 ‫בלכה, אני אראה שאתה עשית ‫בספר של השכחה. ‫זה נדעה על הדוק ‫בספר סמונטניה, ‫בספר סמונטניה ‫בספר סמונטניה, ‫הוא מתחיל את יאלקו שילבץ, ‫עכשיו אני לא אעשה ‫את היטב של הפרסיטה. ‫מה זה הדוק, פרסיטה, ‫הבספר סמונטניה וריאל גבינסון? ‫אז זו פרסיטה, ‫אנחנו חושבים ‫בספר סמונטניה ארה induf these npartys only kpartys, set S of kpartys not-kown in advance will participate in the actual computation, the queue computation of some function S. And for simplicity we'll assume that S is symmetric. So what are the motivations for this? One is very relevant to what will happen in the front in two days. It's voting. There are many possible voters. Out of them, only some of them will vote. ואחר נדה, יש שם הרבה אנשים, אבל only two of them will come and will want to see if they match. So again there is a big universe and a small number of parties that will participate. In the standard MPC model this question is simple, the parties will communicate, will find out who are the parties, and then execute the usual MPC, but the question is can we do that without adding coordination and without adding communication rounds, and we will consider this question as the simplest possible communication model of a private simultaneous message protocol introduced by Seigir Kylian and Oran Ishaen Kushilevitz, so this is again the simplest communication pattern possible, there are n-parties, each one holds an input and there is a referee, the goal of the referee is to compute some function of the input and each party sends one message independent of the other messages of the other parties and will have a correctness and security and for that we will need that the party will have a shared randomness, so they will have a shared random screen, for efficiently reasons we think about it as correlated screen where each party holds part of the shared screen, but this is only efficiency, it's not a security requirement, so we can use only a shared correlated randomness. And again we have two requirements, we have the correctness, the referee should learn the output of the function, the correct output of the function, and the security says that the referee learns nothing besides the output of the function. So this is the PSM model, let's speak about ADOC, PSM, so again we have n-parties and they have the correlated randomness, but exactly k-parties will show up, in this example k is equal to and p2 and pn will show up, and in this case the goal of the referee is to compute f of x to an xn, the participants are not known in advance, so for instance instead of pn it can be that p2 and p3 showed up, this shouldn't change the message of p2, and p3 will not know that p2 is the other party, so each party is not aware of the other party that will participate in this ADOC PSM model. Let's speak about some assumptions and variants, in the basic model we assume that exactly k-parties will show up, if less than k-parties show up the referee should learn nothing, and if more than k-parties show up we don't guarantee any security, so this is the basic model, we also consider a model where we require security even when more than k-parties show up, notice that if more than k-parties show up even in the ideal world the referee can compute the value of f of any subset of size k of the parties that send messages, so in the best possible security for sets of size bigger than k will require that the referee learns these values of f are nothing else, so again we have the basic model and the best possible security model, in this talk we'll assume that f is symmetric, the function does not depend on the identity of the parties that will show up and not on the order that they show up, we can also consider non-symmetric functions, but for this talk we'll only consider symmetric functions, the set s is not known to the parties, but in the basic model we do not guarantee anonymity, the referee will know the set s that send messages, we can also consider require anonymity, but in this case where we need the channels to be anonymous, and the last point that we consider two models of security, we consider information for retic security, IT security, and computation security. Okay, so what are our results? We construct a few other PSM protocols, especially we show that every function has an information for retic ADOC-PSM, not necessarily efficient, but it exists, all the functions that are known to have an efficient information for retic PSM protocol also, we show that this function also has an efficient information for retic ADOC-PSM protocol, and we show that all polytime functions computed in polynomial time have an efficient computation ADOC-PSM assuming runway function, so again these are functions that are known to have a computational PSM using your Garbled circuit, so they will have also an efficient computational ADOC-PSM. We also show a connection of ADOC-PSM with ADOC-Primitive, we show that we can construct order revealing encryption for two messages with information for retic security from an information for retic ADOC-PSM protocol, we show the connection between ADOC-PSM and a non-interactive MPC introduced in the previous paper, these are PSM that are tiered bus, they are secure even if we can collode with T-parties, so we show that NIMPC exists even if best possible ADOC-PSM exists, we show that best possible computation ADOC exists if and only if IO exists, and we show that the connection between ADOC-PSM or simple function to point function obfuscation and the further point function obfuscation, so these are the results, what I want to give now examples of two ADOC-PSM protocols, the first one is a very simple one for the difference where K is equal to, the referee should learn XI minus XJ mod P, and the common randomness is the random element in ZP, and the protocol, every party, each one of the two parties simply send its XI plus the random element, and the referee takes MI minus MJ, and the R is cancelled, so it gets XI minus XJ, so this is the correctness, the security, what the referee gets, it's simply two elements through the difference in the output of the function, so this review of the referee can be simulated from the output of the function, so this is a very simple example, now a more complicated one, ADOC-PSM for the sum, before we present the ADOC-PSM for the sum, I want to recall the PSM for the sum, so again we have N parties, each one has an element in ZP, and the referee should learn the sum of the XI mod P, so the randomness N, random element in ZP, whose sum is zero, and each party computes a message XI plus RI mod P, and send it to the referee, the referee simply sums the messages that he got, which is simply the sum of the XI plus RI, which are cancelled, so this is the correctness, and for the security, it simply gets N random element whose sum is the output of the function, so this is the PSM for the sum, and we want to use the ideas of this PSM to use the ADOC-PSM, where only a set of size K will show up, and if we will try to generalize it, we will have that the sum of every K, the K elements should be zero, so we will have to have all the RI being zero, and we cannot use it, so we cannot use the idea simply, and we have to use another tweak, so we will construct the ADOC-PSM for the sum of K, so we should get the sum of XI for the set X, which is not known in advance, so for the randomness, we first generate N random element whose sum is zero as in the ADOC-PSM, and in addition, we share each J using a K out of N secretarian scheme, and we generate N shares, and PI receives RI, and the IF share of every RJ, so it gets one element and N minus one share, and the message that PI sends is the same message as before XI plus RI, and all the shares that it goes. What is the output of the referee for set S of size K? For every I in S, it knows XI plus RI, for every J not in S, it got K shares of RJ, so it can reconstruct RJ, there are three sums of this information, and again, the RI, they cancel themselves, and we have that sigma, so we get the sum of XI only of the set S. As for the security, note that for every I in S, PI doesn't send the share of RI, so for each such I, the referee gets only K minus one share in the K out of N secretarian scheme, so RI is hidden from the referee, and the view of the referee is exactly the view of the referee in the protocol, in the PSM for some, where the input of each PJ not in S is zero, so the security follows from the security of the PSM, let's move more details into results, so we said we have a construction of ad hoc PSM, so the starting part of this work for the trivial ad hoc PSM, simply execute the PSM for every set of size K, so this will give an overhead of N truth K compared to the standard PSM, the advantage of this PSM, ad hoc PSM is that it achieves best possible security, and it shows that every all functions have an inefficient ad hoc PSM, the disadvantage is it's highly inefficient, so our goal was to design a more efficient protocol, so for every symmetric function F, we show that there exists ad hoc PSM protocol with overhead which is exponential in K, but logarithmic in N compared to the standard PSM for F, so notice for K equals two, the overhead of this protocol is log N compared to N in the trivial protocol, and for bigger values of K, they prove it is much more dramatic, for instance, this protocol will be efficient when K is the order of log N, so this is the first construction, the second construction is the construction of the ad hoc PSM for F from a PSM for related function energy, and by the properties of the function G, we achieve two corollaries, all functions not to have an efficient information for erratic PSM, basically the functions that have some type of branching program also have an efficient information for erratic ad hoc PSM, and since all function G have an computation PSM, so this implies that all poly time functions have an efficient computation ad hoc PSM, again assuming one function, so these are constructions, the last construction is similar to the construction of the ad hoc PSM for the sum function, as the application we get the order revealing encryption, so an order revealing encryption is the private key encryption scheme encrypted with a comparison of port ado who gets encryption of two messages, and it returns one, if and only if X1 is a small law equal to X2, and the encryption should not leak any additional information except for the order between the inputs, so we show that IT ad hoc PSM implied order revealing encryption, and we use an ad hoc PSM for the greater than function with n equal to the lambda parties and k equals two, where lambda is the security parameter, we know that the greater than function has an efficient PSM with complexity polynomial in L, when L is the length of the spring compared, so we're using our construction, it has an ad hoc information for ad hoc PSM with complexity log n times polynomial, where n is exponential two to the lambda, it will be lambda to the polynomial, so we strongly use the fact that our protocol is logarithmic in the number of parties, and using this construction we achieve a statistical information for where to execute order revealing encryption for two messages, and the complexity of the ad hoc PSM, which is lambda times polynomial, and for more than two messages, we can generalize the construction, but the leakage will be one of the polynomial and not negligible, so this is the ad hoc PSM from order revealing, and let's talk about the best possible ad hoc PSM, in the previous work with Ariel Gabinson, which we showed that multi-input function encryption implies a distribution design, and in turn it implies the computational best possible ad hoc PSM, we showed that best possible ad hoc PSM implies NIMPC, and which was shown to imply IO, which was shown to imply a multi-input function encryption, so this shows that best possible ad hoc PSM exists if and only if IO exists, for this result we need ad hoc PSM for relatively complicated functions, and the question is, can we construct ad hoc PSM protocol for simple functions, so we showed that best possible computation ad hoc PSM for the N function implies point function obfuscation, and best possible computation ad hoc PSM for the special function implies a fuzzy point function obfuscation, this primitive is known only to exist under the assumption that IO exists, so conclusion that best possible ad hoc PSM requires stronger assumption, with our current knowledge, so let's summarize, we present construction of ad hoc PSM, every function has an ad hoc PSM, all functions don't have an efficient IT-PSM protocol, it has an efficient IT-ADOC PSM, and all poly-time functions have an efficient computation, ad hoc PSM assuming PSM, and we show connections of ad hoc PSM to order revealing encryption, non-interactive multiparticle mutation, IO, point of function obfuscation, and the obvious open problems, more protocol improves complexity and parameters, more connection with other primitives, especially for the best possible security, a specific question is how do, even if we want a protocol that for K equals two, that is secure even if a free party will show up, this is open, and if we'll have some construction that will have an order revealing encryption, that is secure even for free messaging. So these are the results, thank you.