 Okay, so thank you for introduction. So I'm a Susumu, and I'm gonna talk about exact round of versity of composable two-part computation. So this is a joint work with Sanjum Garg and Omkan Pandey. Okay, so let me start from the introduction, and since this work is about two-part computation, let me first introduce what it is. So in Secure two-part computation, we consider two parties who has a secret input, and our goal is to design a protocol that enables them to compute a function on the secret input. And of course, the requirement is that they can compute function securely. So for example, we require that they compute, they can compute the function correctly, their input remain hidden, or they choose input independently of the input of the other party. Okay, and formally, we define the security of two-part computation by using simulation paradigm. So we consider the real world in which the function is computed by a protocol, and we also consider the ideal world in which the function is computed by a trusted third party, and we define security by requiring that for any adversary in the ideal world, they exist a simulator in the ideal world, such that the ideal world simulator can simulate the view of the ideal world adversary. So this means that we require that any attacks in the ideal world can be simulated in the ideal world, so this guarantees that the real world has the same level of security as the ideal world, okay? And in this talk, we consider two-party computation protocol that sets for a stronger notion of security called the concurrent security. So in concurrent security, we consider two parties who execute many sessions of the protocol concurrently, and actually we also allow them to execute a session with another party, okay? So here, two parties, P1 and P2, execute three sessions concurrently, and P2 also executes a session with another party, P3, okay? And the concurrent security requires that the security hold even in this setting, so in particular, we require that the simulator exist even in this setting, okay? So clearly, concurrent security is more general than the standard standard security, and actually, it is also more realistic because on real network like the internet, protocol indeed executed in concurrent session, okay? However, a drawback of the concurrent security is that it is hard to obtain, and in fact, in the case of a security party computation, it is known that achieving a concurrent security in the prime model is impossible. So this means that if we don't have any trust set up, such as a common reference string, then we cannot construct concurrently security party computation, okay? Then because of this impossibility, many researchers have tried to find a way to bypass this impossibility, and in particular, several researchers have proposed an alternative relaxed security definition on which this impossibility doesn't hold, okay? And in this work, we focus on one of these definitions, so namely, we focus on super polynomial time simulation security or SPS security, okay? So now what is SPS security? So in SPS security, SPS security is actually almost identical with standard simulation base security, but here we allow the simulator to learn in super polynomial time, okay? So here, the idea of our simulator is much, much stronger than the real world adversary, okay? So clearly, SPS security is weaker than the standard polynomial time simulation security, but it is still guarantee meaning security in many cases, and this is because SPS security guarantees that any attacks in the real world can be simulated in the idea world in super polynomial time. So if idea world is secure against the super polynomial time adversary, then SPS security guarantee meaning security. And indeed, idea world is secure against super polynomial time adversary in many cases, such as when computing commitment functionality or water functionality. And in such a cases, we can use SPS security with no problem, okay? Then, let me explain what is known about concurrent SPS security party computation. And actually, we already have a lot of positive result about concurrent SPS 2PC, and in particular, it's asymptotic ground complexity has been extensively studied. So in fact, for now, we know that we can construct constant-land concurrent SPS 2PC under the standard assumption such as the top of the permutation and the collision resistance function, okay? So regarding asymptotic ground complexity, we know how to achieve optimal ground complexity under the standard assumption. So however, even though asymptotic ground complexity has been extensively studied, it's exact ground complexity is not very studied. So in fact, previous work focuses only on asymptotic ground complexity, and the exact ground complexity of the protocol has a large constant, such as the 20, okay? And this is very in contrast to the standard setting because in standard setting, exact ground complexity is also very studied. And we already know that only five-land is optimal for security party computation. So this means that regarding exact ground complexity, there is a gap between the standard-land SPS 2PC and the concurrent SPS 2PC, okay? So motivated with this gap. In this work, we studied the problem of constructing concurrently secured SPS 2PC that has a good ground complexity. So in particular, our goal is to close the gap between the exact ground complexity of the standard-land 2PC and the concurrent SPS 2PC, okay? So now I'm ready to explain our result. So what is our result? So in this work, we show that we construct five-land two-party computation protocol that is secure in that set of concurrent security in the SPS setting, okay? So this means that we show that even in the concurrent setting, the same ground complexity as the standard one is sufficient for obtaining two-party computation, okay? And the assumption we use in this work is a standard cryptographic primitive, such as trapdoor permutation and the loss-interaction. And additionally, we use three-land non-marible commitment that satisfies some extractability property, okay? And we know that from previous work that such non-marible commitment can be constructed from one-way permutation that is secure against a cross-polynome-time adversary. So our result can be based on such a cross-poly-hard one-way permutation, okay? And there are some remarks about our result. So first, our protocol has a five-round in the setting that both party get out of it. And if we consider setting where only one party get out of it, then we can reduce ground complexity further, and in particular our protocol has only four-round in such a setting, okay? And next, currently our main result require cross-polynome-time is harder one-way permutation because we need three-land non-marible commitment. But if we increase the round complexity to seven, then we can remove such a cross-polynome-hard assumption and the protocol can be based on polynomial-hard assumptions, okay? But currently it is open, further we can obtain five-round under the polynomial-time assumption, okay? And finally, I know that unlike in standard setting, currently we don't know whether five-round is optimal for two-party computation in the concurrent SPA setting. So in particular, if we use a stronger assumption such as a sub-explanation-hard assumption, then less than five-round might be possible. So this is also another open question. Okay. So in the reminder of this talk, I'll explain our technique, okay? So first of all, I have to say that unfortunately, our 2PC protocol is quite complex and in particular our protocol is based on a lot of primitives such as a gavel circuit, drop the permutation for round zero-nature argument, blah, blah, blah. So, you know, leading all of this primitive is already hard, so of course we cannot explain, I cannot explain all the detail of here. So in this talk I only explain our technique informally, okay? And also, in this work, to make our protocol as simple as possible, in this work we only consider a simplified setting in which only one party gets output and each party's role is fixed in all the sessions, okay? So in particular in this talk, we consider the setting that the party P1, oh, okay. So in particular we consider setting that P1 gets the output in all the sessions, okay? So, and in this setting, our protocol has only four round and actually we don't need to use normal commitment in our protocol. So if we consider setting which both parties get output, we need to get one round, we need to add one round by using standard technique and if the roles of each party is interchangeable, then we need to add normal commitment to our protocol. But in this talk we ignore this issue, okay? So now let me explain our overall approach. So from previous work, we know that we already have four round two party protocol in the standard single output setting, okay? And we also know that there exists a compiler from a standalone two party computation to the concurrent SPS secure two party computation. So our overall approach is quite straightforward, so we combine these two results and in particular we try to apply the compiler of the concurrent SPS two party and concurrent SPS two Pc to the four round two Pc standard protocol, okay? And however of course we encounter a lot of problems when doing this and I will explain the main difficulty from the next slide. So let me first recall the concurrent SPS compiler of GGJS or GARG, Goyao, Jane, and Sahai, okay? So the compiler of GGJS takes a standard on two semi-on two party computation, type two Pc and compile it by adding a trap the setup phase and witness indistinguishable proof of knowledge in which each party proves that they behave honestly in the two party computation part or they know the trapdoor that is set up in the trapdoor setup phase, okay? And then the simulator of GGJS works by extracting trapdoor by brute force from trapdoor setup phase and give a double eye proof by using trapdoor so that it can simulate the two Pc part, okay? So actually, so the compiler of the simulator and the simulator of GGJS are relatively standard and so they are not so difficult. However, what is difficult in GGJS is the indistinguishable proof between the real world and the idea world, okay? So in particular, since now we consider super polynomial time simulation, the simulator run in super polynomial time. So if we consider a naive reduction that's internally emulated simulator, such a simulator would run in super polynomial time. So we cannot use such a reduction to show the indistinguishability between the real world and the idea world, okay? Then the key idea by GGJS is to overcome this problem by considering a polynomial time hybrid between the real world and the idea. So in particular, they consider hybrid experiment in which the simulator obtain trapdoor in polynomial time by using a rewinding extraction rather than the brute force extraction, okay? Then by considering such hybrid, we can first show that the idea world is indistinguishable from hybrid and because the only difference between them is the way to extract trapdoor and anyway we can show that the same trapdoor is extracted in the hybrid and in the idea world, okay? And we can also show that the real world is indistinguishable from hybrid and a key point here is that both the real world and the hybrid run in polynomial time so we can design reduction in a standard way, okay? So of course they are much more technicality in the external proof but the most important idea by GGJS is to consider polynomial time hybrid between the real world and the idea world, okay? Then let's consider what will happen if we apply the compiler of GGJS to the standard four-round two-party protocol of Cuts and Ostrowski or KO, okay? So first, I know that actually designing a super-polynium simulator for the KO protocol is not so difficult. So the KO protocol consists of a semi-homeless standard two-party protocol and coin tossing and we just indistinguishable proof and the zero-native argument and the simulator work by extracting trap we extract witness from the WIP for zero-native using its argument of knowledge property, okay? So we can design super-polynium simulator by modifying the original simulator to extract witness from WIP or the argument by proof force, okay? So we can easily obtain the super-polynium time simulator for them. So however, even though we can easily obtain super-polynium simulator, we cannot show the indistinguishability in a straightforward way, okay? So in particular, we encounter problem when showing the indistinguishability between the real world and the hybrid. So let me explain what is the difficulty. So to see the difficulty, let's consider what will happen if we change the real world into hybrid in a session by session order. And in particular, we consider setting that the adversary is party two and the two sessions are executed in this specific order, okay? And what is important is this red part and the other part is illustrated in a simplified way, okay? So then, since we change the, when we go into hybrid in a session by session order, we first simulate the session one. And in particular, we change the witness in the WI proof, simulated to party computation part while extracting witness from the argument by rewinding it last to round, okay? And actually, at this point, no problem happen and we can still show the indistinguishability at this point, okay? However, a problem occur when we try to simulate session two, okay? So in particular, when we rewind the zero argument in session one, the WI proof in session two is also rewind because they are executed in a concurrent way, okay? And because of this rewinding, we can no longer use the WI property of this witness indistinguishability, okay? And this is problematic because if we try to simulate the session two, we need to change the witness in this WI proof. So if we can't use witness indistinguishability here, we cannot show the indistinguishability, okay? So you might think that for this specific example, you can solve this problem in some way, but in general, this problem is not so easy to solve. And essentially what we want is witness indistinguishability proof of knowledge that satisfies some witness indistinguishability and even when it is rewind, okay? And you might think that we can use the reset W witness indistinguishability proof here because it guarantees exactly this kind of witness indistinguishability. However, since we also require proof of knowledge property, we cannot use the reset WI here in a direct way, okay? Then we solve this problem by observing that we need to change the witness in the WI proof only on the main thread, okay? So recall that what we want is a witness indistinguishability that holds even when it is rewind, okay? So this means that even if there's a many threat of execution like this, and the WI proof is given in each thread, we need some kind of witness indistinguishability. And our observation is that if we change witness in all the threads, on all the threads, then we need a reset WI. But if, but for in our setting, actually we need to change the witness only here, only on the main thread. And on the other thread, we don't need to change the witness, okay? And this is because we now consider super polynomial time simulation. So the ideal world simulator doesn't use any rewinding. So the ideal world has only the main thread. So you are the words only the hybrid use rewinding. So in the hybrid, the full simulation is needed only on the main thread. And we don't need to do full simulation on the other thread because they anyway disappear in the ideal world, okay? So what we actually want is witness indistinguishable proof of knowledge that's why witness indistinguishability in this setting. And we construct such a witness indistinguishable proof of knowledge by combining ZAP, which starts with WI and the extractable commitment, which starts by extractability, okay? So I want to say the detail of this one. So if you are interested, please see the paper, okay? And there are many, many other technicality in the proof. And each of them is not so significant, but taking care of each of them is not so easy. So you need to pay special attention to this technicality, okay? So this is summary. So our result is a five-round concurrent secure two-party computation protocol. And what is important is that even in the concurrent setting, we use the same round of complexity as the standard one protocol, okay? So this concludes my talk. So thank you very much. We have time for one or two questions. What if you relaxed the three round to the four round? So you have a, so you can use. So yeah, but actually we need some kind of public-coin property also on normal commitment. And I know there's no public-coin for under normal commitment. If we have them, we can relax the round of complexity to four.