 This talk is on communication efficient asynchronous multi-party computation with adaptive security. My name is Martin Hirt and this is joint work with Anik Jobar and Jenda Ljuzon. First very briefly, what is MPC? We consider M-parties, T of them are corrupted. The parties are connected to these bilateral channels. And the goal of MPC is to evaluate the circuit where each input is given by one of the parties and the output is revealed to entitled parties. In the literature one considers several models with respect to the network. One distinguishes synchronous channels and asynchronous channels. In synchronous channels the delay of the channels is bound by an unconstant whereas in asynchronous channels messages can be delayed arbitrarily. Messages can even overtake each other. The adversary can control the delay of messages. With respect to corruptions one distinguishes static corruption and adaptive corruption. Static corruption means that all parties are corrupted right at the beginning of the protocol. Whereas in adaptive corruption the adversary is allowed to corrupt parties during the protocol execution and he chooses the parties to corrupt depending on information gathered so far. With respect to security one distinguishes computational security and information theoretic security where computational security usually is based on some hardness assumption and the adversary is assumed to be polynomially bounded. Whereas in information theoretic security the security is unbounded without assumption. In this work we consider the asynchronous network model and we allow the adversary to adaptively corrupt parties and we are after computational security. In this model the best possible corruption threshold is T-small at NOV3. A little bit of history. Asynchronous protocols with T-small at NOV3 were first introduced by Mino, Kellerman and Raybin. They achieved adaptive security at some communication complexity which was very high. Later on myself Nielsen and Schütateck presented a statically secure asynchronous NPC protocol that communicated N to the 3 per multiplication gate and we improve this later to N squared. Patra, Houdari and Rangan presented an adaptively secure NPC protocol that communicates N to the 5 and Houdari and Patra presented a statically secure NPC protocol in the asynchronous model that assumes somewhat homomorphic encryption and communicates only linear per multiplication gate. This was further improved by Korhan by assuming fully homomorphic encryption where the overall communication complexity does not depend on the circuit size. Houdari presented an adaptively secure asynchronous NPC protocol that communicates O of N to the 4 per multiplication gate. As said in this work we focus on adaptive security and what we achieve is adaptive security against a cryptographic adversary. We achieve standalone security and we do not assume somewhat of fully homomorphic encryption. We have two protocols in the paper. The first protocol tolerates T-small at NOV3 which is optimal in that model and communicates O of N squared per multiplication gate. Note that this is the same communication complexity as is needed for static security if you don't want to assume somewhat homomorphic encryption respectively fully homomorphic encryption. Our second protocol tolerates slightly less corruptions and it has linear communication complexity and it assumes secure erasures, non-interactive serial knowledge proofs and atomic send. Atomic send means that the party can send a message to all other parties where if the party is honest then the message arrives at all other parties. If the party is malicious then the adversary chooses what happens but the adversary cannot corrupt the party during the send operation. We follow the CDN approach which means that we assume a homomorphic threshold encryption scheme and we assume that the secret key of that scheme is initially shared among the parties. Then in order to provide an input to the computation the party would encrypt the input and send the encryption to everybody and prove plain text knowledge. Addition of course is for free by exploiting the homomorphism of the encryption scheme and for multiplication we will employ some sub-protocol. In order to output we use threshold decryption towards the entire parties. So first each party encrypts its input, proves plain text knowledge and then we go through the circuit. Additions for free multiplications with the protocol. Finally we have an encryption of the output which is then threshold decrypted towards the entire parties. We employ circuit randomization by beaver which means that in some preparation phase which is independent from the concrete circuit the parties prepare a bunch of triples ABC. A triple ABC are three encryptions where the plain text of the first two encryptions multiply to the third encryption. And then of course in the computation phase we can use these triples for addition which is just the homomorphism of the encryption scheme and for multiplication in order to multiply two values to encryptions X and Y the parties pick the next triple ABC and then they encrypt X minus A and Y minus B and one can see that the product X times Y can be written as a linear combination of the ciphertext ABC which can be computed non-interactively. So this means that multiplication boils down to two public reconstructions. Now how do we prepare these triples? So first of all the parties generate the random A. Therefore each party Pj produces a random HA encrypts it and pro-casts asynchronously that means A casts big HA. Furthermore the party starts bilateral proofs interactively to prove plain text knowledge of HA. Then the party run an agreement on a core set protocol in order to find at least N minus T parties who did the first step correctly that is each party votes for a party to be in the core set if the party received the A cast from that other party and also accepted the proof of plain text knowledge. Then all the parties compute A as the sum of the HA's from the parties in the core set. Then the parties produce the B and the C simultaneously for the B the parties just follow the same approach as for the A and for the C as now the A is known already each party provides a Cj which is the Bj times A plus some randomization so the Cj will contain a plain text which is the product of the plain text of A and the plain text of Bj. Again the parties start bilateral proofs of plain text knowledge of Bj and multiplication proofs of Cj. Then the parties run again a core set agreement protocol to find a subset of at least N minus T parties who did step 4 correctly and then they compute B as the sum of the Bj's in the core set and C as the sum of the Cj's in the core set. One can easily verify that this triple ABC is now a correct multiplication triple and that the adversary does not know the plain text of A or B and of course not of C neither. About the communication complexity the first step requires all of an ACAST operations then in the second step we have one ACS, steps 4 and 5 equivalently and now by running this protocol multiple times in parallel we can amortize the costs of ACS and of ACAST so we have two ACS's overall at the cost of ACAST ACAST if the message so if we want to ACAST multiple messages at the same time then we can amortize the cost of ACAST and we can have linear cost which sums up overall then to cost N squared times kappa. Now we want to achieve linear communication complexity first thing we do is replace the bilateral proofs by non-interactive serial knowledge proofs which means that each party will just ACAST one big message furthermore we assume that in the setup two committees are given to set C1, C2 random subsets of the party sets where the size of each committee is approximately k each party knows if it is in a committee but part is not in a committee to not know who is in the committee and now instead of having each party provide a random HA we have only parties in the first committee provide a random HA and then the sum of the HA still is A and will be known to everybody but only the parties in CI provide an HA we do exactly the same thing for the BJCJ pair here just to use a different committee and here we use the fact that the parties just need to send one message and they use atomic send in order to do that this means that if a party is honest, if a party in the committee is honest then it will actually broadcast a valid message with correct non-interactive serial knowledge proofs in it so this brings down the communication complexity instead of NA costs we have now kappa A costs and the costs for NA costs by using a risen paper by blue metal we have costs of poly and kappa times N which then sums up to overall communication complexity O of N times poly of kappa which by just standard techniques can be shown to be equivalent to O of N times kappa now in the computation phase as said before for input the party would just encrypt x A costs x and proofs and x knowledge then exploit the homomorphism multiplication we consume one triple and we need two public reconstructions and then for the output we just reconstruct Y to entitled parties now for these public reconstructions we use the technique by Darmgart Nielsen of O7 namely we reconstruct N minus 2T encryptions at the same time in parallel therefore we first expand these N minus 2T encryptions with a linear error correction code to N encryptions and now each encryption is reconstructed towards one party and the party will then send the plaintext YJ to everybody and everybody then receives a whole bunch of such YJs applies error correction and can reconstruct the values X1 up to XN minus 2T the communication complexity of this protocol is N squared but as we reconstruct O of N ciphertext at once this amortizes to O of N per multiplication now is this adaptively secure? well of course it's not if an honest party provides some input this means that it A costs an encryption of the input now in the simulation the simulator does not know that input if the party is honest and the simulator would just present a random encryption to the adversary but later the adversary could corrupt that party and then the simulator needs to explain how this encryption contains the value the input value of that party and of course the simulator cannot so this is not adaptively secure in order to achieve adaptive security we use this trick by Darmgart Nielsen of O3 the basic idea is that a setup assumption we assume to have a constant encryption of 1 we call this K and then in order to encrypt the message M with respect to this K we just multiply K M times and we add an encryption of 0 in order to randomize so clearly this gives an encryption of M if K is an encryption of 1 however in the simulation we will in the setup assume that K is not an encryption of 1 but K is an encryption of 0 so thereby in the simulation all values are 0 the inputs are encryptions of 0 outputs everything is encryptions of 0s so this is pretty easy to simulate right? however one problem we have now of course is that in the simulation the output Y will always contain 0 and this is not the same as in the real world so what we do here is we will not reconstruct the output Y but we will reconstruct the value Y plus M where M is constructed in such a way that in the real world M is an encryption of 0 and in the ideal world M can be chosen by the simulator the basic idea here is to assume an additional value R to be part of the setup where R in the real world R is an encryption of 0 and in the simulation R is an encryption of 1 and then the parties will encrypt some M with respect to R where this M is somehow I will not explain here how chosen by the simulator now clearly ER of M in the real world contains 0 because R is an encryption of 0 so in the real world this does not change the output whereas in the ideal world the simulator can choose in his contributions Mj in such a way that M will contain the plaintext he wants and thereby can open the output value of the computation as desired now there is a second problem if all encryptions contain a 0 then of course the inputs given by the adversaries cannot be extracted so the simulator cannot find the inputs that the adversary gives into the computation in the real world and so he cannot give these inputs to the functionality but this can easily be solved by just adding a UC commitment to the input stage so if a party wants to give an input not only he needs to provide an encryption with respect to K of that input but in addition the party also needs to use the commit to that input and prove in zero knowledge that the commitment contains the same value as the encryption let me conclude we have presented two protocols the first protocol is for the asynchronous network with the GIFs adaptive security and it communicates N squared per multiplication this is as efficient as the best known protocol not using SHG or FHG but our protocol is adaptively secure then we have presented the second protocol still asynchronous network adaptive security and with linear communication complexity here we have to pay a price on the corruption threshold so T is slightly smaller than NOV3 we need to assume eracious non interactive zero knowledge proofs and atomic send it's an open question to achieve adaptive security with linear communication complexity in the standard model