 Hello everyone. Today I will talk about multi-party reusable non-interactive secure computation from LWE. My name is Ilan Komorgotsky and this is based on joint work with Fabriz Benhamuda, Irish Jane, and Rachel. The motivating scenario for the talk is the following setting. Imagine four parties, one, two, three, and four, that each of them has a private input or private database, X1, X2, X3, and X4. And they want to be able to perform joint computations on their input and they want to make sure that the computations are private. So for instance, party one, two, and three can come together and decide that they want to perform some study on their joint inputs and learn some function F on their respective inputs. And we can imagine that this is done by a single message that is being sent from each of the parties to the public evaluator. You can think of these messages as some magic encoding of the database. And the encoding should not reveal any information beyond the output of the function that you want to compute. And in some later stage, it may happen that some other subset of parties want to perform another computation on their joint inputs. And maybe even at a later stage, new parties join the game and they now want to compute something together with some other party. So we want to support this complicated scenario and allow every subset of parties to perform computation on their joint inputs. And we want to allow parties to join at any point in time. So this sounds like a great thing, but the problem is that even if we think about the simplest setting where there's only three parties and they're fixed and each of them wants to send just one message alpha to the evaluator, then it's already pretty well known that it's impossible to achieve the standard definition of security where only the output of the function on the respective inputs is leaked. Because imagine that one party is malicious and it colludes with the evaluator, then this party can imagine in its head that its input was something else, some x1 prime. And then if this was its input to begin with, then given the two messages of the other parties, it could have learned the value of the function f on a new set of inputs. Which includes the new input as if imagined x1 prime. So this is clearly not something that we want to have. And therefore we need to somehow add something more to the protocol in order to be able to guarantee security. And the solution is actually not that complicated. The minimal thing that is required is to somehow force each party to commit on its input before the beginning of the evaluation. And intuitively this should prevent parties from imagining that their input was something else and thereby learn the value of some function on a new input. So imagine that each party would, before it starts to evaluate functions on its respective inputs, each party publishes on the public bulletin board some encoding of its input. Think of it as a cryptographic commitment, some hiding commitment. So this commitment is already published in the sky. And each party can remember for itself some secrets associated with this commitment. And now these messages that are sent to the public evaluator can be generated as functions of those encodings that are already written to the public bulletin board. And this completely prevents an adversary from imagining that the input was something else. Now with those public commitments in the sky, you can imagine that more parties will can join the protocol even after some of the evaluations had already occurred. And this party can commit on its own input, publish it on the public bulletin board. And at that point it can readily start performing computations with any of the existing parties. So this is in a very high level how multi-party reusable non-interactive secure computation works, which we'll call shortly MRNIST. Slightly more formally an MRNIST protocol will consist of three phases, two of which are going to be phases where MSNG is outputted. And the last phase is just a computation phase. So the first phase, each party will commit on its input. The commitment will output a public commitment that is going to be written to the public bulletin board. And it will also output some secret state that is going to be used in the later computation phase. In the computation phase, a subset of parties is given a function F that they want to compute on their joint inputs. The computation phase of each party will take as input the function, the commitments on the inputs of all of the other parties, and also its secret, its own secret state. This phase will output some public computation message. And then there will be a public function, public evaluation function that will generate the output of the function that we want to compute. This public evaluation function will not use any of the secrets of the parties because it can be made completely publicly. So we'll only use the public commitments and the messages, the computation messages that were sent by each party. And importantly, we want correctness even for parties that join throughout the game, even after some of the parties may have already performed several computation phases. And therefore, we also want the input encoding to be independent of the set of parties that exist in the system. For security, we will consider a standard notion of security, of simulation security. For simplicity, you should imagine a semi-honest adversary, but our results will apply even for semi-monitious adversaries. We will consider static corruptions, namely the adversary commits on the set of corrupted parties ahead of time. And we are in the setting of dishonest majority. In other words, it may be a little bit more convenient to just think of MRNIST as a special type of two-round MPC where the first message of each party is reusable. Namely, it can be reused with multiple round two messages. And also, the set of parties is completely dynamic. Namely, the first round message doesn't depend on the number of parties, their identities or anything like that. What do we know about this problem? So we have a handful of results from various assumptions and various properties. The very early constructions of two-round MPC protocols actually can actually be shown to satisfy the general structure of or the general properties of MRNIST. But the problem is that they relied on somewhat strong assumptions, like IO and witness encryption, which we know how to instantiate based on well-founded assumptions, but still they are highly inefficient and still rely on a collection of assumptions. More modern two-round MPC protocols, for instance those based on multi-KFHE or homomorphic secret sharing, they don't support the dynamics of parties and therefore they do not implement an MRNIST. The notion of MRNIST was brought into spotlight about a year and a half ago by Ben Hamouda and Lin, who showed the first construction from a single standard assumption and they did it from a 6DH. And in this work and the concurrent work by Anant et al that you're going to hear about next, we achieved an MRNIST from LWE. Technically what we do is we identify a complete functionality for MRNIST and we show how to implement it by using LWE, namely we identify a primitive called reusable functionality, which is a very specific form of MRNIST. We show how to bootstrap this specific form of MRNIST to full-fledged MRNIST and we also show how to build this specific protocol, specific functionality from LWE. And as an application we observe that you can use an MRNIST to basically thresholdize every multi-KFHE by using an MRNIST to implement the threshold decryption phase. And as an application we obtain a construction of threshold multi-KFHE scheme with better parameters than what was previously known or better assumptions than what was previously known. So in order to overview the construction let me tell you a little bit about how previous constructions worked and what they needed to assume. So the first two-round MPC construction was based on obfuscation or invisibility obfuscation. And then people observed that if you don't really need the full power of obfuscation, you need something much weaker, you need garbled circuits and some form of witness encryption. So Gargital protocol from 2015 used the witness encryption for NP and the more recent work of Ben Hamoud and Lin, they observed that you only need witness encryption for a particular language and they were able to implement this witness encryption scheme from a standard assumption. And in this work we relaxed the additional assumption on the garbled circuits even further and we showed that you don't really need a full flash of witness encryption but you can actually work with a seemingly weaker primitive that we call reusable functionality. And we implemented using LW. Let's explain a little bit better how IO or witness encryption are used to get a two-round MPC. The main idea in most of these works is to take a general MPC protocol that could have L rounds where L is bigger than two and compress it to just two rounds with the following recipe. In the first round you just commit your inputs with some commitment and in the second round instead of running the second round of the original protocol you obfuscate a circuit that essentially simulates what every party would have done in the previous protocol. Then you obfuscate a circuit that gets all of the previous messages that were sent in the protocol and it generates the next message that the party would have generated if it had seen these messages in the protocol. And GLS-15, notice that you don't really need the full power of IO. You can just garble a circuit that does whatever you want to do, namely simulate the code of each party and you only need witness encryption to intuitively to give the right labels to the other parties so that they could evaluate the garbled circuit. So here it is in a little bit more detail. Let's just assume IO for simplicity. Let's assume the original L round protocol works as follows. You compute the next round message given your input and randomness. You generate the first message and then to generate the second message you collect all of the messages that you saw in round number one and you apply some function next on your input, your randomness, and all of the messages that you saw and you do this until the end of the protocol. How would you translate this to a two round protocol? So the first name idea would be to compute the first round message. That's easy, you can do it. But then instead of sending the second round message, you can't send the second round message because you don't have all of the inputs which are the first round messages of all of the other parties. So you just output a circuit, an obfuscated circuit that has your secrets embedded inside. It gets as input all of the second round messages, all of the first round messages from the other parties and it outputs your second round message. And each party does the same thing for each of the rounds of the protocol. This is clearly insecure because it's only a one round protocol. So what you actually need is to also have a first round where we first commit on your input and then you need to make sure that every message is also associated with the proof that things were done correctly. And so namely now each circuit will get a collection of proofs. It will verify that these proofs were generated honestly and it will generate the next round message along with the proof for the next circuits to verify. So this is how most of these protocols work. And the question is how do you implement this obfuscation and how do you implement the zero-knowledge proof and how do you implement the commitment? Since we are talking about a reusable protocol where the commitment from round one is reusable, you actually want the first round message to contain not a single piece of randomness but a PRF key from which you can derive as much randomness as you would like when you use it in the second round message. Let's try to understand what's the weakest primitive that we can imagine that suffices for construction of MRNs. We call this primitive reusable functionality and it's basically a label exchange functionality. Imagine two parties, Alice and Bob, where Bob has already sent his message so it computed based on the public messages on all of the public information that was sent by now together with its private input X2 and K2 where K2 is the PRFC. It sends a message B to the sky or to the as the next message. And now everybody wants to compute the next message of Alice. What Alice will do, Alice will actually compute garbled circuit that takes as input Bob's message and it will output the second the next message that it would have sent given Bob's message. But Alice will not give this circuit in the clear. It will not use infuscation. It will just use garbling and garbling outputs two sets of labels for the inputs. And what we want is actually for Bob to learn the right set of labels corresponding to its input. So if B was the B0, we want to learn L0. If B is 1, we want to learn L1. So this is indeed the minimal functionality that you need in order to implement the approach that we had with garbled circuits. And this is, we call this primitive as I mentioned, we call it reusable functionality, which is just a special case of MRNIST for two parties. So here again is what we want. We have two parties, Alice and Bob. Alice's input is denoted as X1. Bob's private input is denoted as X2. And we want to output a bit and another string, L sub B, where G1 is some public function of X1 and it outputs two strings L0 and L1. You can just think of these as labels. And B is a bit, which is the output of some public function G2 of X2. So this is what we want. We want to compute an MRNIST for this specific functionality. So this is just a two-party functionality. The idea for the construction is actually very, very simple given previous works. Bob will commit to X2 using the fully homomorphic commitment. So if you can first commit on X2, and now anybody can compute publicly a commitment to G2 of X2, namely to the B to B. And what Alice will do, it has two strings, L0 and L1. It will encrypt both of them with a special encryption scheme that can be decrypted by whoever has a proof that the commitment C sub G2 is a commitment to the right bit. So if B is, let's say, 0, then whoever has a proof that the commitment is a commitment to 0, for example, has an opening, then this person can also recover L sub 0. Bob knows a legal proof that will allow him to open L sub B, the right L sub B. But the problem is that an A proof will just contain, let's say, something like X2, which essentially reveals Bob's input. So Bob will actually need to provide a zero knowledge proof, attesting to the fact that he knows that CG2 is a commitment to the right bit. The way we implemented it is that, first, we implement the commitments as GMSW commitments, and we create this special encryption scheme and proof scheme using ideas from homomorphic commitment literature and the recent two-round statistical standard OT of nuclear scan docking. In slightly more detail, if you remember, the commitments look like a homomorphic commitment looks like AR plus XG, where X is the bit that you want to commit to, and the homomorphic commitment looks like A times some new R, that's a function of G2, plus something that looks like 1 minus B times G. And the important point is that whoever has the opening for the original commitment can also compute an opening for the new commitment. And the encryption is going to be very easy. It's generating LWE sample with a secret SB, and you mask L sub beta with LW secret. And the zero knowledge proof is going to be just a short basis for a specific lattice. By setting up the parameters correctly, you can show that for the right value of B, Bob can indeed find a short basis for this lattice and therefore recover S sub beta. And if B is not the right value, then the linear noisy equation is lost, and therefore most of the information about S sub beta is lost. So this is in a very high level how we build this reusable functionality from LWE. Let me conclude. What we did is we identified a complete primitive for MRNIST. We called it reusable functional OT. It's somewhat analogous to OT in standard secure computation. We also were able to construct a reusable functional OT from LWE, and we have applications for threshold multi-key FPG. One clear open problem is to build a reusable functional OT from something like DDH. This is still open. Finally, I wanted to mention a new work on Eprint, constructing the first maliciously secure MRNIST. This is joint work with Rex Fernando and Eush Jane. Please see Eprint if you're interested. Thank you very much for listening.