Hi, I'm Keewoo Lee of Seoul National University in Korea. In this video, I will present MHz2k, a new multi-party computation protocol from homomorphic encryption over the ring Z_{2^k}. This is joint work with my advisor Jung Hee Cheon and Dr. Dongwoo Kim of Western Digital.

Our MPC protocol belongs to the so-called SPDZ family, which follows the approach of the SPDZ protocol presented at CRYPTO 2012. All these protocols aim at a general MPC protocol which is secure against an actively corrupted majority. By active security, we mean that adversaries may freely deviate from the prescribed protocol, as opposed to the honest-but-curious model. By dishonest majority, we mean that all parties except one may be corrupted. Among the various settings of MPC, this is one of the most important. Modeling the security threat as honest-but-curious adversaries is often unsatisfactory in real-life applications, and in the case of secure two-party computation, dishonest majority is the only meaningful goal. However, it was notoriously difficult to handle an actively corrupted majority efficiently.

Before SPDZ, it was first observed that one can push the use of heavy public-key machinery into a preprocessing phase, without knowing the input values or the function to compute. Meanwhile, in an online phase, one can securely compute a function using only lightweight primitives. This paradigm, the so-called preprocessing model, spotlighted the possibility of designing an efficient MPC protocol even in the actively secure dishonest-majority setting. In more detail, the goal of the preprocessing phase is the generation of so-called Beaver triples, or simply triple generation. That is, parties jointly and securely generate random additive secret shares of a, b, and c satisfying a times b equals c. Then, in the online phase, parties can perform secure computation using the famous Beaver's trick, where a Beaver triple is consumed at each multiplication gate.
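The online-phase idea can be sketched in a few lines. Below is a minimal two-party sketch of Beaver's trick over Z_{2^64} (the two-party split, variable names, and values are illustrative choices for this sketch, not from the talk): a preprocessed triple (a, b, c) with c = a·b lets the parties multiply shared x and y by opening only the masked differences x − a and y − b.

```python
# Toy sketch of Beaver's multiplication trick over Z_{2^64}.
# Two parties hold additive shares x = x0 + x1, y = y0 + y1
# and a preprocessed triple with c = a * b.
import secrets

MOD = 2**64

def share(v):
    """Split v into two random additive shares mod 2^64."""
    s0 = secrets.randbelow(MOD)
    return s0, (v - s0) % MOD

def beaver_mul(x_sh, y_sh, a_sh, b_sh, c_sh):
    # Parties open the masked values eps = x - a and dlt = y - b;
    # these reveal nothing since a, b are uniform one-time masks.
    eps = sum((x_sh[i] - a_sh[i]) % MOD for i in range(2)) % MOD
    dlt = sum((y_sh[i] - b_sh[i]) % MOD for i in range(2)) % MOD
    # Local computation: z_i = c_i + eps*b_i + dlt*a_i,
    # plus the public term eps*dlt added by one designated party.
    z = [(c_sh[i] + eps * b_sh[i] + dlt * a_sh[i]) % MOD for i in range(2)]
    z[0] = (z[0] + eps * dlt) % MOD
    return z

x, y = 1234, 5678
a, b = secrets.randbelow(MOD), secrets.randbelow(MOD)
c = a * b % MOD
z = beaver_mul(share(x), share(y), share(a), share(b), share(c))
assert sum(z) % MOD == x * y % MOD   # shares of the product x*y
```

Note that after the openings, each party only performs cheap local arithmetic, which is exactly why the online phase needs no heavy machinery.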
However, this is not sufficient in our malicious setting, since adversaries might deviate from the prescribed protocol in the online phase. So, in SPDZ-like protocols, a MAC is used to authenticate the computations. In particular, we use an information-theoretically secure MAC which simply multiplies a global MAC key alpha to the input, and which satisfies linearity. Accordingly, the goal of the preprocessing phase changes to authenticated triple generation. Namely, parties additionally generate random additive shares of alpha·a, alpha·b, and alpha·c using the secret-shared MAC key. We remark that no one knows the value of alpha, since it is generated in a distributed way. The online phase essentially stays the same, by the linearity of our MAC.

After SPDZ, there were active and steady developments in this area. Up to minor differences, all these works share the same online phase; the distinctive features are in the designs of the preprocessing phase. These works can be classified by the main technical tools they use, namely somewhat homomorphic encryption, linear homomorphic encryption, and oblivious transfer. There was some back and forth, but Overdrive with the TopGear optimization on it is now considered the state of the art, which leveraged the parallelism of lattice-based homomorphic encryption.

Meanwhile, all the works I have mentioned are MPC protocols over finite fields. The main reason that they were not extended to more general rings, such as Z_{2^k}, is that the security of the MAC we are using is closely related to invertibility. That is, it is hard to translate the online phase of SPDZ to the ring Z_{2^k}, where non-invertible elements abound. Surprisingly, SPDZ2k, presented at CRYPTO 2018, extended the MAC to also work over Z_{2^k}, and initiated the research on SPDZ-like protocols over Z_{2^k}. According to the authors, this is not only theoretically interesting, but also has implications in practice.
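As a toy illustration of the MAC just described, here is its prime-field version (the modulus p and all values are my own choices for the sketch; as discussed above, this exact MAC does not carry over to Z_{2^k}):

```python
# Minimal sketch of the SPDZ-style linear MAC over a prime field Z_p.
# In the real protocol alpha is secret-shared and tags are held as
# additive shares; here we compute in the clear to show linearity.
import secrets

P = 2**61 - 1                      # an illustrative prime modulus

alpha = secrets.randbelow(P)       # global MAC key (no party knows it)

def authenticate(x):
    """Information-theoretic MAC tag: alpha * x mod p."""
    return alpha * x % P

x, y = 42, 99
tx, ty = authenticate(x), authenticate(y)

# Linearity: the tag of x + y is the sum of tags, so parties can
# maintain MACs through additions (and public scalings) for free.
assert (tx + ty) % P == authenticate((x + y) % P)
assert 7 * tx % P == authenticate(7 * x % P)
```

A cheating party who shifts x by some nonzero e must also shift the tag by alpha·e to pass the check, which requires guessing alpha; the success probability is 1/p.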
Note that integer arithmetic in modern CPUs is done modulo 2^k, say 2^64. If we use MPC over Z_p, we first need to compile our code into Z_p arithmetic, and Z_p arithmetic in the MPC online phase needs to be emulated again by Z_{2^k} arithmetic for execution. These cause double overheads for emulation. On the other hand, if we use MPC over Z_{2^k}, we can compile naturally without such overheads. Meanwhile, there is also the limitation that this approach requires a less efficient MAC, namely the SPDZ2k MAC. However, a follow-up work reported that in serious applications such as decision trees and support vector machines, MPC over Z_{2^k} shows up to 5 times improvement in the online phase compared to MPC over finite fields. A disclaimer here is that this does not mean an absolute advantage, since for the preprocessing phase there is still a substantial gap between the Z_p and Z_{2^k} cases. Actually, the goal of our work is to reduce this gap.

However, as you can see, SPDZ2k is an OT-based protocol. The authors left an open problem to construct an HE-based MPC protocol over Z_{2^k}, since the HE-based approach showed the best performance in the Z_p case. The complication here is that achieving parallelism in lattice-based HE is very non-trivial in the Z_{2^k} case, as opposed to the Z_p case. There are two follow-up works aiming to improve the preprocessing phase of SPDZ2k, namely Overdrive2k and MonZ2ka. In particular, Overdrive2k partially solved the open problem of SPDZ2k by proposing a new packing method for Z_{2^k} messages. Interestingly, the authors of Overdrive2k left another open problem: to bring the TopGear optimization into the Z_{2^k} framework, as they could not employ TopGear, the state-of-the-art technique for Z_p. And this is where our work belongs. We follow the SHE-based approach to construct an MPC protocol over Z_{2^k}, secure against an actively corrupted majority.
We solved the open problem of SPDZ2k by designing an efficient packing method for Z_{2^k} messages, and also the open problem of Overdrive2k by proving mathematical lemmas that allow the TopGear optimization also in the Z_{2^k} case. As Overdrive2k is the most comparable work, we will continuously compare our work with Overdrive2k.

In this slide, I will briefly review SHE-based authenticated triple generation. Recall that the goal is to securely generate shares of a, b, and c satisfying a times b equals c. In addition, we have to generate shares of alpha·a, alpha·b, and alpha·c, where alpha is the global MAC key. The protocol starts with each party choosing random values a_i and b_i. Implicitly, the shared values a and b are defined by these additive shares. Then, each party encrypts its shares and broadcasts them with a so-called zero-knowledge proof of plaintext knowledge (ZKPoPK), which guarantees that the ciphertexts were honestly generated. Then, they add the ciphertexts to obtain a and b in encrypted form. To generate shares of alpha·a, they multiply the encryption of a with a previously generated encryption of the MAC key alpha. Then, they perform a so-called distributed decryption to share alpha·a. We can do similarly for alpha·b. To generate shares of c and alpha·c, we first homomorphically multiply the ciphertexts. Indeed, to generate shares of alpha·c, we could again homomorphically multiply the encryption of alpha and perform distributed decryption. However, this method is not favorable, since it requires an SHE scheme of multiplicative depth 2, as we homomorphically multiply twice consecutively. This increases the parameters of the SHE scheme and affects efficiency. So, the standard method here is the so-called reshare protocol. Roughly speaking, the reshare protocol securely re-encrypts a level-0 HE ciphertext, which does not allow any more multiplications, into a fresh ciphertext. The reshare protocol allows an SHE scheme with multiplicative depth 1 to be sufficient for our case.
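To make this dataflow concrete, here is a transparent mock of generating authenticated shares of alpha·a (purely illustrative: "ciphertexts" are bare residues with no security, so only the who-computes-what structure of the steps above remains):

```python
# Dataflow mock of authenticated share generation <alpha*a>.
# No real encryption is modeled; Enc(x) is just x.
import secrets

MOD = 2**64
N_PARTIES = 3

# MAC key alpha is generated in a distributed way: no party knows it.
alpha_shares = [secrets.randbelow(MOD) for _ in range(N_PARTIES)]
alpha = sum(alpha_shares) % MOD
enc_alpha = alpha                         # "Enc(alpha)", produced jointly

# 1. Each party picks a_i and broadcasts "Enc(a_i)" (with a ZKPoPK).
a_shares = [secrets.randbelow(MOD) for _ in range(N_PARTIES)]
enc_a = sum(a_shares) % MOD               # homomorphic sum -> Enc(a)

# 2. Homomorphic product Enc(alpha * a): one multiplicative level used.
enc_alpha_a = enc_alpha * enc_a % MOD

# 3. Distributed decryption: parties end up with additive shares
#    of alpha * a, without the value itself being revealed.
masks = [secrets.randbelow(MOD) for _ in range(N_PARTIES - 1)]
shares = masks + [(enc_alpha_a - sum(masks)) % MOD]

a = sum(a_shares) % MOD
assert sum(shares) % MOD == alpha * a % MOD
```

The same pipeline with Enc(a)·Enc(b) in step 2 yields shares of c, which is where the depth-2 issue and the reshare protocol enter.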
Then, we can proceed just as for alpha·a and alpha·b. We remark that the messages are actually vectors, by the parallelism offered by the packing methods of lattice-based HE schemes. So, to sum up, the main building blocks of authenticated triple generation and their roles are: first, the packing method, which enhances amortized performance; second, the reshare protocol, which allows us to keep down the SHE parameters; and third, the ZKPoPK, which is the heaviest part and guarantees that the parties honestly generated the ciphertexts. As the title of our paper suggests, our protocol MHz2k is a combination of improvements in all three of these building blocks.

Finally, we are ready to get into our technical contributions. In this section, we are interested in HE packing methods. By packing, we mean methods for embedding several copies of messages into a single plaintext while providing a certain degree of homomorphism. In our work, we consider packing for copies of the ring of integers modulo some t. Packing enhances amortized performance by allowing SIMD-like optimizations, and it is essential for the practical use of HE, as the complicated plaintext space defined by lattice-based HE schemes is usually not the space we want to compute in. Packing plays an important role in SPDZ-like HE-based MPC protocols, since the efficiency of a packing method, measured by how densely the messages are packed into a plaintext, directly affects the throughput of triple generation.

First, I will review the conventional packing method for prime-field messages. The idea is to choose parameters so that the cyclotomic polynomial fully splits modulo p. Then we can apply CRT ring isomorphisms to pack several Z_p messages into a plaintext in Z_p[x] quotiented by the cyclotomic polynomial. Note that since this packing method is defined by an isomorphism, it offers a fully homomorphic correspondence between messages and plaintexts, and the packing structure is maintained after homomorphic operations.
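The conventional CRT packing can be demonstrated with a tiny parameter set (my own toy choice: p = 17 and the cyclotomic x^4 + 1, which fully splits mod 17): packing is interpolation at the four roots, unpacking is evaluation, and ring multiplication acts slot-wise.

```python
# CRT/SIMD packing for prime fields: x^4 + 1 has four roots mod 17,
# so evaluations at those roots act as four independent Z_17 slots.
P = 17
ROOTS = [2, 8, 15, 9]          # roots of x^4 + 1 modulo 17

def polymul(a, b):
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % P
    return res

def pack(msgs):
    """Lagrange-interpolate msgs at ROOTS: inverse of the CRT map."""
    coeffs = [0, 0, 0, 0]
    for m, r in zip(msgs, ROOTS):
        basis, denom = [1], 1
        for s in ROOTS:
            if s != r:
                basis = polymul(basis, [(-s) % P, 1])   # times (x - s)
                denom = denom * (r - s) % P
        scale = m * pow(denom, -1, P) % P
        for t in range(4):
            coeffs[t] = (coeffs[t] + scale * basis[t]) % P
    return coeffs

def unpack(coeffs):
    """Evaluate at ROOTS: one message ('slot') per root."""
    return [sum(c * pow(r, t, P) for t, c in enumerate(coeffs)) % P
            for r in ROOTS]

def ringmul(a, b):
    full = polymul(a, b)
    res = full[:4]
    for i in range(4, len(full)):          # reduce via x^4 = -1
        res[i - 4] = (res[i - 4] - full[i]) % P
    return res

m1, m2 = [1, 2, 3, 4], [5, 6, 7, 8]
prod = ringmul(pack(m1), pack(m2))
assert unpack(prod) == [a * b % P for a, b in zip(m1, m2)]  # slot-wise
```

Because the evaluation map is a ring isomorphism here, the slot structure survives any number of additions and multiplications, which is exactly the level consistency discussed next.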
Also, it offers perfect packing density. However, we cannot use the conventional packing method for Z_{2^k} messages, since the cyclotomic polynomial never fully splits modulo 2^k. Meanwhile, it is known that it factors into polynomials of the same degree d. In this case, one way to pack Z_{2^k} messages is to again leverage the CRT isomorphism, but use only the constant coefficients and put 0 in the other coefficients. In this way, we can still enjoy a fully homomorphic correspondence and level consistency. This method was often used by HElib and HElib-based applications. However, with this method the packing density goes too low, namely 1 over d. As d must be larger than ten for security reasons, using this method in our case causes more than tenfold overhead for MPC over Z_{2^k} messages, compared to the prime-field case.

Overdrive2k aims to improve the packing density of HElib-style packing, based on the observation that a somewhat homomorphic correspondence, up to one multiplication, is enough for MPC preprocessing. The idea is to use as many coefficients as possible while avoiding interference. For example, if we pack messages into the coefficients of degrees 0, 1, 3, 4, and 9 and multiply, then, as the set is carefully designed, the coefficients of degrees 0, 2, 6, 8, and 18 encode the products of the messages. By this means, Overdrive2k achieves a somewhat homomorphic correspondence up to one multiplication. Also note that this packing method is level-dependent, meaning that the packing structure changes after a multiplication. The authors claim that the packing density of their method is asymptotically 1/d^{0.4}, and is roughly 1/5 for practical parameters.

The starting point of our packing method is the idea: what if we use evaluation points rather than coefficients, as in previous packings? That is, what if we use interpolation to pack messages?
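The coefficient-packing idea can be checked directly with the exponent set from the slide (a toy sketch mod 2^64; the real Overdrive2k scheme works inside the degree-d CRT factors, which this sketch ignores):

```python
# Overdrive2k-style coefficient packing: messages sit at degrees
# {0, 1, 3, 4, 9}; after one polynomial multiplication the products
# appear at the doubled degrees {0, 2, 6, 8, 18}, because no sum of
# two distinct exponents collides with a doubled exponent.
K = 64
MOD = 2 ** K
SLOTS = [0, 1, 3, 4, 9]

def pack(msgs):
    coeffs = [0] * (max(SLOTS) + 1)
    for m, s in zip(msgs, SLOTS):
        coeffs[s] = m % MOD
    return coeffs

def polymul(a, b):
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % MOD
    return res

x = [3, 5, 7, 11, 13]
y = [2, 4, 6, 8, 10]
prod = polymul(pack(x), pack(y))
# Read the products off the doubled exponents, interference-free:
assert [prod[2 * s] for s in SLOTS] == [a * b % MOD for a, b in zip(x, y)]
```

Note the level dependency is visible here: before multiplication the slots are at degrees S, afterwards at 2S, so two ciphertexts at different levels no longer line up.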
If we interpolate the messages into a polynomial of degree roughly half of d, then we can easily avoid degree overflow when multiplying, and prevent the information loss caused by reduction modulo the quotient polynomial. The best part is that this packing method offers a packing density of more than a half. This sounds perfect, reducing the gap in packing density between the prime-field and Z_{2^k} cases to only a factor of 2. However, the caveat here is that interpolation over Z_{2^k} is impossible in general. To see this, consider evaluation at 0 and 2: these two values must have the same parity. Thus, we do not have full freedom to choose the target points.

However, our story does not end here. We devised a method to perform something very similar to interpolation over Z_{2^k}. We call this method tweaked interpolation. The main idea is to lift the target points through a larger ring to cancel out the effects of zero divisors. Precisely, when n Z_{2^k} messages are given, we can find a not-so-large delta so that there exists a polynomial over this lifted ring whose degree is less than n and whose evaluation at i equals the i-th message multiplied by 2^delta, for all i.

Coming back to packing methods, we can now realize our packing design with the help of tweaked interpolation. Just one thing to be careful about: since we lifted the target points by a factor of 2^delta, after a multiplication the lifting factor grows to 2^{2·delta}. In this regard, we must use a plaintext modulus with extra bits to avoid modulus overflow and prevent information loss. Then, our tweaked interpolation packing offers a somewhat homomorphic correspondence up to one multiplication. Note that our packing method is also level-dependent. In fact, we can choose delta to be roughly half of d. Thus, the packing density of our tweaked interpolation packing is roughly a half when d is sufficiently smaller than k. And this is the case for typical parameters of actively secure MPC over Z_{2^k}.
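Here is a toy version of the lifting idea (illustrative only: it picks delta as the largest 2-adic valuation appearing in the Lagrange coefficients, which matches the spirit of tweaked interpolation but is not necessarily the paper's exact construction). Plain interpolation can fail, since any integer polynomial satisfies f(0) ≡ f(2) (mod 2); scaling the targets by 2^delta and enlarging the modulus removes the obstruction.

```python
# Toy "tweaked" interpolation over Z_{2^K}: find an integer polynomial
# f with f(i) = 2^delta * msgs[i] modulo the enlarged modulus 2^(K+delta).
from fractions import Fraction

K = 8                                   # message modulus 2^K

def v2(x):
    """2-adic valuation of a positive integer."""
    v = 0
    while x % 2 == 0:
        x //= 2
        v += 1
    return v

def lagrange_coeffs(msgs):
    """Exact rational coefficients of the poly with f(i) = msgs[i]."""
    n = len(msgs)
    coeffs = [Fraction(0)] * n
    for i in range(n):
        basis, denom = [Fraction(1)], 1
        for j in range(n):
            if j != i:
                shifted = [Fraction(0)] + basis        # x * basis
                basis = [-j * b for b in basis] + [Fraction(0)]
                basis = [a + b for a, b in zip(basis, shifted)]
                denom *= (i - j)
        for t in range(n):
            coeffs[t] += msgs[i] * basis[t] / denom
    return coeffs

msgs = [7, 200, 13, 101]                # messages in Z_{2^8}
coeffs = lagrange_coeffs(msgs)
delta = max(v2(c.denominator) for c in coeffs)
MOD = 2 ** (K + delta)                  # enlarged plaintext modulus
# Lift: 2^delta * coeff has an odd denominator, hence a residue mod MOD.
lifted = [c.numerator * pow(2, delta - v2(c.denominator), MOD)
          * pow(c.denominator >> v2(c.denominator), -1, MOD) % MOD
          for c in coeffs]
for i, m in enumerate(msgs):
    val = sum(c * i ** t for t, c in enumerate(lifted)) % MOD
    assert val == (m << delta) % MOD    # f(i) = 2^delta * message
```

The point of the 2^delta factor is exactly to absorb the even parts of the Lagrange denominators; the remaining odd parts are units modulo a power of two and can simply be inverted.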
Moreover, in a recent paper by Professor Cheon and me, we proved that this is, in a sense, near-optimal. The graphs show plots of the packing densities as the degree d changes. The red line is for the Overdrive2k packing and the blue lines are for our tweaked interpolation packing. The three blue lines denote the densities for three typical sizes of k used in actively secure MPC over Z_{2^k}, as our density is affected by the size of the ring Z_{2^k}. The left graph shows the asymptotic behavior of the densities, and the right graph shows the exact densities in the practical range of d. Notice that the gap is visible even in the closest case. Our tweaked interpolation packing shows up to 2.5 times improvement in packing density versus the Overdrive2k packing. That is, using tweaked interpolation packing in MPC preprocessing, we can improve the amortized performance by a factor of 2.5.

A limitation of packings for Z_{2^k} is that they are level-dependent. By level-dependent, we mean that we get a different packing structure after multiplications, so that we have a different packing structure for each multiplicative level. The recent paper by Professor Cheon and me proves that this situation is inevitable. The circumstance is in contrast with the conventional packings for prime fields, which are naturally level-consistent by the CRT isomorphisms. The issue here is that if a packing method is level-dependent, then we cannot perform homomorphic computation between different packing levels. But why does this even matter? To see this, I will briefly review the reshare protocol. Roughly speaking, it is used to re-encrypt a level-0 HE ciphertext, which does not allow any more multiplications, into a fresh ciphertext. Oversimplifying a bit, it proceeds as in the diagram. First, we add a random ciphertext R to mask the input ciphertext C. Then we perform distributed decryption, followed by a fresh encryption. Finally, we subtract the masking ciphertext R to recover an encryption of the original plaintext.
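The reshare dataflow just described can be traced with a transparent mock of HE (ciphertexts are tagged plaintexts with a level field; nothing here is secure, this only checks the bookkeeping of the steps above):

```python
# Dataflow mock of the reshare protocol. A "ciphertext" is the
# plaintext plus a level tag; all names are illustrative.
import secrets

MOD = 2**64
N_PARTIES = 3

class Ct:                                  # mock additively homomorphic ct
    def __init__(self, m, level):
        self.m, self.level = m % MOD, level
    def __add__(self, o):
        return Ct(self.m + o.m, min(self.level, o.level))
    def __sub__(self, o):
        return Ct(self.m - o.m, min(self.level, o.level))

def reshare(ct):
    # 1. Each party masks with a random r_i, broadcast as a ciphertext.
    rs = [secrets.randbelow(MOD) for _ in range(N_PARTIES)]
    masked = ct
    for r in rs:
        masked = masked + Ct(r, ct.level)
    # 2. Distributed decryption opens only the masked value m + R.
    opened = masked.m
    # 3. Re-encrypt the opened value freshly, then subtract Enc(R).
    fresh = Ct(opened, level=1)
    for r in rs:
        fresh = fresh - Ct(r, 1)
    # 4. As a bonus, the parties hold additive shares of m:
    #    party 0 keeps (m + R) - r_0, every other party keeps -r_i.
    shares = [(opened - rs[0]) % MOD] + [(-r) % MOD for r in rs[1:]]
    return fresh, shares

ct = Ct(123456789, level=0)                # a used-up level-0 ciphertext
fresh, shares = reshare(ct)
assert fresh.level == 1 and fresh.m == ct.m
assert sum(shares) % MOD == ct.m
```

The mock makes the upcoming issue visible: the mask R is consumed once at level 0 (step 1) and once at level 1 (step 3), so with a level-dependent packing the two uses need different packing structures.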
Notice that the masking ciphertext R is used twice, at different levels: once to mask the input ciphertext C at level 0, and once for the reconstruction at level 1. The ciphertext levels can easily be adjusted by the modulus switching technique of HE, but the difference in packing levels seems problematic. In this context, Overdrive2k provides two masking ciphertexts with the same message but in different packing levels. This solution, however, almost doubles the cost of the reshare protocol. On the other hand, we resolve this issue with a technical trick. The main observation is that we use the reshare protocol only to support an additional multiplication with the MAC key alpha, which is in fact a constant in Z_{2^k}. Thus, we do not even need to care about packing levels if we use a different packing structure for the MAC key, namely the constant packing method. Our trick closes the gap between the prime-field and Z_{2^k} cases caused by the level consistency of the packings, and offers a 1.4 times reduction in communication cost compared to the solution of Overdrive2k.

In this section, we are interested in zero-knowledge proofs of plaintext knowledge, abbreviated as ZKPoPK. A ZKPoPK guarantees that a ciphertext is honestly generated from a plaintext, without revealing any information on the plaintext. ZKPoPK plays an important role in SPDZ-like protocols, since it prevents adversaries from submitting maliciously generated ciphertexts to learn information of other parties. ZKPoPK is a standard Sigma-protocol. Suppose the prover Alice wants to prove that she has honestly generated a ciphertext which encrypts a plaintext x with randomness r. First, she commits to a random masking ciphertext. Then the verifier Bob chooses a random challenge c, which is either 0 or 1. After receiving the challenge, Alice responds with the corresponding linear combination of plaintexts and randomness. Finally, Bob checks certain criteria to judge whether Alice has really generated the ciphertext honestly.
However, with such a small challenge space, consisting only of 0 and 1, we must iterate this process numerous times to achieve a satisfactory level of security. The TopGear protocol aims to enhance the efficiency of ZKPoPK by enlarging the challenge space. The main idea is to leverage the structure of the HE plaintext space, namely a polynomial ring quotiented by a power-of-two cyclotomic polynomial. In this way, they extended the challenge space to 0 and the powers of x. This approach is favorable in communication cost and latency. The TopGear optimization also reduces memory consumption in the batched version of ZKPoPK, which is standard in SPDZ-like protocols.

Behind the scenes of TopGear, there are two mathematical facts which enable such a large challenge space. The first fact is that multiplying by a power of x does not increase the size of the coefficients too much. The second is that a difference of powers of x always has a small pseudo-inverse in the plaintext space. The second fact was first observed by Benhamouda et al. and is widely employed. These two facts are the essence of the security proofs of ZKPoPK, including soundness. However, these lemmas were only known for power-of-two cyclotomic polynomials. Meanwhile, power-of-two cyclotomic polynomials are irreducible modulo 2^k. This means that we cannot leverage CRT parallelism for Z_{2^k} messages in this case. In this context, Overdrive2k could not employ the TopGear optimization. In this work, we extended the lemmas to the prime case, and in a follow-up work, we extended them even further to the case where m has two or fewer prime factors. With these new generalizations, we propose TopGear2k, which allows us to use a larger challenge space for Z_{2^k} messages, as in TopGear for prime-field messages. Indeed, our ZKPoPK enjoys the same advantages as the original TopGear protocol.

Another limitation of packings for Z_{2^k} is that they are non-surjective. By non-surjective, we mean that there exist invalid packings in the plaintext space.
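The second fact above, small pseudo-inverses of differences of powers of x, can be checked concretely for the power-of-two cyclotomic x^N + 1 (shown here for odd exponent differences only, via a standard telescoping identity; this is an illustration, not necessarily the talk's proof):

```python
# In Z[x]/(x^N + 1) with N a power of two and t odd, there is an s(x)
# with coefficients in {-1, 0, 1} such that (x^t - 1) * s(x) = 2.
# Construction: (x^t - 1)(1 + x^t + ... + x^((m-1)t)) = x^(mt) - 1,
# and choosing m with m*t = N (mod 2N) makes x^(mt) = -1, so the
# product is -2; negating the geometric sum gives s.
N = 16                                     # power-of-two ring degree

def mono(e):
    """Coefficient vector of x^e reduced via x^N = -1."""
    q, r = divmod(e % (2 * N), N)
    c = [0] * N
    c[r] = -1 if q else 1
    return c

def ringmul(a, b):
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sgn = -1 if ((i + j) // N) % 2 else 1
            res[(i + j) % N] += sgn * ai * bj
    return res

for t in [1, 3, 5, 7]:                     # odd exponent differences
    m = N * pow(t, -1, 2 * N) % (2 * N)    # m*t = N (mod 2N)
    s = [0] * N                            # s = -(1 + x^t + ... )
    for i in range(m):
        c = mono(i * t)
        for u in range(N):
            s[u] -= c[u]
    prod = ringmul([a - b for a, b in zip(mono(t), mono(0))], s)
    assert prod == [2] + [0] * (N - 1)     # (x^t - 1) * s = 2
    assert all(abs(c) <= 1 for c in s)     # s has tiny coefficients
```

This is exactly the kind of statement that had to be re-proven outside the power-of-two case: for prime (and later, two-prime-factor) cyclotomics, the corresponding pseudo-inverses are what make the enlarged challenge space of TopGear2k sound.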
The recent work proves that this situation is also inevitable. The circumstance is in contrast with the conventional packings for prime fields, which are naturally surjective by the CRT isomorphisms. The issue here is that malicious adversaries may use these invalid packings to illegitimately learn information of other parties, so it is necessary to somehow handle these invalid packings. In this work, we conceptualize zero-knowledge proofs of message knowledge, abbreviated as ZKPoMK, which guarantee that a ciphertext encrypts a valid packing without revealing any other information on the message. This concept was somewhat neglected in Overdrive2k, since a ZKPoMK can be easily integrated into the ZKPoPK if one uses only a small challenge space consisting of 0 and 1. In this work, we designed an efficient ZKPoMK for our tweaked interpolation packing, which goes well with our extended challenge space.

Combining all the previous improvements, we obtain a better authenticated triple generation. Our new tweaked interpolation packing offers better amortized performance. Our simpler reshare protocol offers reductions in communication cost and latency. And our better ZKPoPK, together with our new ZKPoMK, offers reductions in communication cost, latency, and memory consumption. As a whole, MHz2k, an MPC protocol over Z_{2^k} secure against an actively corrupted majority, offers 2.2 to 4.8 times improvement in amortized communication cost versus the previous best schemes, and 3.7 to 6.4 times improvement in memory consumption versus Overdrive2k. But what we really want to share here are our new techniques and concepts which enabled these improvements, namely tweaked interpolation and tweaked interpolation packing, the level-dependency and non-surjectivity of packings, the constant packing trick for a simpler reshare, the generalization of the lemma by Benhamouda et al., and our new notion of ZKPoMK. Thank you for watching. Any questions or comments are welcome, by any means.