Hello everyone, my name is Giorgos Panagiotakos and I'm going to talk about resource-restricted cryptography and revisiting MPC bounds in the proof-of-work era. This is joint work with Juan Garay, Aggelos Kiayias, Rafael Ostrovsky and Vassilis Zikas. Secure multi-party computation has been studied since the 80s in what we're going to call the traditional MPC setting. In this setting the number of parties is fixed and their identities are known. Parties have synchronous secure channels, the adversary is unbounded or probabilistic polynomial time, and parties may have some setups such as a CRS or a PKI. Setup functionalities can be further separated into two categories, public-state setup and private-state setup. Both functionalities sample a string from a predetermined distribution. In the case of public-state setup everyone learns this string; as an example you can think of a CRS, a common random string. On the other hand, in the case of private-state setup different parties learn different parts of the sampled string. Here an example is a PKI: in a PKI everyone learns the public keys but no one learns all the secret keys. Obviously a public-state setup functionality can be emulated by a private-state setup functionality, and thus public setup is a weaker setup assumption. This distinction between public-state setup and private-state setup was further highlighted in the MPC literature. First, we know that assuming a private setup and that the majority of the parties is honest, MPC is possible. On the other hand, assuming a public-state setup and that one third of the parties can be corrupted, it has been shown first that broadcast is impossible, by a paper from Borcherding in 1996, and since fully secure MPC implies broadcast, MPC is also impossible in this setting. This result can be further strengthened by assuming private channels, the existence of enhanced trapdoor permutations or a random oracle. Now to be clear, I'm not saying anything new here.
All these results were shown more than 20 years ago. Now in the last 10 years we saw the development of proof-of-work based blockchain protocols such as Bitcoin. These protocols typically implement a transaction ledger, which is a primitive related to broadcast, and have been shown to be secure assuming that the majority of the parties is honest, as long as they have the same computational power and as long as they have access to a fresh CRS setup, that is, a CRS that becomes known to all parties, including the adversary, at about the same time. Now this result seems to contradict the impossibility result we mentioned before, since a fresh CRS is a form of public setup. To add to the confusion, all these results were shown in what is called the permissionless setting, where communication is not authenticated and the number of parties is not fixed, and similar results have been shown by restricting other resources parties have, such as space. So the question we pose here is the following: does the MPC impossibility result we mentioned before still apply in the traditional MPC setting under this resource-restricting paradigm? Now while there has been a lot of attention on resource-restricted cryptography in the last 10 years, it in fact has a long history. Merkle in 1976 used moderately hard functions to do key exchange, and Dwork and Naor in 1992 used them to mitigate spam attacks. Time-release crypto was invented by Rivest, Shamir and Wagner in 1996, and a bunch of papers tried to use this concept to deal with fairness issues. Now in all these works many different resources were considered, such as sequential computational power, parallel computational power, space and stake. Here we take a more abstract approach and consider network access as our resource. In more detail, we model restricted network access as a functionality wrapper. This wrapper has three properties. First, probabilistic access, that is, a new message is sent with some probability p.
Second, bounded access, that is, at most Q send attempts are allowed per round. Finally, free forwarding, that is, if I have received a message or have sent a message before, then I can forward it to any other party for free. While this filtering wrapper can wrap different types of networks, in this work we will focus on authenticated ones. Next, to see if the filtered network functionality is an appropriate abstraction of real models, we implemented it in the proof-of-work setting of Badertscher, Maurer, Tschudi and Zikas, that is, assuming an access-bounded random oracle functionality, a fresh CRS, a global clock used for synchrony and authenticated communication channels. We implement the filtered network functionality in the UC framework. Next I'll give a high-level description of our protocol. Our protocol is inspired by Bitcoin proof-of-work mining. Whenever a party tries to send a message m, it queries the access-bounded random oracle with the CRS, the message and a nonce value, and if the resulting hash is smaller than some target it sends the message, the nonce and the hash value through the authenticated network to the designated party. Now the fact that parties have a limited per-round query budget to the random oracle implies that the number of new messages they can send is bounded, as the filtered network functionality dictates. In order to resend the message, they just have to forward these three values, the message, the nonce and the hash, and obviously this forwarding is free in this implementation. What we did next was to revisit the broadcast impossibility result of Borcherding. A protocol implements broadcast if it satisfies three properties. First, validity, that is, if the sender is honest then all parties should decide on the sender's input. Second, agreement, that is, all honest parties should decide on the same value. And finally, termination, that is, all honest parties should eventually terminate.
Now the impossibility result we mentioned assumes that a third of the parties can be corrupted. We'll briefly describe the attack strategy of the impossibility result for three parties, A, B and C, where A is the sender, sending a bit b, and one of them is corrupt. The impossibility result proceeds by defining three scenarios, sigma 1, sigma 2 and sigma 3, such that no protocol can satisfy all broadcast properties in all three scenarios. In the first scenario party C is corrupt: it drops all communication with party A, while in the eyes of B it acts as if A was broadcasting one. In reality in this scenario A is broadcasting zero, and thus by validity, since A is honest, B should output zero. Symmetrically, in the second scenario B is corrupt and drops all communication with the sender. In the eyes of C, B acts as if A was broadcasting zero. Again in reality A is broadcasting one, and by validity C should output one. Finally, in the third scenario A, the sender, is corrupt. In the eyes of B it acts as if it was broadcasting zero; in the eyes of C it acts as if it was broadcasting one. Now we can show that in the eyes of B sigma 3 and sigma 1 are indistinguishable, while in the eyes of C sigma 3 and sigma 2 are indistinguishable. Hence in sigma 3 B and C should output the same values they output in sigma 1 and sigma 2 respectively. Hence they should output zero and one, and thus agreement no longer holds. Now observe that in the third scenario the adversary simulates two honest parties, A broadcasting zero and A broadcasting one. Our idea is to use the filtered network functionality to make this strategy infeasible by making simulating parties costly. Assume now that parties have access to the filtered network functionality, and for the moment assume that p equals one, that is, parties can send new messages with probability one, and they can again send at most Q new messages per round.
Now consider the protocol where the sender sends in the first round Q different messages, each containing its input b. Honest parties can run this protocol with no problem, since they can send Q new messages per round through the filtered network functionality. On the other hand, A in scenario three of the attack we described before has to send Q messages for simulating broadcasting zero and another Q messages for simulating broadcasting one. Obviously this is impossible, since it can send at most Q messages per round, and thus it cannot launch this attack. We can generalize our protocol to any noticeable p. The difference is that we take a bigger set of rounds that depends on the parameters p and Q of the filtered network functionality, and we change the number of messages the sender has to send. Then, using a Chernoff bound, we can show that with overwhelming probability A cannot launch its attack. Concluding, we saw that there is a protocol such that the broadcast impossibility attack is not feasible anymore, even though the adversary can corrupt a third of the parties. What seemed like a contradiction is explained by the fact that the adversary only has limited resources. So having shown that Borcherding's broadcast impossibility attack does not apply in the resource-restricted setting, our next goal is to implement secure MPC with honest majority in public setup. As our first step we implement a registration functionality that allows parties to register keys like in a PKI. We're going to talk a bit more in the next slide about this. Assuming the filtered network functionality and signatures, and because all our work is in the UC framework, we next take advantage of older results to achieve MPC. First, due to a paper from Canetti in 2004, we implement the certification functionality, which allows linking messages to parties, starting from the registration functionality and the signature functionality.
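As an added illustration (my own Python simulation, not the paper's UC code), the following models the filtered network wrapper with its three properties, the proof-of-work send attempt from the implementation above (SHA-256 stands in for the access-bounded random oracle, which is my assumption), and the first round of the broadcast protocol just described: an honest sender gets Q copies of its bit to both receivers through free forwarding, while a corrupt sender trying to simulate both "broadcasting zero" and "broadcasting one" cannot get more than Q fresh messages through per round, in whatever order it tries them. Party names, the per-round budget and the rounds parameter are constructed values.

```python
import hashlib
import random

class FilteredNetwork:
    """Constructed model of the talk's filtered-network wrapper: a fresh message costs one
    of the Q send attempts per round and goes through with probability p; forwarding is free."""
    def __init__(self, p, q, seed=7):
        self.p, self.q, self.rng = p, q, random.Random(seed)
        self.attempts = {}   # party -> fresh-message attempts used in the current round
        self.seen = {}       # party -> messages it has sent or received (forwardable for free)

    def new_round(self):
        self.attempts = {}

    def send(self, sender, receiver, msg):
        if msg not in self.seen.get(sender, set()):     # fresh message (else free forwarding)
            used = self.attempts.get(sender, 0)
            if used >= self.q:                           # bounded access: budget exhausted
                return False
            self.attempts[sender] = used + 1
            if self.rng.random() >= self.p:              # probabilistic access
                return False
        for party in (sender, receiver):
            self.seen.setdefault(party, set()).add(msg)
        return True

def pow_stamp(crs, msg, nonce, target_bits=8):
    """One access-bounded random-oracle query of the PoW implementation (SHA-256 stands in for
    the oracle, an assumption): the message may be sent only if H(CRS, m, nonce) is below the target."""
    h = hashlib.sha256(crs + repr(msg).encode() + nonce.to_bytes(8, "big")).digest()
    return h if int.from_bytes(h, "big") >> (256 - target_bits) == 0 else None

def first_round(p, q, rounds, receivers, batches):
    """For each (sender, receiver, bit) batch the sender attempts q fresh messages per round;
    receivers then forward for free. Returns per receiver how many distinct messages carry each bit."""
    net = FilteredNetwork(p, q)
    got = {r: set() for r in receivers}
    for rnd in range(rounds):
        net.new_round()
        for sender, receiver, bit in batches:
            for i in range(q):
                if net.send(sender, receiver, (bit, rnd, i)):
                    got[receiver].add((bit, rnd, i))
    for r in receivers:                                  # free forwarding among receivers
        for r2 in receivers:
            for m in list(got[r]):
                if r2 != r and net.send(r, r2, m):
                    got[r2].add(m)
    return {r: {b: sum(1 for m in s if m[0] == b) for b in (0, 1)} for r, s in got.items()}
```

With p below one the honest sender's delivered count becomes a random variable bounded by q times the number of rounds, which is exactly where the talk's extra rounds and Chernoff-bound argument come in.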
Then, due to a paper from Hirt and Zikas in 2010, we can implement the broadcast functionality starting from the certification functionality. And finally, due to a paper from Cramer, Damgård, Dziembowski, Hirt and Rabin in 1998, we can implement the MPC functionality starting from broadcast in the secure channels model. Now all these implications hold against adaptive adversaries, hence all our results are against adaptive adversaries. Our final theorem looks like this: we can implement the MPC functionality in the UC framework assuming that we have a filtered network functionality, a signature functionality, secure channels and the global clock functionality, and assuming that the majority of the parties is honest. Moreover, by taking advantage of the result we mentioned before, that is, that we can implement the filtered network functionality starting from a bounded-access random oracle and a fresh CRS, we get a corollary saying that we can do MPC starting from the bounded-access random oracle, signatures and a fresh CRS. Next I'm going to talk a bit about the registration functionality. The registration functionality takes two commands. First, a submit command together with a string, which each party can issue once; when issued, the registration functionality stores the submitted string together with the identity of the party that submitted it. Secondly, a retrieve command; when issued, the registration functionality's response contains a list of identities and registered strings. Now there have been some previous attempts to implement this functionality. The first one by Katz, Miller and Shi in 2014 and the second one by Andrychowicz and Dziembowski in 2015. Unfortunately these attempts are not good for our goal. First because there the keys, the registered strings, are linked to pseudonyms and not to the actual identities of the parties. And secondly because security there is in the standalone framework and not in the UC one.
Now our protocol builds on the approach of Andrychowicz and Dziembowski. Next I'll give a high-level overview of our protocol for p equals 1, that is, messages are sent through the filtered network functionality with probability 1. In the first round parties generate a signature key pair, let's say (sk', vk'), and send Q distinct messages containing the verification key vk' through the filtered network functionality. This way it's established that the adversary cannot create more identities than the number of parties it can corrupt. Secondly, they sign with the secret key the string they want to register together with their identity, and send the message through the authenticated network. This way they link the string they want to register with their identity. Now of course, if we stopped here, the protocol would not be secure, because the adversary can easily break the consistency of this registration functionality as follows. It can, for example, sign with the secret key two strings s and s' and send them to different parties. Then these parties would not agree on the string that this party, P' for example, has registered with the functionality. So in order to deal with this problem we use a form of graded agreement so that parties agree on a common key set. I'm not going to go into more detail about this. Next, as before, we can generalize this protocol to any noticeable p by having parties send more messages in a bigger set of rounds that depends on p and Q. And finally, while the filtering functionality we implemented earlier assumes a fresh CRS, we can implement a weaker form of this functionality based on a traditional CRS, where the adversary can learn the CRS string a lot earlier than the honest parties. Concluding, we saw that resource-restricted cryptography once more challenges long-established MPC impossibility results, and that's why it deserves further research. We have identified a couple of interesting directions.
First, implementing the filtered network functionality by restricting other resources that parties may have, such as space, as well as unifying older works under this filtered network abstraction. Secondly, revisiting other MPC lower bounds and seeing whether they still hold in the resource-restricted setting. Thank you all and keep safe.