 So, thank you for the introduction and good morning everyone. My name is Ni, I will present our work. This is the new Private Set Intercession Protocol from our SPARS OT Tensions. And this work with Ben Ni and Avishe from Bayer Island University and Mike from Oregon State University. So maybe you attended another PSI talk a few days ago and might know what is PSI, but I also want to go through a simple scenario of PSI. So here we have two parties, Alice and Bob, each has a set of items and now they want to compute the intersection of their set on the way that they don't want to leave any information except for the interactions. So PSI has many applications and my favorite one is private contact recovery. In this scenario you have, we have Alice with the phone and a list of her friends. On the other side we have Bob who is the Skype server provider and he has a list of users. And now Alice wants to find out which of her friends use Skype so that she can chat with them. Obliviously, we want to compute the intersection of their database without revealing anything. So they have many and many PSI applications like DNA testing, online advertising, or botnet detection. So before going into our protocol, I would like to discuss about communication complexity of PSI from General Shumpsons. He one-way function and OT hybrid. So the naive solution, you need to compare every item of X to every item of Y. So clearly the complexity is N squared and later several works use hash scheme to map the item into bin and now compute PSI bin by bin, introduce the cost to N log N. A few years ago with Google hashing, the communication cost is upper linear, little omega N, it's still not linear. And this works is the first linear communication PSI protocol from the General Shumpsons, I mean one-way function and OT hybrid. And the work of four novel and Ostrich keys is the concurrent work. So I will discuss about the comparison in more detail later. But for now here is the outline of my talk. First our protocol is based on a P version first. So I will present its functionality and how we use it for PSI. And then I will present our past OT PSI constructions and its experimental numbers. So for simplicity I want to present the random OT where Alice input is just one bit and she receives the OT value which corresponds to her choice. On the other side we have Bob, he receives two OT values from the protocol. And the important thing is that if Bob doesn't know Alice, Bob doesn't know Alice choice bits and Alice doesn't know another OT that Bob has. So this is the functionality of random OT. And now I want to show you how we use it for PSI but it's not a correct protocol that we want to use. So this one is for the PSI with a small domain and the basic idea is that the party will run as many OT instances at the size of the domain. So it means that here we have domain A so we have eight random OTs. And for example if Alice has number one, number three and number eight and indeed her input to the OT depends on her set. So with the domain, so look at first random OT, you can see that Alice has number one. So her input to this first OT is a big one and she receives the M11 corresponding to her choice. On the other side Bob receives two random value OT. So now for the second OT because number two isn't in her set. So her choice bit to the second OT is zero and she got M20. The same thing for number three with the choice bits is one so on and so forth. So now if Bob has number two, number three and number four. So Bob only look at the blue values M21, M31 and M41. And the next step if Bob will permute the value and then send this value to Alice. So Alice also only look at her red value and now there's the comparisons. And you can see that M31 show up in two sets. So number three is the interactions. So this is the just example for PSI using random OT but they have two problems. Only each OT needs communication. And the second one you need to use the OT for every item in the domain. And this one is impractical for the big domain. So how to handle these problems? So I will go to our, I will tell you our solutions using our SPARS OT. But before that I want to like tell you about OT tensions, which is first proposed by Beaver already two decades ago. So the OT, OT is very expensive if you've seen public keys. But now you can have a small number of public keys OT and then extended it to get many OTs as you want using symmetric keys. So that one is very efficient in terms of computations. But you still need to pay 128 bit per each OT. And I also want to go a little bit more detail about how OT tension works. So first party run a small number of base random OT and this one you put the key. And each party gets some random output that they use as a seed. And the next step the party will locally extend their seed to many values through PRG. And the length of the total length of the expansion is the total number of OT instances that they want. So now looking at the OT instant I, Alice somehow can compute her OT output. However to help Bob, our book hits OT values. Alice has to send the OT correction values, which is the value PI here, which looks random to Bob. So having PI Bob now can compute MI0 and MI1. So this is how OT tension works. And now for example, if Alice has number 3, number 7 and number i, she only cares about the red value here, number 3 and number 7 and number i. Similarly, if Bob has number 5, number 7 and i, he only cares about the blue values. So if you use the current OT tensions, you have to send all the PI values for every item i in the domain. And this is expensive, so we want to avoid it. So we have two questions right now. The first question is how to send PI without revealing i. And the second question is we need to generate many OT, many number of OT, but we only care some of them. So we have a new idea to avoid sending the HEAL metric. So Alice puts all of her PI values into the polynomial. So for example, this polynomial goes through the point 3 and P3, where 3 is the in her set. Similarly, 7 and P7 and i and PI. Alice sends the polynomial to Bob. So it's easy to see that if Alice has n items, this polynomial has n coefficients. So it means that sending the polynomial is equivalent to sending n values. So now having the polynomial Bob interpolate that one at the point P to get P5, at the point 7 to get the P7, the OT correction value and i and PI. And the main observation is that if both parties had the same items, first number number 7. So Bob will get the correct correction OT values that Alice has. So with P5, Bob can compute his OT values, M51 and M50 and M51. With P7, he can compute M71 and the same thing for MI. And now on the other side, Alice can compute M31, M71 and MI1. So the parties compare the OT values in the clear. And you can see that both parties have M71 and MY1. So it means they are in the intersections. So we are done with the first questions using the polynomial. And now we are going to the second questions. So recall that both parties have to use PRGs to send their seed to many values. However, we only care some of them. So very simple solution is we replace PRG with the PIF. And we have several tricks to compute this PIF efficiently. But you can see the people how to do it. So we are done with our protocol. For the security, the view of Bob is the polynomial over the correction OT values. And Alice, you heard inputs to interpolate this polynomial. You can see S1, S2, and S3 here. However, because all the PXE randoms. So this polynomial looks random to Bob. Therefore it hides the Alice input set. For the view of Bob, also for the view of Alice. I think the item Y isn't in her set. So Alice never interpolates over this point. You can see Y and PY, the correction OT value PY here. But the point she interpolates is something like here. So we show that if the capital P and small p e4 in the meaning of hamming distance. So the size of the view size should be around 3.5 security parameters. And now the OT magic and Y1 looks random to Alice. So the proof is a bit complicated. So just see the paper for more detail. And the bottleneck of our construction is the polynomial operations. The reason is, you can see, it has the heel degree and the heel size is very big. So similar to previous works, we use hash to be scheme to map the items into the bin. So we have many small degrees polynomials and one per bin. So it's very efficient to interpolation. However, we need to pet the dummy item to hide the actual bin size. So this one increase the communication cost. So we use a specific new hash scheme so that the number of dummy items is only 2% of the set size. So for the comparison. So our protocol, we have two protocol variants. The first one have the big polynomial and the second one is the small polynomial with the hash scheme. So for the first one, we send the big polynomial, which is equivalent to sending n value. So here we have n value to send and n value to receive. So the communication cost is about 500 bits per item. For the second variant, because we use the hash scheme, so they have 2% in number of dummy items. And we use two hash functions. So we have 1.0n sent and 2n received. And the communication cost is about 600 bits per item. Compared to OT-based PSI, their protocol somehow needs to use about 1.5n of private membership. And in which 50% is the dummy items. And they need to use 3 hash functions. So it means they need 1.5n sent and 3n received. Their communication cost is about 500, or about 1,100 per item, which is 2 times more than our protocol. So for Delfi-Helman-based PSI, they need n sent and 2n received. You can see the protocol finger. And their communication cost is about 576 bits per item, which is still more than our protocol. And we are the best, our protocol has the best communication cost. So in summarize, compared to Delfi-Helman-based PSI, our protocol is 10 to 20 times less communications. And we have 2 to 7 times faster in the term of training time. Compared to OT-based PSI, our protocol is 4 to 40 to 50 times less communications. 6 times slower in LAN setting, but 2 times faster in one setting. But our protocol is the cheapest in the measurement of computation and communication cost. And we use Amazon Web Service price for this one. And our protocol is the first linear communication protocol in OT-hybrid and one-way half functions. And the work of four, Noble and Ostrowski is the concurrent work. So if we put our two variants in the computation and communication graph, one variant is here with the loud communications. And another variant with the fast in term of training time. And compared to our previous work, our protocol is cheapest one. So for the LAN setting, we are in this zone. And for the warm setting, we are in the dark zone. So for the future work, you can see that the bottleneck of our protocol is the polynomial operational term. So any alternative solution for that one? And this talk is for semi-honest setting. So can we have a linear communication PSI, but for malicious setting? And the last question pointed out by a reviewer that can we use our SPA OT as the multi-query OPF? Yeah, it's done with my talk. Thank you. Any questions? If you want to further compute on the intersection, is it easy to generalize? Yeah, so right now we send all the OT value in the clear. So this one allows the receiver check whether the, that's one review the intersections, right? So I don't know, I mean, maybe you have another way to send the polynomial. So the party can check the intersection, intersection in some circuit or whatever. So the party will learn the share of the bit, whether they are in the intersection or not. Yeah, thank you. Any other questions? Okay, let's thank the speaker again. Yeah, thank you.