 I'm Sam Dittmer and this is joint work on authenticated garbling from simple correlations with Yuval Isha'i, Steve Lu, and Ravya Strausky. Our aim is to improve the concrete efficiency of constant-round malicious security party computation built off of garbled circuits and later authenticated garbling work. The technology that underlies this is what we call simple correlations. Namely, simple correlated randomness that can be generated silently with sublinear communication and with good concrete efficiency. The authenticated garbling work of Wengadal and Kassadal extended Yav's garbled circuits using an oblivious transfer-based form of wire authentication to give malicious security party computation using free XOR in Wengadal and then the half gates of Zahara at all in the follow-up work. We will replace that of T-Machinery with our simple correlations. In the short talk, I will describe a little bit more about what authenticated garbling is and which simple correlations will be used as well as which of the details of the construction from Wengadal and Kassadal survive recognizably into our work and which didn't. And then, as a very quick aside, I will mention the slicing and dicing work of Rosalek and Roy from last year. And it is an open question whether or not this 1.5 table rows per AND gate can be transferred into authenticated garbling. Now, this truth table and the garbling in the semi-honest setting may or may not look recognizable, but the lambdas represent masks that hide from the evaluator the value of the wires. And then additionally, the evaluator will learn exactly one of the wire labels, LA0 or LA1, LB0 or LB1, which allow them to read one row of the table. Now, a malicious party, A, the garbler, could cheat either by mis-malforming the table, or once you add a zero-knowledge proof that the table has not been malformed by a selective failure attack because you are only going to open one of the zero-knowledge proofs based on which wire labels you hold. So, to guard against both of these attacks, you make the values lambda, A, lambda, B, lambda, C, that are the wire masks, to be held as secret shares by both parties. And then you have to authenticate shares of both all the wire labels, or all the wire masks, and then all of the AND gates. Now, the simple correlations we're going to use are vector oblivious linear evaluation of vector OLE or VUL, which machinery has been studied a lot recently and improved for the purpose of a new branch of full-based zero-knowledge proof. As well as multiplication triple-style randomness, which is much more classical, but only recently has been able to be generated silently and efficiently based on ring LPN. I'll mention quickly that there are a number of variants of VUL type and MT type randomness, which can be understood as sort of forming a correlation calculus when described in the full version of this talk. Now, for our construction versus the old construction, we continue to generate shares of authenticated bits, and authenticated shares of AND gates. The authenticated bits can fall naturally out of a silent VUL generation. The authenticated generation of AND gates is more complicated and differs in each of our three constructions. We need various machinery for each of the different constructions we have. Some of them are just improving efficiency, like this one that allows us to pass between statistically secure authentication and computationally secure authenticated bits efficiently. For NISC, we need a conditional disclosure of secrets, functionality in order to authenticate the evaluator's inputs, which is natural for a NISC setting. Additionally, because we are reducing the number of rounds, we can no longer have back and forth communication to authenticate the circuit garbling, and so we have to sort of combine the free XOR technique of Wang et al and the Zahar half gate technique of Katz et al to get the garbling right. And I'm going to discuss one aspect of our construction in a little bit more detail for the VUL type randomness where we change the way these wire masses work. So in the standard construction, B generates N distinct wire masses for each of the N AND gates. Here we generate only L, capital L, where L is a small parameter, based on the statistical security parameter, and then generate all of the remaining wires as a public linear combination of the sort of truly independent wire values. For security, we sort of notice using some combinatorics that if you have row or fewer of these B star entries, they'll all be linearly independent, and so the L security proof goes through that if A were to crop more than row at table entries and almost surely B would abort no matter what. These are our results on this page and the next, and we compare our work not only to Wang et al and Katz et al, but also to those, to the approaches of Katz et al where you sort of graft in some of these simple correlations adding in VUL or empty style randomness and speeds in kind of a naive way to show. So, versus the OOT approach, we are at least five times faster with our best protocol, and around two times faster using our techniques versus a sort of naive application of this correlated randomness. And we get eight times faster the semi-honest cost in the NIST setting. Thank you for your attention.