 היי, מי נעימי זרן כהן ואני אעבור על ברודקאסט אופטימל 2 ראונד npc. זו קבל של חוון גרעי ובסילס זיקס. הסטין הוא סטיור מולטיפארטי קומפטטיישן, אוהב שיש סטיור פרטיסטים שרקפו פרוטוקול כדי להסתכל סטיור פרוטוקולים על פרוטיינפוץ. הסטיור פרוטוקול תמיד תמיד סטיור, אולי אם סטיור פרטיסט קולוד ותשאר את זה. סטיור פרטיסטי מלכות כתובילים והסטיור. אבל בגלל, אנחנו אוהבים סטיור פרוטוקולי כדי להסתכל. כשאם כל אחד הפרטיסט יתקטה, זה נכון שכל אחד יתקטה. ובספר הרבה כבר, סטיור פרטיסטי יתקטה, שזה נראה שאין מה שפרטיסטים יתקטים. האנסט פרטיסטים יתקטים את הותפים. אףו, זו הוא כבר נראה שאינטרסיה ואינטרסיה הרבה כתבלות שמיילה, פרנסות ולא נכון דברי לא יכול להתעריא כדי אלגר. אז השטנדרטי הסבאות הולכת כפי פרסת הלאה כמו שהצלחת הלאה של אינטרסיה הרבה כתבלות הוא עמוד לסבאות סבאות. במסקרות, אנחנו רציחים לצד קצת הצדה, אבל אנחנו אומרים על האדרסיטה לבוא את הקרוביטציה, אפשר לצליח את התלווה של קרוביטציה. קרוביטציה של קרוביטציה עוד הרבה מטעות, שהגרוביטציה הכרוביטציה של קרוביטציה היא קרוביטציה של קרוביטציה של קרוביטציה. In that case, it is guaranteed that either all honest gets the output from the computation or if the adversary attacks and the honest part is a boat, they will identify at least one of the corrupted parties. A weaker version is security with unanimous abort, where again either all honest parties get the output or all honest parties abort, but they don't necessarily identify one of the corrupted parties as cheated. Even weaker notion of security is called security with selective abort or non-unanimous abort. Here we no longer have the guarantee that all honest parties get the output or not, it could be that each honest party on its own locally gets the output or identify that an attack took place, but honest parties cannot reach to an agreement on whether they all got the output or not. A central question in the study of secure protocols is how many rounds do we actually need in order to compute a function? Clearly one round isn't enough because corrupted parties can simply wait, get the messages from all honest parties, and then complete the execution based on inputs of their choice, and this will break privacy. In the recent years it was shown that in the broadcast model where every party can reliably send a message to all other parties, two rounds suffice to compute any function. The first protocols in that line of work used every cryptographic assumptions like obfuscation or fully homomorphic encryption, but two very elegant works from your crypt18 by Garg and Srinivasan and by Ben Hamouda and Lin showed that the minimum assumption of two round oblivious transfer suffice. This assumption is minimal because if we have the ability to compute any function in two rounds we can compute oblivious transfer as well. While the cryptographic assumptions needed for two round NPC is shown to be optimal, it is not clear whether the usage of broadcast is optimal as well. This leads us to the main question in this work. A broadcast channel is an expensive resource and realizing it using a broadcast protocol will blow up the round complexity. So do we really need that assumption? Can we maybe use point-to-point channels instead of a broadcast channel and still get two round NPC? Can we somehow reduce the usage or the reliance on a broadcast channel? We are not the first to ask that question. Patrick and Ravi showed that any two round protocol that achieves unanimous abort must communicate over a broadcast channel in the second round, as long as there are no trusted setup assumptions. This lower bound, however, doesn't apply in a setting where we have a PKI or a CRS. On the other hand, several works showed that in the honest majority setting, selective abort can be achieved by a two round protocol that only communicates over point-to-point channels. We are now ready to state the main result on this work. We give a complete characterization of the trade-off between the usage of broadcast by the protocol and the achievable security guarantees. All of the lower bound will show hold facing any correlated randomness that is given to the parties, and all of the upper bound hold against any number of corrupted parties and rely on the optimal assumption of two round oblivious transfer. First, if both rounds are computed over a broadcast channel, we showed that the original protocols of Gargantz-Rinivasan and of Benhamudanlin that only claimed security with unanimous abort can be easily extended to achieve identifiable abort and catch cheating parties. Next, we show that unless both rounds are over a broadcast channel, namely if the first round is run over a point-to-point channel, then identifiable abort cannot be achieved in general. On the other hand, if the second round is actually communicated over a broadcast channel, unanimous abort can be achieved. If the second round is over point-to-point, unanimous abort can no longer be achieved in general even if the first round is over broadcast, yet every function can be computed with security with selective abort. But in that sense, the first broadcast round doesn't really bias anything in terms of feasibility, and security with selective abort can be achieved without relying on any broadcast channel and only communicate over a pairwise point-to-point channels. In the remaining of the talk, we will give a high-level overview of the positive and negative results, and we will start with the impossibility results. To recall the lower bounds that we show, given any correlated randomness, if a protocol achieves identifiable abort into rounds, then both rounds must be communicated over a broadcast channel, and if a protocol achieves unanimous abort, then the second round is communicated over a broadcast. It cannot be communicated over point-to-point. We will start by describing the function that was for the lower bound. This is a 3-party function, where party 1 has 2 input bits x1,1 and x1,2. Party 2 has 1 input bit x2, and party 3 has 2 input strings x3,1 and x3,2. The function that they compute first takes the first input bit of party 1 x1,1 and xort with x2. Take copies of that bit and xort with one of the input strings of party 3, where the which input string depends on whether the second input bit of party 1 is the same as the input bit of party 2. This is a weird looking function, and I'm sure that when you first see it, the first question that comes to mind is why, why do we use such a contrast looking function? The reason is that the lower bound turned out to be much more subtle than we expected, and just we used several properties of this function during the proof. In the high level overview, we will use the following two properties. The first is that in an ideal computation of that function, if party 2 and party 3 collude, they cannot force the output to be the old zero string. Stated differently, for any input values of party 2 and party 3, there exists an input value for party 1 such that the result will not be the old zero string. A second property that we will use is that if party 1 and party 2 collude, they cannot learn both inputs of party 3 using their inputs. So by giving their inputs to their inputs to a trusted party, they cannot, they will only learn one output value that cannot reveal both inputs of party 3. To prove the first lower bound, assume that we have a protocol that computes the function with unanimous support, and that protocol communicates over a broadcast channel in the first round, but over point-to-point channels in the second round. Clearly, if all parties are honest, then all parties must get the output from the execution of this protocol by correctness. Now consider a setting where party 1 is cheating, but it actually plays honestly. Party 2 and party 3 are honest and their view is distributed exactly the same as in the previous setting, so they must also obtain the output from the computation, just like before. Now consider an attack where party 1 plays honestly in the first round, but doesn't send the second round message to party 2. Because the view of party 3 is identically distributed in both settings, party 3 must obtain the output from the computation. By the unanimous support property, party 2 must also not abort and obtain the output. Now consider another attack where party 1 plays honestly in the first round, but doesn't send a message to any party in the second round. Now the view of party 2 is identically distributed as in the previous setting, so party 2 must output a value. By the unanimous support property, party 3 must also not abort an output, and therefore we can see that if party 2 and party 3 join forces and collude, they can actually obtain the output from the computation by the first round message of party 1. That means that the colluding party 2 and party 3 can play the protocol on arbitrary inputs, see whether the output is supposed to be 0, and if so, continue playing with party 1 on these inputs. Otherwise, they can change the input of party 2 and play the protocol with party 1 on the new inputs. This would force the output to be 0. So cheating party 2 and party 3 can force the output of party 1 to be the all-zero string, and as we just saw, that cannot be done in an ideal computation of the function. To prove the second lower bound, consider a protocol for computing that function that is secure with a identifiable abort, but doesn't communicate over a broadcast channel in both rounds. For what we just saw, the second round must be communicated over broadcast, so we can assume that the first round is over point-to-point, and the second is over broadcast. Now consider the following attack. Party 3 is cheating. It plays honestly towards party 1 in the first round, but doesn't send any message to party 2, and it ignores the message it received from party 2 when it computes its second round message. It plays honestly otherwise. There's a dual version to this attack, where party 2 is cheating, and ignores the message from party 3 and doesn't send anything to party 3 in the first round, and plays honestly otherwise. Looking at the view of party 1 under these attacks, we can see that the view is identically distributed in both settings. That means that party 1 cannot abort. Party 1 must output a value. If party 1 aborts, it must blame one of the parties, and at least in one of these settings, the party that party 1 is blaming is an honest party. Now let's see what an adversary that corrupts both party 1 and party 2 can do. The adversary will emulate the previous scenario towards party 3. That means that party 1 will send their first round message, but party 2 won't. After party 3 sends its second round message over broadcast, we can see that the adversary received all of the messages that party 3 will send without playing party 2. That means that now the adversary can play in its head party 2 on two different input bits. By the structure of the function, we can see that in that case, the adversary will learn both of the inputs of party 3, both input strings of party 3, and this is something that cannot be done in an ideal computation of the function. There are many missing details in this high level overview, so I recommend looking at the paper for all of the nice subtleties. It's a nice attack. The second part of the talk is about the possibility, the feasibility results that we have. Namely, we show that given a two-round oblivious transfer protocol in the CRS model, every function can be computed with identifiable abort by a protocol that communicates over point-to-point in the first round and broadcast over the second round, and every function can be computed with selective abort without using broadcast, by a two-round protocol over point-to-point channels. We first recall the structure of two-round protocols. These are very simple protocols. At the beginning, every party computes its first round message as a function of its input and random coins, and sends the message to all other parties. Given all of the first round messages and its input in coins, the party computes its first round message as a function of its input and random parties. Given all of the first round messages and its input in coins, the party computes its second round message and sends it to all. Finally, given all of the first round messages, second round messages, its input and its coins, the party can compute the output. Our constructions are based on the compiler from the work of an antithile that we mentioned earlier. They worked in the honest majority setting and compiled every two broadcast round protocol into a protocol over point-to-point channel that is secure with selective abort, and if the second round is over broadcast, secure with unanimous abort. The main idea is to guarantee that if any of the parties is cheating in the first round, then no party will be able to continue with the computation. We adjusted the compiler to the dishonest majority setting. At the compiler level, it only required syntactic changes, but we had to work a little bit in the proof. The main idea is as follows. First, given the two broadcast round protocol, every party computes its first round message and sends it to everyone over point-to-point channels. In addition, a party takes the next message function for the second round, hardwires its input and random coins, and garbled that circuit. The input to that circuit are all of the first round messages the party should receive. After garbling, the party gets the garbled circuit and the garbled labels, and for each input wires, it shares each garbled labels using an n out of n additive secret sharing. Finally, in the first round, the party sends to each of the other parties the corresponding shares for each of the garbled labels of the input wires. In the second round that is over broadcast, first the party receives all of the first round messages, then it broadcasts the garbled circuit, and for each input wire, the corresponding share according to the messages that it received. Once receiving all of the second round messages, the party can reconstruct the relevant labels, evaluate the garbled circuit for each other party, to obtain its second round message. Using those messages, it can compute the output. The main idea of the proof is that if in the first round all parties follow the protocol and send the same message to all others over point-to-point, then the parties can later on reconstruct the labels for each garbled circuit, and the security reduces to that of the original broadcast model protocol. If however, one of the parties sends different messages, inconsistent messages to different parties, then no party will be able to reconstruct the labels for one of the garbled circuits. In that case, all parties will abort. As we said, a similar compiler was used by Anant et al for the honest majority setting, but also by Garg, Ishae and Srinivasan in a semi-honest setting. In both this work, the simulation used specific properties of the original broadcast model protocol, so stated differently, the simulation was not a black box in the original protocol. We proved the compiler is secure for any broadcast model protocol using a black box simulation. To achieve the simulation, we had to come up with a new simulation technique of receiver-specific simulation, and I won't have time to go over it now, so I refer you to the paper for the details. Also in the paper, you will see how to achieve selective abort using the compiler when working purely over point-to-point channels. To summarize, I will put the table of the result. Again, it summarizes the results very nicely, and I will conclude here. Thank you very much for watching.