 So this is joint work with Manjit Kumar Hassan and Srinivasan Raghuraman. So as in the previous talk, the task we're interested in here is secure multi-party computation, where end parties want to together compute a joint function of their inputs without revealing anything except the output value. The protocol should be secure in the face of an adversary who controls at most T of the end parties. So we have a variety of protocols for secure multi-party computation, both in the honest majority setting, and also in the setting we'll be interested in in this talk where more than half of the parties are allowed to be corrupted by the adversary. The protocols we know for oblivious transfer for multi-party computation in the dishonest majority setting rely on the functionality of oblivious transfer, where Alice has two input values, X0 and X1, and Bob wants to learn one of them. There are two security requirements. Bob should only learn one of Alice's values and not the other value, and Alice should not learn which value Bob receives. In order to achieve oblivious transfer, the protocols that we have for secure multi-party computation in the dishonest majority setting rely on public key operations, which are substantially slower than symmetric key cryptography. And there's evidence that this dependence on public key operations may be inherent in light of the result of impagliazzo and Riddich that we cannot obtain oblivious transfer from one way functions in a black box way. The question we ask here is whether we can improve the efficiency of multi-party computation by relying on some kind of special infrastructure between the parties. The infrastructure that we're interested in is based on oblivious transfer. So Killian showed that if the parties in a network can perform oblivious transfer, then that's enough to securely compute any function at all. As long as every pair of parties in the network can compute oblivious transfer. The question that we ask is what if only some pairs of parties can compute oblivious transfer and others are not allowed to? Can we still get secure multi-party computation? So here's the model. We have n parties, and every pair of parties is assumed to be connected by secure point-to-point channels. But some pairs of parties have these special oblivious transfer channels represented by edges. A pair of parties connected by an oblivious transfer channel can compute oblivious transfer securely as many times as they want. So why is this a reasonable model? First of all, the protocols, the way that we know how to get MPC in a dishonest majority setting is through oblivious transfer. Also we can achieve oblivious transfer not only from computational assumptions such as public key crypto, but also even in a world where public key cryptography is impossible, we can still get oblivious transfer from trusted hardware, from special purpose hardware in the form of noisy channels. Also oblivious transfer, the cost of oblivious transfer can be amortized. We can perform, a pair of parties can perform a one-time setup phase where they run oblivious transfer several times on random values, and subsequently in a very fast online phase relying only on one-way functions, they can perform additional oblivious transfers under computational security. So this means that it makes sense to consider a network where some pairs of parties have invested a one-time computational cost to establish the ability to perform efficient oblivious transfer, and other pairs of parties maybe that just joined the network or something don't have the ability to perform oblivious transfer efficiently. So the question we ask is given a network where some pairs of parties can perform oblivious transfer, can we still perform secure MPC in the network? And in particular, which edges can we add to the network? Which other pairs of parties can perform oblivious transfer? So the starting point of our investigation is a paper of Harnak Ishaian Kushi Levitz who showed that if 99% of the parties are allowed to be corrupt, there exists a particular sparse network that allows every pair of parties to perform oblivious transfer securely. And there are also some lower bounds, which I'll discuss in a couple of minutes. Our result is generalized as the result of Harnak Ishaian Kushi Levitz, rather than just talking about a particular graph in which it's possible to get OT. We give a complete characterization of when it is possible to get oblivious transfer between a pair of vertices. So given a graph, we give a categorization of exactly which edges, which oblivious transfer edges can be added to the graph, which pairs of parties can perform oblivious transfer in an information theoretic setting. So before we get into the details, let's peek ahead and look at what's out there. So let's look at a few examples of four-party graphs where two of the parties are allowed to be corrupt and see in which cases we can get OT and in which cases we can't. So in each of these examples, we're going to ask, is it possible to get oblivious transfer between party A and party B? In this first graph, there's only a single oblivious transfer edge. And it's between two parties that are not the parties that want to do OT. And it's even possible that both of those parties are corrupt. So it seems like there shouldn't be anything we can do. But it turns out, as we'll see later, that it is possible to get oblivious transfer between A and B. So here's another graph that looks very similar. But instead of C and D being connected by an edge, we have OT between one of the parties we're interested in and party D. And even though this looks almost identical, in this setting, we cannot get OT between A and B. So here's another example where we actually have two OT channels. So this seems like it should provide us more power. But still, we cannot get OT between A and B. So here's another example where the two OT channels meet at party B. Party B has both of these OT channels. And in this graph, we can get oblivious transfer between A and B. And finally, if the two OT channels meet at one of the parties other than the party we're interested in, then we can also, in this setting, get OT between A and B. So from these examples, we can see that it's not just the number of OT channels that are present in the network or whether each party is connected to an OT channel. That's relevant. The exact structure of the graph of OT channels is necessary to determine whether or not we can compute securely. So the key condition that we're going to be interested in is one of splitting, splits, which may be familiar from those of you who are watching the Olympics. So given a pair of vertices A and B, an N over 2 split is a balanced cut in the graph. So a partition of the vertices into two sets of size N over 2, so that there are no edges from one set to the other set. So this is an example of an N over 2 split. But if we add an edge between these pair of vertices, then an edge crosses the cut so it's not an N over 2 split. More generally, we define a case split to be a pair of sets of size K with no edges from one set to the other set. So we can have edges inside each set. We can have edges from either set to the remaining vertices. But there are no edges from one of the orange sets to the other orange set. So this is an example of a 4 split. And again, if we add an edge between the two sets, then we have an edge crossing the cut, so it's not a 4 split. And we say that a graph is K unsplittable if it has no K splits. This brings us to our main result. In the dishonest majority setting, a pair of parties can perform oblivious transfer securely exactly when the graph is N minus T unsplittable. So let's look at what this means in two parameter settings. If half of the parties are allowed to be corrupt and the other half are guaranteed to be honest, then we can perform secure oblivious transfer as long as for every balanced cut in the graph, there's some edge crossing the cut. And if there's a balanced cut with no edge crossing, then we cannot perform oblivious transfer securely. At the other extreme, we can look at the case where all but one of the parties are allowed to be corrupt and we're only guaranteed a single honest party. So here, the condition is about one splits. So there's only one vertex in each set of the partition. And the requirement is the trivial requirement that we can only perform secure oblivious transfer if that pair of parties was already connected by an edge. So even if we have an almost complete graph with a single edge missing, then that pair of parties cannot perform secure oblivious transfer if all but one party is allowed to be corrupt. So just one word about security. In this work, our protocols achieve perfect information theoretic security against adaptive semi-honest adversaries. And we can compile this using zero-knowledge proofs to obtain computational security against adaptive malicious adversaries. So now I'd like to talk for a couple minutes about lower bounds. So in the two-party setting, where we have no special channel between the two parties, the work of Chiran Kushi Levitz and of Impagliatso and Rudich tells us that we cannot achieve information theoretic security. We cannot achieve oblivious transfer with information theoretic security between A and B. And what's more, we cannot achieve computational security from one way functions in a black box way. So building on this, Harnak Isha and Kushi Levitz considered this three-party graph below and reduced it to the previous case showing that oblivious transfer between A and B and this three-party graph would give us a protocol for a two-party oblivious transfer. And so it's impossible in the same settings. So more generally, we can look at a graph that has a split between a pair of vertices. That has an n minus t split. So we have two sets of size n minus t with no edges from one to the other. And if we assume, if we had a protocol for oblivious transfer between A and B in this graph, then we could use it to obtain oblivious transfer in the three-party graph. By basically, by party A in the three-party graph simulates one set of the partition. Party B simulates the other set of the partition. And party C runs the protocol for the remaining vertices. So this would give us a protocol for OT in this three-party graph. And consequently, it's impossible to get oblivious transfer in a graph that has an n minus t split. And this gives us a lower bound due to Harnacky, Chey, and Kushi Levitz, that in the dishonest majority setting, if a graph has an n minus t split, then we cannot achieve oblivious transfer between A and B. Our main result is a matching upper bound. So we show that for any graph, if it is n minus t unsplittable, then we can get oblivious transfer between A and B. Before I get into the details, let me mention one technical tool, OT combiners. So let's say we have K candidate protocols for oblivious transfer. And none of them is quite secure. But they're almost secure. So for any set of corrupt parties, a majority of the K protocols is secure. Then we can compile them to obtain a single protocol that's secure for all sets of corrupt parties. So this is a way of taking some simple ideas and combining them to get more complicated protocols. So it's a very nice tool for building protocols. So now I'm going to talk about our protocol in the case when half of the parties are corrupt and the other half are known to be honest. So the protocol will have three main phases. First, for every pair of OT channels that meets at a vertex, we're going to obtain the third OT channel completing the triangle. Second, by iteratively applying this step, we're going to take each connected component in the OT graph and turn it into a clique. And finally, given a graph that's a disjoint collection of cliques, we're going to obtain a protocol for OT. So the first step of completing triangles uses some simple protocols and combiners. Obtaining cliques is done by iterating the triangle completion protocol. And I'm going to focus on the third step, that of turning a graph that's a collection of cliques, taking a graph that's a collection of disjoint cliques, and obtaining oblivious transfer. So first, let's look at a graph that consists of a single clique plus the two vertices we're interested in, a and b. So in this graph, since we know that oblivious transfer is enough to get secure multiparty computation, if we have a complete graph, we can run secure NPC on this clique. And we can have, as long as one party in the clique is honest, then the clique can simulate a single trusted party. Using secret sharing and NBC techniques. So as long as a single party in the clique is honest, then the clique functions as a trusted party and can mediate oblivious transfer between a and b. So this lets us get OT between a and b. So now we have a graph that is a collection of disjoint cliques. And we're going to define a series of protocols. So for each party i in the graph, define, let protocol pi i be an execution of the clique protocol I just described on the graph consisting of the clique containing party i plus parties a and b. And then this gives us n protocols, one for each party in the graph, and we're gonna run a combiner on these n protocols. So for each protocol, we know that the clique protocol will be secure if the corresponding clique contains some honest party. The full protocol will be secure as long as a majority of the protocols we're combining are secure. So in particular, whenever i is honest, protocol pi i is honest because there's an honest party in the corresponding clique. So in order for the combined protocol to be insecure, for every dishonest party i, a protocol pi i needs to be insecure. In order for this to be true, every clique containing a dishonest party must contain only dishonest parties. So if the protocol is insecure, honest parties must be connected only to honest parties and dishonest parties must be connected only to dishonest parties. And there are n over two of each. So this means that if the protocol is insecure, then we have n over two honest parties and n over two dishonest parties with no edges from the honest parties to the dishonest parties. And this gives us exactly an n over two split in the graph. So what this means is if the protocol is insecure, then there's an n over two split in the graph or said the other way, whenever the graph is n over two unsplittable, then the protocol is secure. So this gives us a protocol, a matching upper bound for the case where t equals n over two. We get a secure oblivious transfer whenever the graph is n over two unsplittable. Now let me talk about the general case when the number of clapped parties is greater than n over two. Our approach here is we'll be to take a graph, an instance of the problem, and break it into many smaller instances. Basically, we're gonna try removing each possible vertex and running recursively running a protocol on the smaller graph. So to do this, we need to argue two things. We need to have that when we remove a vertex, we preserve the splitability criterion so that we can recursively apply our protocol to the smaller graphs. And we also need that in a majority of the smaller graphs, we will have one fewer corrupt party so that the smaller protocols are secure. I'm not gonna go into the details here, but we have both of these conditions, and then we run a combiner on the n smaller protocols. And this gives us a protocol, inductively, this gives us a protocol for the dishonest majority case. Where our base case is the protocol I just described, where half of the parties are honest and half are corrupt. Okay, this gives us a protocol, but what about efficiency? We're taking a graph and we're breaking it into n smaller graphs and then we're recursing. So each of these smaller graphs is broken into smaller graphs and so on, until at the bottom we get many, many instances of the base case. So this gives us two t minus n levels of recursion. So in general, it will not be computationally efficient. But in the special case, where n over two plus a constant parties, where the number of corrupt parties is n over two plus a constant, then we can obtain, the protocol will be quasi polynomial time with perfect information theoretic security. Or using OT extension, where we can obtain a protocol that is polynomial time with computational security. We also have a second alternate protocol that I didn't describe that will be, that is polynomial time if almost all of the parties are corrupt. What about in between? In general, it won't be efficient. But the property, but actually our theorem condition of testing whether the graph is splitable is not something we know how to test efficiently. In general, it's NP-hard to determine whether the graph has a split. It's a special case of subgraph isomorphism which we know to be NP-hard. So let me close by just restating the main result and combining it with what we know in the honest majority setting. So a pair of vertices can perform oblivious transfer in an OT network. If and only if, either we have an honest majority or in the dishonest majority setting, if the graph is N minus T unsplittable. Thank you.