 Welcome to this talk. This work is about unbounded multi-party computation for learning with arrows. I'm Zhong Zhongjing from Johns Hopkins University. This work is joined with Propagia and Nance, Absek Jian, and Julio Malavota. Multi-party computation is a multi-round protocol between several parties. Each party has some input Xi. And the goal of the protocol is to have these parties to jointly compute some function F. For security, we request that, at the end of the protocol, all these parties can only learn the output of the function F, and anything else about their inputs X1 to Xn are hidden. Previously, there is a long line of works starting the round complexity of multi-party computation. And it is known that two rounds are both sufficient and necessary for MPC. Then a natural question is, what's the dream version of a two-round MPC protocol? First of all, the dream version should be in the plan model. It shouldn't require a trusted setup or a CRS, and it should satisfy the following unbounded party's property, which means the number of parties is not a priority bounded, or its first round message should not limit the number of parties that can be involved in the computation. For the second round message, it should satisfy the following ad hoc computation property. It requires that any subset of parties can join the computation. For example, let's say F is a function that is only both X1 and X3. And the first party holds X1, the third party holds X3. Then to jointly compute F, only the first party and the third party need to be involved in the second round. Finally, its first round message should be reusable. Namely, let's say the computation for some function F is finished. And there is some other function G that these parties want to jointly compute. Then what these parties need to do is not generate a fresh first-round message. Instead, they can reuse the original first-round message for this new circuit G. In this work, we call the MPC that satisfies all these properties as unbounded MPC. Such a notion is in fact subsumed by the previous work of Bernhard Moda and Lin in 2020, where they constructed Mr. MNISC that satisfies all the properties we required. On the previous works, by Mercury and Wix in 2016, they construct two-round MPC, where the first-round message is reusable. However, their construction is in the CRS model, and they don't satisfy our definition for unbounded MPC because we require the protocol to be in the plan model. More recently, the work by Anans Jin and Jin, and also by the work of Batusek, Garg, Mensini and MQG in 2020, they constructed reusable MPC in the plan model. However, in their construction, the first-round message found the number of parties can be involved in the computation. So, they also doesn't satisfy our requirement for unbounded party computation. Then the only prior work that satisfies all the properties we require is the work by Bernhard Moda and Lin in 2020, where they show a construction of Mr. MNISC that satisfies all the properties we required. But their construction is from binary maps, and the binary maps are not post-content secure. So, in this work, we studied the following question. Can we construct unbounded MPC for learning with arrows? And here is our result. We built the first two-round semi-malicious secure unbounded MPC in the plan model for learning with arrow. Now, I'm going to show you more technical details on how we achieve our result. Our key ingredient is the following attribute-based secure function evaluation, or short as ABSVE with public decryption property. Such an ABSVE with public decryption is a two-party protocol between a sender and an authority. The authority holds some input x. Then in the first round, the authority generates some public key pk, which encodes this input x, and it sends it over to the sender. Next, both parties receive some common public circuit c. Then, the sender can use this public key pk and the circuit c to encrypt some message m and obtain some ciphertext. On the authority side, he can also use his private state and this public circuit c to generate some hint h. Finally, anyone with the ciphertext and the hint can decrypt to the message the sender encrypt if c of x equals to 1. We further request that the first round message which contains a public key is reusable. It means that after the protocol exclusion for some circuit c1, if both parties want to exclude the protocol for some another circuit c2, then what they need to do is not to generate a fresh public key. Instead, they only need to reuse the original public key for the circuit c2 and we allow the both parties to reuse this public key as many times as they want. For security, we require both the sender security and the authority security. For the sender security, it means that if c of x equals to 0, then the message m is hidden from the authority. On the other hand, for the authority, we request that the public key and the hint h should reveal nothing else beyond c of x about his input x. Now, let's assume we already have an ABSFE with public decryption property. How do we build an unbounded MPC protocol? Our starting point is any two round MPC protocol pi. Note that we do not require any additional properties of this protocol pi. Then we use it to build the following unbounded MPC protocol. Our starting point is in fact a three-round protocol where in the first round, all these parties doesn't do anything. Then in the second round and the third round, all these parties exclude the original protocol pi. Then we will apply a round compression technique using the ABSFE with public decryption property. In this way, we can compress the second round and the third round to only one round and obtain a two-round protocol. In more detail, instead of computing the second round message of pi in the third round, we gobble the second round message function using our gobbling scheme and output the gobbled circuit with the first-round message of pi in the second round. Now we will encounter a problem. To evaluate this gobbled circuit, we need to obtain the label of this gobbled circuit. But how do we obtain the labels? So the idea is to use ABSFE with public decryption to deliver these labels. More specifically, we will have each party generate a public key which encodes their own input xi. And we have these parties to publish these public keys in the first round. Now we have each party play through as the sender of ABSFE. In this way, they can use ABSFE to encrypt the labels where the function is set to be the first-round message function of pi. To decrypt these labels, we also have each party play through as the authority of the ABSFE. So they can generate the hint where the function is also the first-round message function of pi. Now, after the second round, every party obtains these several texts and the hint of ABSFE. So we can use them to decrypt the correct labels for this gobbled circuit and compute the second-round message function of pi. And this completes the protocol. For more details, you can refer to our paper. In the rest of the talk, I will show you more details on the construction of ABSFE with public decryption. First of all, let me recall the homophobic commitment scheme. In such a scheme, there is a commitment key k, which is a matrix. To commit a bit xi with the commitment key a and the randomness ri, we compute a times ri plus xi times g, where this g is a got-get matrix and ri is a small matrix. Then, given any circuit f, one can do a homophobic evaluation of f over the commitment. And obtain a new commitment of f of x and the randomness is ri rf. Note that this new randomness rf can be deterministically commuted from ri. Given this homophobic commitment scheme, our construction of ABSFE with public decryption is as follows. In the first round, we have the authority to generate the public keys, which contains the homophobic commitment of xi. Then, given the circuit f, both parties can do a homophobic evaluation of this public key and obtain a new commitment of f over x. Note that the authority knows the randomness ri, so he can deterministically compute some rf, which is the randomness of the homophically evaluated commitment. Next, our key observation is that if you concatenate the matrix a with this homophically evaluated commitment, this new matrix has a trapdoor rf, because the norm of rf is small. Moreover, the authority can compute the trapdoor rf. So on the center side, to encrypt the message n, we firstly sample LWE secret vector s and LWE noise vector e, and we compute s times af plus e. And then we take a CDD extractor to extract enough randomness from the LWE secret vector s, and we use this randomness to encrypt this message n. On the authority side, we sample a basis of the dual lattice that is specified by af using a trapdoor rf. To publicly decrypt the self-text, given the self-text and the hint, one can efficiently recover the LWE secret s, since the hint is the basis of the dual lattice of af. Next, once we know the LWE secret vector s, we can recover the message n using the extractor. Finally, let me show you the key idea to prove the sender's security. Recall that the sender's security requires that if f of x equals to 0, then the message m encrypted by the sender should be hidden from the authority. To prove this, our key observation is that if f of x equals to 0, then the term s times af plus e becomes something close to s times a plus e1, concatenated with s times a plus e1 times rf, where this e1 is some coordinate of the LWE noise e. Now, this means that this term can be approximately simulated by using s times a plus e1. However, these forms are LWE samples. Then by the LWE assumption, this means the secret LWE vector s is hidden from this term. Then we can argue that the self-text hides some information about the secret vector s. So, by using the randomness extractor, we can prove the message m is hidden from the authority. In our paper, we actually prove a stronger security notion, which is semi-malicious security. We prove this by slightly modified construction using the ideas from Brechtke and Dauding in 2018. For more details, you can refer to our paper. For the authority's security, we prove it using the security of the basis sampling. This basis sampling algorithm can hide the trapdoor rf. Thanks for watching. For more details, please see our full paper.