 Hi everyone, my name is Irana, I'm a restructur of protocol lab and in this talk I'm going to present Monza that is a new two-party protocol for secure computation of functions that are defined over the ring such in the KAA. And this is a joint work with Dario Catalano, Maria di Ramon and Dario Fiora. So we look at this problem, we have two parties, Iris and Bob, with private inputs and I want to compute a public function F over this input without revealing the inputs. And the way we solve this is design an interactive protocol for Iris and Bob such that even one of the two parties corrupted and does not follow the instruction of the protocol, the protocol stays as secure as sending inputs to a trusted party that computes the output and returns only this to Iris and Bob. So this is the standard MPC problem just for the very specific case of two parties only. And there are a lot of MPC protocols that solve this problem and usually this protocol they consider the function F as a binary circuit like for example Yau scheme does this or add a circuit over a finite field. In this work we take a different approach and we assume that the function F is represented as an aromatic circuit but over a ring specifically the ring of the integers module 2 to the K, so Z2K for short. And why do we do this? This choice comes from the fact that one is interesting and two is an interesting problem and two actually the integer arithmetic on standard CPU is done module 2 to the K for a specific value of K. So an MPC protocol that is designed in this model is simply to implement because you know the arithmetic of the protocol is the same arithmetic of the machine implementing it and then can implement very easily tricks and other sub protocols that are used for this CPU computation to speed up this computation. So at the end we get a protocol MPC protocol that is fast in practice as well. We are not the first one to look at this model actually there are feasibilities result that says that MPC is possible even in the dishonest majority case of a ring for any ring fine ring of course and there are also there is also a framework for a very specific case the three-party case with one correction design a very efficient protocol for computation over the specific ring to the K. This is the shame by the framework and quite recently Kramer and others are crypto two years ago they also extended the tools that are used in many protocols of the speed family to compute overfield they send this tool to compute over a ring so they designed what they call the speed 2k protocol and there are already some variation of this protocol for example over the 2k was presented quite recently and with all of these line of work and we present a new protocol that we call it monza that is specific for the two-party case achieves active security and as speed 2k is in the preposessing model actually we have the same online phase of speed 2k but we have a different preposessing we use for the first time this scheme that is called a joys-lebert scheme that is very well suited for this mpc preposessing over the ring it's very well suited for this because it's linearly homomorphic it naturally supports message space the ring that we are interested in it's quite efficient basic operation like encryption decryption and the homomorphic operation are really efficient moreover they don't need this encryption scheme doesn't need zero knowledge proof of plaintiff's knowledge so this is a plus for the mpc preposessing application however it still needs some kind of zero knowledge proof specifically zero knowledge proof for correct multiplication and the challenge here is that such proof were not known in the literature before this work so in order to be able to use this joys-lebert scheme and you know exploit all these nice features the challenge we had to to overcome was actually designed this specific protocol and I'll tell you more in the following of this talk but before I want to say that Monza is also efficient in practice we implemented the preposessing phase in C and did some we did some benchmarks and tests and you can read all the details of these in the paper here I want to say two things first of all the throughputs of the preposessing phase so how many tripods for example we generate per second it stays the same or almost the same even if the connection between the two parties is low so the throughput for tripods with a like a very good connection LAM connection with 0.5 sorry millisecond between the two parties as latency is 19 if we go down to a very slow connection with the 100 millisecond we still have a good throughput that is 70 so just two tripods left this is a nice feature for application for specific application and also computation wise we have that let's say the role of the two parties is not symmetric we have one party that always has to do like more operation or like more complex operation okay so this means that Monza can be very well it can be a good size in the model where we have a server the client and the server is more has more computational power than than the client okay these are some features and now I want to start to construct the protocol and for this I'll start recalling you what's how a speed like protocol looks we have two tools here first of all we have a secret sharing an arithmetic secret sharing and specifically the additive one meaning that any value like for example A is represented as a pair of values A1 and A2 such that the sum is the value and such that Alice only know A1 Bob only know is to be A2 and we also have an information theoretic mark message authentication code and this means that there is a global key that stays the same you call it data and it stays the same for the entire protocol and this key is used with each value to create this mark the mark is just the product between the key and the value and the mark is also clearly secret shared and these are the two tools that in the speeds in the speeds formula are used for all the online phase of all for all the protocols there and usually they are these tools are used that especially the market is used on them on a field very recently as I told you before Kramer and others they extended this to they adapted this this tool to work on a computation for computation over the ringer that should decay and how did they do it so the key idea is the following if you want to compute on that should okay you actually need to go to let's say an extension ring so that is a ring that is large as and it has other s bits okay so most specifically say you have a value a in that should decay what you are going to take you are going to take an a prime in that to k plus s such that the first k bits are equal that is these two where are equal model to decay and then you are going to secret share and authenticate the the value a prime okay and you are doing these for all the inputs and then you are going to do the computation over the ringer to to the k plus s so the online phase of speeds to like is very is basically the same of of the online phase of speeds meaning that any linear operation in the function is executed locally on the shares by the parties and for multiplication to to have an efficient way to do multi creation we use a random trip also a random triple is three values x y and that they are shared authenticated form and the first two x and y are random while y is the product y sorry that is the product of x times y and once that you have a random triple we have a standard tool trick called the beaver format to also do multiplication okay this is quite the known standard and the key point here is that how do we get this random triple so here is where the preprocessing comes into into play basically before doing the online computation there must be a preprocessing phase that use some cryptographic primitives for example public ecrypto to generate these random tripods and other correlated randomness that we may need and so if you think how to create these tripods in this offline phase with assessing phase you can realize quite quite soon that basically all you need is a multiplication protocol indeed like generating random values is easy because each party can just take their own shares of this value what is complicated is for example to mark this value because you have to do a multiplication between the two shared values and this involves multiplication between like two shares one known by Alice and one known by Bob so if we design a protocol to multiply to multiply two values one known by Alice one more Bob and this multiplication protocol will return the shares of these multiplication then basically we are done we can use these to construct tripods okay so how do we do multiplication between secrets there are like again several protocols that use different primitives different building blocks for example you can use oblivious transfer you are going to have a quite cheap protocol that is but that is however band-wide band-width intense you can use the homomorphic encryption different flavor for example the original speed protocol used at somewhat homomorphic encryption meaning that the encryption scheme that is linearly homomorphic and it also allows you to compute say the multiplication to Cybert or like manipulate to Cybert to get the encryption of the multiplication of the two original values or you can use you can use something simple like linear homomorphic encryption only we take these up let me say first of all that there is no one that is best or that is the best they all have these prongs and cons for example as I said before oblivious transfer is a cheap in computation but bandwidth intense using homomorphic encryption give you something that is much better in communication so requires less communication but is more more intense for computation for sorry computation requires more computation so there are different flavor different solutions and we we present a new solution that use a simply linear homomorphic encryption scheme and in particular the encryption scheme that we choose is this joy live art for all the nice future I told you at the beginning so let me recall you what this scheme is this is a basically an extension a generalization let's say of the godwater minkalis scheme and instead of for instead instead of encrypting bits it encrypts a string of bits or like element of the ring that should do then the public key is a ring an LSA module and with the generator of the group of the invertimal element what you end this generator has to be actually a special one it has to has the jacobi symbol equal to one and jacobi symbol is just an an extension of the legend symbol that you can compute one you know p and q okay so some like let's say a number of theoretic character characterizes specific characterization and idea but one you have these you can encrypt your message just taking your message for example m just doing g to the n so generator to them and then you randomize the encryption taking a random value x and elevating these to the power to them the order of the plain text space okay so once how do we use what that we have this how do we use it to to do the multiplication protocol it's quite simple so again remember that we have a alice with input x bob with input time and they want to compute a secret sharing of these x times y okay we'll assume that alice has public and secret key for the jury bus scheme while bob only has the public so the protocol goes like this artists send the encryption of x to bob bob takes this type artist a and do use the homomorphic property of the of the scheme to compute c that is y times a y is input plus the encryption of a random value r i was chosen by by bobby if i and send back this value c to alice alice decrees and gets her shares basically so defines her share that one as the encryption of c while bob defines is is share as minus r and it's quite easy to verify that z one plus the two now is actually y x times y so we have a secret sharing of the multiplication of the two in both perfect security for bob is super easy because alice can cheat basically can do anything what is challenging here is how do we achieve security for for alice so when bob is corrupted he could for example send back send this c competent in a wrong form okay so in order to avoid this we had to add a zero knowledge proof of the fact that c is actually y a plus encryption of r okay and the challenge is here because such a product is not known for the jay libert scheme and moreover since jay libert works on a ring it's not easy to like take standards not like protocols and adapt to to to work in this case because we have the non-invertible element we have all the problem that being on a ring brings with for example not all and invertible and and so we can't divide easily by elements that are non-zero i'll tell you one more about this but first let me let me do a let me do a comment let me precise one thing so this is what we want to prove what we need to prove to have the multiplication protocol to be secure so we have to prove this blue statement that you see in the slide that was the one in the in the previous protocol however for the rest of this talk i'm going to focus on something that is simpler just for the sake of simplicity and that is actually proving that Bob wants to convince Alice that he knows m such that the public cypher testee is the encryption of m without revealing m okay um the the the key ideas are similar the first protocol is the like the one we need is more involved so we are going to focus on the simpler one for the at least doing this talk so let's construct this simple protocol to understand the the key ideas and we're going to construct it as is not like protocol so the first thing that is going to happen is that Bob the the pruger is going to sample another message s and to encrypt this message with the same key clearly but with new random s w and send this encryption back to Alice uh send this to Alice Alice she is going to choose a challenge challenge as an element of that true to the x true to the s so could be a bit sting let's say it's a bit more or is a bit sting of s element we we um we interpret it as an element of this new ring that to that true to the s and and and this challenge is received by Bob who computes true values values x and y these two values can be computed by just knowing m and if these two values are computed correctly like following this this formula then uh when they are sent to Alice Alice can use them to verify a specific algebraic uh formula the one you see uh on on the slide if this formula is true she accepts the proof otherwise she reacts and correctness again it it's just uh doing some some math it's quite easy and the soundness the soundness in this kind of protocol usually is proven in this way we assume that Alice is sending more than a challenge like a a d prime there are different challenges and we say if Bob can answer both of them then basically we can compute uh this m that means Bob is not lying so if Bob answer many challenges is not lying and the way we compute is that we use the algebraic uh formulas that uh uh that is used by Alice to verify we use that formula with different challenge as we get we compose them together we get basically a formula for m this formula usually depends on the invert of the element e minus e prime the two different challenges and while if you are on a field this is fine because you can invert this element this element is different than zero so you can invert you cannot do this on a ring because on the non a ring uh there are non invertible elements uh they are actually in the ring two to the n there are a lot of them all even uh elements are not invertible for example so how can we adapt this strategy how can we we overcome this problem so what we show in the paper is that actually this value e minus e prime and two to then they have the great common divisor is always two to the t for some t that is smaller than s the bit length of the challenge that is also smaller than m okay so we can basically simplify a factor two to the t from both of these and once that you do this you can at that point you can actually invert the new the new value the simplified value clear you don't invert in the ring two to the n but you invert in the ring that is smaller two to the n minus f and this means that you basically you are extracting your computing you are a formula for m that only extracts a compass and extracts the first n minus two bits of it so if you actually want to extract all the message now you have to go back start from scratch and start your uh zero knowledge protocol with the larger message page you have to work from the beginning on the ring uh uh z two to the n plus s if you do this then you basically start or ask when you start to just the first n bits and notice that this is not an efficient problem we can do this like going to the extension field section ring in uh it's not a problem for efficiency because the cyber test land that stays the same with the bit is a jolly bath scheme okay uh so if you wrap all together basically now you I hope you get an idea of the zero knowledge uh protocol of correct multiplication going to be similar to this one I show you but more involved and you can use it to construct your you can use it in the multiplication purple and multiplication probably is then used in uh to genetic trials there are a lot of details how you use all these together that you can find in the paper let me skip them here instead I want to talk like a minute about the computation the communication complexity of months of the processing phase so the nice thing is that we are able to compute the explicit formula of the communication complexity so all constant are explicit and clearly the communication complexity is linear in the cyber test land and in the input land and in the land of these extra s bits that we need for security but it's not just that the linear we have explicit constant you can see the formula there in the slide and the formula translates to kind of translate to explicit numbers when you plug them in and there's an example that for example for 80 bits computational security and this s our statistical security parameter were equal to 40 less than 70 kilo bits are needed for a typo on the an example where the the input size is 128 bit and you'll just see a table there that you can read more details about it in the paper but basically this is the table that compares our protocol with the speech okay protocol we achieve a very similar communication complexity and and usually Monza is more efficient meaning needs it needs less communication when K is a bit larger like for example for K 128 Monza is more efficient okay before concluding I just want to say that they would have some interesting direction for future works for example we would like to see if we can extend this protocol to the end party case something interesting also designing batch verification for the zoonerage proof because we do a lot of them for each type or two you need a number of the zoonerage proof imagine if you can batch verify them you gain a lot in efficiency and then also maybe you want for some specific application it would be interesting to design soup protocols that can exploit the GL unique properties and with this it is all thank you a lot for watching and bye bye