if one of the evaluating parties was malicious, then the decode algorithm will be able to detect inconsistent shares and fail in that case. Further, we extend the definition of eval, which not only take as input the entire program P in one group, but we also allow for K by KT evaluations of our RNA circuit. This makes HSS suitable for online algorithms like oblivious RAMs, then O-RAMP will use both these new properties of HSS to prove our security. Thank you.