 Hello, welcome to this teaser for a correlated suit around in this from expand accumulate codes by a let boyle. You feel boa. You bother shy. He's a call myself Nicholas rash and Peter Scholl. So this talk concerns multi-party computation when we have say two parties house involved each holding their own private inputs, but unfortunately don't trust each other. However, together they would like to communicate back and forth such that they can compute the value of some function f applied to their private inputs. But they want to do this in such a way that nothing more is leaked about their private inputs. Okay, and for this talk, I'd encourage you just to think of the case of two parties. So this work will fit into the NPC with pre processing paradigm. So what is this basically has been known for many years that if Alice and Bob were given some pre shared randomness which satisfies the useful correlation say from a trusted dealer. And then we could obtain very fast even information theoretically secure NPC protocols, basically by going gate by gate through a circuit describing the function they wish to compute and consuming the randomness as required. However, unfortunately, the traditional methods for actually sharing this required pre shared randomness are very inefficient. And this is actually the main bottleneck and these protocol designs. In the last six or seven years, a new idea has emerged where basically instead of requiring full pre shared randomness, we try to compress it in such a way that maybe after decompressing it, it's only pseudo random, but then this compression of the required pseudo randomness can be much more efficiently shared. So, let's make this a bit more concrete. So, firstly, it was suggested to construct or called pseudo random correlation generators, or basically the idea is that Alice involved. It could use some sort of protocol to share very short C's SA and SB, and then silently with no more communication, they can expand them into longer strings, and these longer strings that will have many instances of the required correlations that they can then use when running their protocol. Now, just as you know, we can go from pseudo random generators to random functions, we can also go to pseudo random correlation functions here basically Alice and Bob will get to keys, K and KB, and then they can get point wise access to say an exponentially long string with a whole correlated randomnesses which they can use while running their protocol. Now, notice that the pseudo random correlation generators all the work is done in the offline phase whereas in pseudo random correlation functions pretty much all the work is done in the online phase, when they have to actually obtain the pre shared So in this work we suggest sort of a more equitable distribution of the work between the offline and the online phase, constructing what we term offline online PCG. So here Alice and Bob will initially share what we call offline keys and then run some silent offline algorithms, which expand their short offline key into some long strings why and why be. And this can be done very efficiently ideally more efficiently than what would be done for a PCG. So for these strings why and why be that they construct are not actually of the desired target correlation. However, when they do need some, some of the randomness from the desired target correlation, they can run a very fast online algorithm, and these online algorithms only require about, you know, say looking up 10 coordinates from why a. And again these online algorithms are done without any communication. So the online phase is also much faster than would typically be the case for a PCF. I'll try to give a brief hint as to how we could construct these things. So let's focus on what we call the bull a correlation, which essentially means that Alice and Bob have an additive secret sharing of a scalar vector product. And it's been known, it's known how to actually compress this. So long as the vector a here that Alice receives is guaranteed to be sparse. So we have some sort of black box, which fits out vectors a C not C one and be satisfying B times a equals C not plus C one. And furthermore a is guaranteed to be sparse, but aside from that they look uniformly random, they look as random as possible. Okay, so what can we do to try to convert this into a genuine bull a instance. Well suppose that we have some linear math age, and we apply it to all the vectors that we obtain. Notice that the output then will still satisfy the be times a equals C not plus C one correlation. And furthermore, assuming H is you know, not to structure doesn't have any weird behavior. So it's just to suspect that H times a will look uniformly random. And indeed this is exactly what the LPN assumption tells you if H is chosen uniformly at random. However, we can try to be a bit more aggressive you know we have some desires in terms of constructing these PCG in terms of efficiency. How could we add maybe some structure to H, while still making this whole thing work. So this is exactly what we do we construct what we call expand accumulate codes, which have very nice desirable properties. So firstly, in the offline phase we just need to basically compute a prefix sum of the vector which we have received, which can be done in parallel and in a very manner by prefix sum I mean the prefix of mod two. So this is a very fast operation. And then later when we need to go online all we have to do is look up say 10 coordinates from the pre computed vector this accumulated vector, and then output there some. So this is a very fast online operation with the locality. For there are more we give some security analysis to say that even if this vector here is farce once we apply this matrix H to it, we have reason to suspect that it looks uniformly random to a computationally arbitrary. Okay, that's all I have time to say. Of course there's some more results in the paper you can view the ICR e print if you like, or I alternatively come see me at crypto and I'd be happy to answer more questions and of course the longer talk will have more details. Thank you.