 and there we'll give a tour. Okay. Can you hear me? So, today I will talk about the paper entitled "How to Circumvent the Two-Ciphertext Lower Bound for Linear Garbling Schemes". This is a joint work with Carmen Kempka and Kotaro Suzuki. All belong to NTT Corporation. Here's the agenda of this talk. First, I introduce a lower bound and briefly explain our result.

First, let's get started by introducing the garbling scheme. The garbling scheme is a mechanism to evaluate a circuit without knowing truth values. For example, we consider garbling a single AND gate, a single AND gate. The left side is represented as a plain AND gate and the right side is a garbled AND gate. Each truth value is encoded to a K-bit random value, KA0 and KA1, and this is a random value so one cannot invert the truth values. And in this example, the garbled gate contains four ciphertexts. Each ciphertext contains one of the output keys and one can decrypt one of the ciphertexts in evaluating the circuit, in evaluating the garbled circuit. For example, the input is zero and one, the output is zero, and in the garbled circuit, the input is KA0 and KB1 and one can decrypt the second ciphertext and so obtain KC0. The classical scheme, proposed by Yao, contains four ciphertexts per gate and each element is K bits, so this contains four K bits per gate.

There have been several studies to reduce the ciphertext size. For example, GRR3, GRR2, FreeXOR, FleXOR, and recently Zahur, Rosulek and Evans proposed a half-gates scheme that is the most efficient. This costs two K bits per AND gate and zero bits per XOR gate. In addition to proposing the half-gates scheme, Zahur et al. also proposed a lower bound on the size of the garbled circuit.
They first define the linear garbling scheme that captures all practical, efficient garbling schemes and they say, they propose a lower bound that says a linear garbling scheme must have two K-bit ciphertexts per gate and of course, as shown in the previous slide, half gates achieves the bound, so half gates seems to be optimal from the lower bound. However, in this paper, we propose a linear garbling scheme that requires three less than two K-bit ciphertext per gate. You may think that this result is a contradiction of the lower bound, but we think that this scheme does not contradict but rather circumvents the lower bound, because the proof of the lower bound implicitly assumes that each element, each ciphertext, is K bits, but our scheme requires only one K-bit element but actually does require four two-bit ciphertexts, so the total is five ciphertexts. So we think that our result does not break but circumvents the lower bound.

Next, we want to explain how to garble a single AND gate. Before I explain precisely, I'd like to introduce one basic observation. In a garbling scheme, we often use a K-bit element as a key and ciphertext and so on. And a K-bit element can be regarded as an element in not only GF(2^K) but also Z_{2^K}. It means that we can use two operations on K-bit elements. One is the operation in GF(2^K), which is bitwise exclusive-or. It means that, for example, 0011 ⊕ 0011 equals all zero. And the other is integer addition. For example, 0011 plus 0011 equals 0110. Which is different from the other.

Okay, we explain the setting of garbling a single AND gate. We will try to garble a single AND gate with a single K-bit ciphertext, G. And for efficiency reasons, we want all operations to consist of a hash function, plus and ⊕. Okay, next, I explain how to garble AND gates. We give an illustration of evaluating a garbled AND gate.
First, there are four cases in the input: 00 keys and 01 and 10 and 11. These keys are evaluated with ciphertext G and finally, one obtains the output key. For now, we consider AND gates, so three of the four input cases should be mapped to the one value and the last case, when the input is 11, should be mapped to the case one. So the first is, we want to define the input/output keys and evaluation function satisfying this map. Otherwise, using a free-XOR-like definition. We first define the one key as the zero key ⊕ delta. And the evaluation is a hash function. If we define so, the second case and the third case map to the same value because KA0 ⊕ KB1 equals KA0 ⊕ KB1 equals KA1 ⊕ KB0. And in addition, to map the first cases to the same value we set the ciphertext G as this. If so, this hash value is canceled and mapped to the same value.

Okay, at this point, the mapping is constructed, but however, this scheme is clearly insecure because from KA0 and KB0, both output keys can be generated, because of course KA0 and KB0 can be evaluated to KC0, and the KC1 value is equal to the hash of KA0 plus KB0 because this equation holds. To avoid this problem, we use plus instead of ⊕ in the hash; we redefine the one key as the zero key plus D. If so, and inside of the hash function we use plus. If so, the one key is to be the hash of KA0 plus KB0 plus 2D, which cannot be derived from KA0 and KB0.

This construction avoids the previous problem but that is still insecure because the ciphertext G is only used in the first case. So if the ciphertext G is used, the adversary may know that the input is 00. So the next idea is I use the ciphertext G in evaluation with probability half. We additionally introduce choice bits B0 and B1, and the output key depends on these choice bits B0 and B1. If so, all evaluation procedure is performed as plus input keys, hash that, and ⊕ ciphertext G with probability half.
So this procedure does not leak the information of the input. This scheme is almost secure, but the remaining problem is that the choice bit of another case should be kept secret. For example, B0 is distributed uniformly random but the joint distribution of B0 and 1 minus B0 is not uniformly random. So we have to hide the other case, or the choice bit of the other case. To solve this problem is very easy. Just garbling B0 and B1 by the classical technique that is introduced in the first slide. The classical garbling scheme requires four ciphertexts, but each of them is not K bits but two bits, because each ciphertext contains BI and the permute bit that is used for the permutation of the ciphertexts.

So then the resultant garbling algorithm for a single AND gate is: the first is to set input keys and permute bits as this. The one key is the zero key plus D, and the permute bit, and then define the output keys by using the choice bits B0 and B1, and finally encrypt B0 and B1 and the next permute bit by using the classical garbling scheme. This garbling scheme finally outputs all keys and the ciphertexts, five ciphertexts. The K-bit element is only the first element and B0, C gamma, B1, C gamma and B2, C gamma, B3, C gamma is all two-bit ciphertext. So this garbling scheme contradicts the lower bound.

Okay, next we explain the case of garbling multiple gates and other types, for example OR or NAND or something. Let's consider this circuit for input AND gate. Input AND gate means that one of the input wires of the gate is also an input wire of the circuit. If so, we can choose the difference D and apply our technique as for a single AND gate. So one K-bit ciphertext per input AND gate. So this number means the number of K-bit ciphertexts. And the other gate we call a mid AND gate. We cannot choose the difference D because D is already defined as a difference of the output keys. So we have to adjust the difference to divide one to the other using another ciphertext E.
So a mid gate requires two K-bit ciphertexts. Next we consider the other types of gate. I don't explain precisely, but OR and XOR, NAND and other standard gates can be garbled in a similar way. And when garbling an XOR gate, we can further reduce the ciphertexts by using the free XOR technique. The result is no ciphertext per input XOR gate and a single K-bit ciphertext per mid XOR gate.

Security is only for this rate. Our scheme achieves simulation-based privacy as defined by Bellare, Hoang and Rogaway. In the paper, we prove the security in the random oracle model. Actually, our scheme may be proved by assuming a variant of correlation robustness, but this assumption is very complicated and very artificial, so we prove the security only in the random oracle model.

So the final is efficiency comparison. The first is comparison in the plain setting. And plain setting means that the topology of the circuit is public and the type of gate is also public. In this case, the most efficient scheme is the half-gates scheme. This requires zero K-bit ciphertexts per XOR gate and two ciphertexts per AND gate. Oh, sorry. For simplicity, we consider a circuit that consists of AND gates or XOR gates, two types of gates. If so, the half-gates scheme costs zero ciphertexts per XOR and two ciphertexts per AND gate. And totally, two times K times the number of AND gates. And in this work, zero or one K-bit ciphertext per XOR and one or two ciphertexts per AND gate. And finally, we obtain the total bits of the garbled circuit here. The left side means the two-bit part of our garbling scheme. And the right side is the K-bit part, and one K bit, one K bit two element is required for the input AND gate. And two ciphertexts are required for mid AND gates and one K-bit element is required per mid XOR gate. So, comparing this result, our scheme is more efficient than half gates if this equation holds.
But this equation intuitively means that the number of input AND gates is larger than the number of mid XOR gates. And I'm not sure, but I think for most realistic circuits this equation does not hold. So I think half gates may still be the most efficient in the plain setting.

And the next comparison is in a semi-private function setting. Semi-private function means that the topology of the circuit is public, but the type of gate, it means XOR or AND or NOR or something, is private. In this setting, the most efficient scheme, the most efficient known scheme, is GRR3. This requires totally three times K times the number of gates and this work costs this one. That is always good, better than GRR3. So in the SPF setting, our scheme is the most efficient scheme. And we know that for theoretical sense, our scheme cannot garble an identity gate. Identity gate means that it passes through one of the inputs. Such a circuit is meaningless, but the classical scheme and the GRR3 scheme can garble such a gate.

This is a time variable result, which is a garbling scheme that circumvents the lower bound. The garbled AND gate contains less than 2K bits, but instead contains an additional four two-bit ciphertexts per AND gate. And efficiency depends on the structure of the circuit. And in the plain setting, the half-gates scheme may still be the most efficient scheme. And in the SPF setting, ours is the most efficient scheme. Thank you for listening.

So any comment or question?

For question, is it possible to have like garbling, but using both representations for different parts of the circuit? So for example, you have a part of the circuit that has a lot of AND gates, you push to your representation. And then once you get to a part that requires more XOR, then you switch to the half-gates approach, which has, could this approach work?

At least now, I have no idea. The half-gates scheme is very complicated and optimized to use free XOR techniques. So it is good, I think.
Well, I mean that you're outputting labels at some point, then those labels, now use them for the half-gates approach instead.

Oh, for now, I don't show how to read. Okay, thank you.

Do you have any ideas on how to sort of restore the free XOR freeness? Like for XORs in the middle of the circuit. That would kind of make your scheme a winner unequivocally. So right now in your scheme, the XOR gates are only free if they're at the inputs. Do you have any ideas on how to make them free everywhere?

For now, I don't have an idea. Sorry.

That's fine.

I think it is difficult because the difference is automatically defined as a difference of the output key. The output key is distributed, distributed uniformly random. So I cannot control the difference for now.

Okay, any other questions? Okay, let's thank you. We are okay.