Hi everyone, today I'm talking about Broadcast-Optimal Two-Round MPC with an honest majority, and this is a joint work with Ivan Damgård, Bernardo Magri, Divya Ravi and Sophia Yakoubov. So in this talk we are focusing on two-round MPC in an honest majority setting, and our goal is to optimise the amount of broadcast that we need in these two rounds. So let's start. In this talk we will first give a high-level overview of the MPC definition that we consider in our work, then we will give a high-level overview of our results, and finally we will focus on a specific result and the tool needed to achieve this result.

So let's start with the MPC definition. What is an MPC protocol? Well, it's a protocol between multiple parties; each of them has some input and they want to compute some function. Now correctness ensures us that if the parties behave honestly, then they will recover the output of the function. But some party may be malicious, and in this case privacy tells us that nothing except the output of the computation will be learned by this party. Essentially, the inputs will remain private if the function allows so. So the MPC protocol is realised by exchanging messages between the parties, and at some point the adversary can just refuse to answer any more messages. So we will say that the adversary aborted the computation, and if the adversary aborted the computation, the honest parties can have different behaviours, and based on that we can distinguish different notions of security. So the weakest notion that we can consider is the one of selective abort, which says that if the adversary aborts, some honest parties may abort, while some other honest parties may learn the output of the computation. It is important to notice that even when the adversary aborts, he can still retrieve the output of the computation.
The next notion that we can consider, which is the one of unanimous abort and is stronger than the notion of selective abort, says that when the adversary aborts, all the honest parties will unanimously abort. Also in this notion, the adversary is entitled to learn the output of the computation even if he stops the protocol. So the next notion that we can consider is the one of identifiable abort, which is stronger than the notion before, and which says that if the adversary aborts, then the honest parties will all unanimously abort; moreover, they can unanimously identify the party that caused the protocol to abort. So also in this notion, the adversary is entitled to learn the output of the computation even if he is aborting the computation. Finally, the notion of fairness is incompatible with the notion of identifiable abort, and in this notion, if the adversary learns the output, also the honest parties will do so. But if the adversary aborts the computation, we are not guaranteed to identify a cheater. So that's why it's incompatible with the notion of identifiable abort. Finally, we can consider the notion of guaranteed output delivery, which says that no matter what the adversary does, the honest parties will learn the output of the computation.

We will proceed now to give an overview of our results. So let's start with some motivation. First of all, how many rounds do we need to compute an MPC protocol? Well, the answer is at least two, because in one round we can always launch a residual attack. So, usually in the literature, these two rounds are considered as two rounds of broadcast, but broadcast is expensive. So a natural question would be: can we reduce the amount of broadcast that we need in these two rounds? And this question was already asked by Cohen et al., and they did some nice work in the case of dishonest majority, which means that the adversary can corrupt n minus one parties at most.
So in our case, instead, we consider the honest majority setting, where the adversary can corrupt at most n/2 minus one of the parties. Let us start by giving an overview of our results. If we are in the broadcast setting, broadcast in both rounds, then we already know from the literature that the notion of guaranteed output delivery is possible, and there is the protocol of Gordon et al. that achieves this notion in two rounds of broadcast. So now, moving on to another setting and going to the extreme, we don't want broadcast communication in any of the two rounds. So both rounds will be over peer-to-peer communication. In this case, we demonstrate in our work that even assuming a PKI as a setup, the best notion that one could achieve is selective abort. And there is a protocol of Nf et al. that gives a construction for this setting. So then, moving on to allowing broadcast in at least one of the two rounds, we can show that if we allow broadcast in the second round, then the best possible notion that one can achieve is the one of identifiable abort, while achieving fairness is impossible. Finally, if we allow broadcast in the first round, then the notion of GOD becomes possible again. And actually in our work, we show that given any protocol that is broadcast-broadcast, is GOD with honest majority and satisfies some extra property, this is also a protocol that can be run when the second round is over peer-to-peer communication. So these are our results. And now I am going to present the identifiable abort protocol, the one that is peer-to-peer in the first round and broadcast in the second round. Coming back to the table, I am going to present this result, the one highlighted in green. And more precisely, what we are asking ourselves is: given a protocol that is broadcast-broadcast, can we turn it into a protocol where the first round is over peer-to-peer communication?
So can we compile a protocol that is already there in the literature into another one that uses just peer-to-peer communication in the first round? OK, so let's recall our setting. So there are our parties. And if both rounds are over broadcast, then we already have a protocol from the literature. In the first round, they send the first-round messages. And in the second round, they send the second-round messages. Now, what changes if the first round is over peer-to-peer? Well, if the first round is over peer-to-peer, the adversary can send different messages to different people. So he collects in the second round different answers with respect to different first-round messages. This is a scenario that is not handled in the initial protocol. And so the adversary can actually learn some more information with respect to the one he was supposed to know in the initial protocol. So this protocol can be insecure. So we do need a mechanism to make the parties agree on the same first-round message. And the first idea that we can have in mind is to just send this first-round message of the underlying protocol in the broadcast round. But if we do so, then we don't have enough rounds to finish our computation. So this is not possible. So we need another mechanism. OK, what about sending the first round over peer-to-peer communication and then having a magic box that hides the second-round message, and is going to release it only if some particular condition happens. In particular, we can think that with this box are associated some tokens. And these tokens are associated to the first-round message. And so now if the honest parties agree on the same first-round message from the adversary, then they have the same token. And then using this token, they are able to release the second-round message. But if there is disagreement between the parties, then no token is obtained, and the parties cannot recover the second-round message.
So we do need a mechanism to distribute these tokens among the people and also a mechanism to make them agree on the same token. Since the protocol is symmetric, we can just focus on the magic box of Grace. Well, what is the magic box of Grace? It's a Yao garbled circuit, which has hardwired the input and the randomness of Grace. And the circuit that it's computing is the second-message function of the underlying protocol, the one that is broadcast-broadcast. And it will take as input all the messages of all the parties with respect to the underlying two-round protocol, broadcast-broadcast. So if we come back to the analogy with the magic box, we know now that this arrow that goes into this magic box corresponds to the wires of the Yao garbled circuit. So for each wire, we have two possible inputs, the input 0 and the input 1. So coming back to the token analogy, these tokens are just the labels for the wires of the Yao garbled circuit. And now the parties need to agree on the correct label based on the first-round messages of the parties. So for instance, if the message is the message 00110, the parties should have the first two blue tokens, then two green tokens and then a blue token. So to evaluate the Yao garbled circuit, or the magic box, it's fundamental that the parties have the correct token for each wire. And moreover, it is important that the adversary never gets two tokens for the same wire. Otherwise, the security of the Yao garbled circuit is violated. Let's assume that the first-round message is just one bit for simplicity. And let's focus on the first-round message of Bruce. Since the protocol is symmetric, the mechanism will go in the same way for all the other parties. So we are going now to show how the parties agree on the label, which means the token for the magic box of Grace, with respect to the first-round message of Bruce.
It is important to notice that also all the other magic boxes given by all the other parties need to agree on the same bit of Bruce's message. So how do we develop this mechanism? And here comes into place our new tool, which is the one-or-nothing secret sharing. Let's now see in more detail what this one-or-nothing secret sharing is and what are the properties that we need from it. So let's recall our scenario, where there is Grace, who has two tokens, and there is a bunch of parties that will compute the protocol, and they will vote for one of the tokens of Grace based on the bit that they received from Bruce. They have also another option, to vote for the symbol bot if they have no clue about the bit of Bruce. So what do we want, at a high level, from this procedure? Well, we want that one of the tokens is reconstructed, and at most one, because if two tokens are reconstructed the security of the Yao garbled circuit could be violated. And moreover we want that if no bit is reconstructed and the protocol did not go on, then a cheater needs to be identified. So let's proceed slowly and see what are the properties that we need from this one-or-nothing secret sharing. Let's recall better our scenario. Well, we have two rounds of communication. The first one is peer-to-peer, the second one is broadcast. We have Bruce, who wants to share one bit, and based on this bit we want that the parties have one of the tokens of Grace. The parties will vote for the correct bit of Bruce in the second round, while in the first round Bruce will send his bit to the parties. Let's start from a scenario where Bruce is honest. So he will send the same bit to all the parties, and now he will also attach a signature to this bit. If he does so, a malicious party now cannot forge his signature, so he cannot claim to have received a different bit from Bruce. The only thing that they can claim is that they didn't receive anything from Bruce.
So in this case an honest party doesn't know if Bruce cheated or this party cheated. Still, we need to reconstruct the correct token corresponding to the bit of Bruce. And since Bruce is honest, let's say that his bit is equal to zero, we want, by correctness of this protocol, that if the honest parties voted for the bit zero and the other parties voted for bot, then the blue token is reconstructed. This will be the correctness property of the one-or-nothing secret sharing. It's fundamental to notice that the vote procedure will happen in the second round and it's non-interactive. So a malicious Grace cannot interfere with this procedure and try to make the honest parties cast their vote for a different bit. So let's proceed now to another scenario where Bruce is actually malicious. Now, if Bruce is malicious he can actually send different bits to different people. Even when doing this he can be caught in the second round, but maybe this will be too late and he can still retrieve both tokens by doing this. So we want a property that actually prevents this behaviour, which we call contradiction privacy, and which says that if parties voted for different bits then none of them will be reconstructed. So right now Bruce knows that he cannot send different bits to different parties, and he also knows that if he sends nothing to more than t parties he will be caught, but he can still send nothing to just a few parties. And actually right now nothing tells us that by doing this he cannot gain some information about the bit that he didn't send, about the bit one in this case. So we need an extra property, that we call privacy, which says that if no honest party voted for the bit one then no information about the green token will be revealed. So this concludes the summary of the properties of the one-or-nothing secret sharing, which we realised in our work using two levels of secret sharing and encryption.
And this tool can actually be of independent interest. So realising this mechanism is the last part that we needed to complete our protocol. So one-or-nothing secret sharing guarantees us that the people agree on the correct token, and then the garbled circuit can be evaluated or some cheating will be detected. I want to leave you with a summary of our results. So in our work we give both possibility and impossibility results for the honest majority setting when we allow broadcast in one of the two rounds or in neither of the two. In particular, we construct a protocol that actually is identifiable abort when we are allowing broadcast only in the second round, and this is the best security guarantee that we can achieve. And in order to do that we use a new tool that is called one-or-nothing secret sharing, which can be of independent interest. Thanks a lot.
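Added illustration (not part of the talk, and not the paper's construction): the Python script below models only the round structure and the decision rule the talk describes for the vote on Bruce's bit. Bruce sends a signed bit peer-to-peer in round 1; in round 2 each party broadcasts the signed bit it received, or the symbol bot; every party then applies the same rule to the broadcast votes. The one-or-nothing secret sharing itself (two levels of secret sharing and encryption) is not modelled, so Grace's label is released directly by the decision rule rather than reconstructed from shares. Assumptions: five parties with t = 2, the party names, and an HMAC under a key known to everyone as a stand-in for Bruce's PKI signature; all of these are constructed for the example.

```python
"""Toy model of the round-2 vote on Bruce's bit (constructed illustration).

Decision rule, following the talk:
  * one validly signed bit and at most t bot votes -> release Grace's label for it
  * two different validly signed bits               -> Bruce equivocated, identified
  * more than t bot votes                           -> Bruce omitted an honest party, identified
  * a vote carrying a bad signature                 -> that voter forged, identified
The HMAC "signature" is an assumption standing in for a PKI signature scheme.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BOT = None                                 # the bot vote: nothing received from Bruce
PARTIES = ["P1", "P2", "P3", "P4", "P5"]   # constructed party set, n = 5
T = 2                                      # honest majority: at most t = 2 corrupt

# Constructed per-run secrets: Bruce's stand-in signing key and Grace's two
# wire labels ("tokens") for the wire that carries Bruce's bit.
BRUCE_KEY = secrets.token_bytes(32)
LABELS = {0: secrets.token_bytes(16), 1: secrets.token_bytes(16)}  # 0: blue, 1: green


def sign(key: bytes, sender: str, rnd: int, bit: int) -> bytes:
    """Stand-in signature: HMAC-SHA256 over (sender, round, bit)."""
    return hmac.new(key, f"{sender}|r{rnd}|{bit}".encode(), hashlib.sha256).digest()


def verify(key: bytes, sender: str, rnd: int, bit: int, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, sender, rnd, bit), tag)


@dataclass(frozen=True)
class Vote:
    voter: str
    bit: Optional[int]      # 0, 1 or BOT
    tag: Optional[bytes]    # Bruce's tag on the bit; None for a bot vote


def round1_bruce(key: bytes, deliveries: Dict[str, Optional[int]]) -> Dict[str, Optional[Tuple[int, bytes]]]:
    """Round 1 (peer-to-peer): party -> signed bit, or None if Bruce sends nothing.
    An honest Bruce uses the same bit for everyone; a malicious one need not."""
    return {p: None if b is None else (b, sign(key, "Bruce", 1, b))
            for p, b in deliveries.items()}


def round2_vote(party: str, received: Optional[Tuple[int, bytes]]) -> Vote:
    """Round 2 (broadcast): an honest party forwards exactly what it received."""
    if received is None:
        return Vote(party, BOT, None)
    bit, tag = received
    return Vote(party, bit, tag)


def adjudicate(votes: List[Vote], key: bytes, t: int, labels: Dict[int, bytes]):
    """Rule every party applies to the broadcast votes (non-interactive)."""
    for v in votes:                                  # a forged claim about Bruce's bit
        if v.bit is not BOT and not verify(key, "Bruce", 1, v.bit, v.tag):
            return ("cheater", v.voter)
    bits = {v.bit for v in votes if v.bit is not BOT}
    bots = sum(1 for v in votes if v.bit is BOT)
    if len(bits) == 2:                               # contradiction: Bruce signed both bits
        return ("cheater", "Bruce")
    if bots > t:                                     # at least one honest party got nothing
        return ("cheater", "Bruce")
    if len(bits) == 1:                               # agreement: release exactly one label
        (b,) = bits
        return ("label", labels[b])
    return ("no_output", None)


def run(deliveries: Dict[str, Optional[int]], corrupt_votes: Optional[Dict[str, Vote]] = None):
    sent = round1_bruce(BRUCE_KEY, deliveries)
    votes = [round2_vote(p, sent[p]) for p in PARTIES]
    if corrupt_votes:                                # corrupt parties substitute their votes
        votes = [corrupt_votes.get(v.voter, v) for v in votes]
    return adjudicate(votes, BRUCE_KEY, T, LABELS)


def scenario_honest_bruce():
    return run({p: 0 for p in PARTIES})                                  # ("label", LABELS[0])

def scenario_equivocation():
    return run({"P1": 0, "P2": 0, "P3": 1, "P4": 1, "P5": 1})            # ("cheater", "Bruce")

def scenario_omit_to_many():
    return run({"P1": 0, "P2": 0, "P3": None, "P4": None, "P5": None})   # ("cheater", "Bruce")

def scenario_omit_to_few():
    # Two bot votes (<= t) look like two corrupt parties lying, so the protocol
    # goes on; only the blue label is released, the green one is never touched.
    return run({"P1": 0, "P2": 0, "P3": 0, "P4": None, "P5": None})      # ("label", LABELS[0])

def scenario_forged_vote():
    forged = Vote("P5", 1, secrets.token_bytes(32))  # P5 cannot forge Bruce's tag
    return run({p: 0 for p in PARTIES}, {"P5": forged})                 # ("cheater", "P5")


if __name__ == "__main__":
    for s in (scenario_honest_bruce, scenario_equivocation, scenario_omit_to_many,
              scenario_omit_to_few, scenario_forged_vote):
        kind, value = s()
        print(f"{s.__name__:24s} -> {kind} {value.hex() if isinstance(value, bytes) else value}")
```

The rule is deliberately the same function for every party and needs no further messages, which is what lets it sit in the broadcast round: a malicious Grace has no way to influence which label the honest parties settle on. What the script does not capture is why, in the real construction, an adversary holding up to t shares still cannot assemble either label when the honest votes disagree; that is the job of the two-level secret sharing the talk mentions without detailing.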