 So, I'm going to talk about maliciously secure private set intersection, let's say, joint work with Tobias. So, specifically, we are going to realize this functionality of PSI where both the parties will get the output of the protocol. So, AF and B have these sets ASA and SB, and the functionality will give the intersection of this ASA and SB, nothing else to both the parties. So, we are in the settings where the set size are same or similar, you can pair it to make it same. And also, we are considering security against malicious adversary. So, why PSI? So, as already, which I mentioned that this is a really practically motivated problem and it comes in many real-life scenarios. For example, he mentioned about this measuring at conversion rate, but there are also many other applications like private contract discovery, math making, right sharing, secure sketch and many other things. And there actually, many work has been done on this two-party PSI primitive and specifically also on actively secure two-party PSI primitive, but very few work considered the multi-party settings. So, in this work, specifically like actively secure multi-party setting, so in this work, we try to construct more efficient multi-party PSI protocol which is secure against a malicious adversary. So, in this process, we actually find, propose several secure PSI protocol based on one primitive which is called oblivious linear function evaluation. So, specifically, we propose a two-PFS, propose a two-PSI protocol with optimal communication complexity like which is linear in the set size and the computational complexity is dominated by order of m log m field multiplication. And then we generalize these two-PSI protocol to multi-party PSI protocol with communication complexity of n square plus nmk where n is the number of parties. So, usually, this n is much smaller than the set size m, so we kind of get almost linear communication complexity for actively secure multi-party PSI protocol. And for the computational complexity, it is order of nm log m basic field multiplication. We also give a protocol for threshold multi-party PSI with same communication and computational complexity and threshold multi-party PSI means every party will learn the intersection when the size of the intersection is greater than some threshold value. And all these protocols are information theoretically secure in welly hybrid model. And so, we can say like in comparison with other MPSI protocol, our protocol kind of asymptotically beats all the existing maliciously secure PSI protocols. And this is the first instantiation of a threshold multi-party PSI protocol which achieves active security and also almost linear communication over it. And I note that for the two-party threshold PSI protocol, it actually achieves the linear communication over it because this is kind of n minus 1 whole square, so it's just go away. So we find this result in welly hybrid model. Now the question is what is welly? So, this is a primitive called oblivious linear function evaluation where two part it is a two-party primitive where one party the sender holds this linear function AX plus B and the other party holds this evaluation point alpha and at the end of the protocol receiver will learn A alpha plus B and sender will learn nothing. So there are many available construction passively secure, actively secure, etc. But for our specific instantiation of the PSI protocol, we use a maliciously secure welly protocol from GNN 17 which also achieve constant communication over it. Now how to do PSI from welly? So from welly, we define a functionality, restrictive functionality welly plus which actually don't allow the receiver to input zero values in the welly functionality. And then from that we define a functionality called oblivious polynomial either addition Yeah, so we define this OPA functionality which essentially take two polynomial randomize it and add it and from this OPA functionality we get this our two-party PSI protocol. And from this two-party PSI protocol we get this multi-party PSI protocol. And note that like if you don't want active security you can go from this welly directly to this OPA functionality and then to the PSI and multi-party PSI. So it's a nice background. So how to do this to PSI from welly? So the idea is simple, first you encode your sets into polynomial such that each element of the set represent the root of the polynomial. So Alice encode is set SA to PA of X in this way, Bob encode is set SV to PB of X in this way and then observe this PA of X plus PB of X the roots of this polynomial from the roots of this polynomial you can actually detect the intersection of two sets. But obviously this is not secure because given this PA of X plus PB of X one can remove this PB of X and learn the input of the other party totally. So how to resolve this issue? So the simple thing what we can do is just randomize this polynomials and add them. And so and we call it the intersection polynomial which is PA into R1 plus PB into R2. And so if you see closely again the roots of this polynomial actually give the intersection of these two sets SA and SV. So actually this is already shown by Krishna and Song that this linear random polynomial can be written as like GCD of PA comma PB into some uniform random polynomial of the matching degree. And the roots of this GCD of PA and PB already gives the intersection and this roots from this uniform polynomial actually gives no information about the other party's input. So we use this fact. So in this paper actually they kind of encrypt this polynomial with additively homomorphic encryption and then for malicious security they use zero knowledge proof. So that's why using this heavy cryptographic machinery they lose the concrete efficiency of the protocol. So instead what we use we use this primitive call OLE to do this randomized addition. So first of all I define this functionality which is called OPA oblivious polynomial addition. In this functionality Alice give input is input polynomial PA and some random polynomial R and Bob give his input polynomial PB. And at the end of the protocol Bob will learn this PA plus PB into R. So in other terms actually Alice randomized Bob's input polynomial and add his polynomial to that. So how we can realize this functionality we can realize it from OLE in a simple manner. So note that the input of A and B is this PA and PB polynomial which are of degree M. And now A choose some random polynomial R1 and R2 of degree M. And randomized his own polynomial PA with this R1 well so I call it P which is equal to PA into R of 1. And then Alice evaluate his polynomial P and this random polynomial R was a publicly known index like alpha 1 to alpha 2M. And Bob will also do the same thing with his input polynomial PB. And then they invoke like 2M OLEs where Alice's input is P of alpha i and R2 of alpha i. And Bob's input is PB of alpha i. So now from each invocation of this OLE Bob will learn this PB into R2 plus P of like evaluation of PB into R2 plus P. And you can see the degree of this PB degree of this R2 is M. So the total degree of this polynomial is 2M. So from 2M evolution points Bob can reconstruct the polynomial PA into R1 plus PB into R2. So that's the functionality with order of M OLE calls you can actually randomize and add to polynomials. It's interesting to note that it's already this functionality is already gives a one sided to PSI protocol with passive security because this randomized polynomial already contains the encoding of the intersection. So but with passive security and yeah this protocol is definitely information theoretic in F OLE hybrid model and the communication complexities like order of M field elements even if you implement this F OLE using that OLE protocol from GNN 17 because that has a constant communication over it and it's coming back. So we are done with this OPA functionality. So from OLE we designed this OPA functionality with passive security but what about active security? For active security we have to use actively secure OLE box in place of passively secure OLE but that's not enough. We have to ensure that receiver cannot input a zero value to all the OLE invocations because otherwise the receiver can learn the polynomial of the sender fully. So we define a functionality called OLE plus which do the task for us and which request only two OLE calls. And then at the end we need a consistency check and we are working with the polynomials and whenever working with polynomials that's nice because you have the input and output polynomials you pick a random point and check the consistency of the polynomial. So that's a simple check we do at the end of the protocol. And so we are done with actively secure OPA protocol. Now from this I'll show that how we achieve the actively secure two PSI when both the party will get the output. So the idea is that Alice now choose this random polynomial UA which has some degree 2M and some random polynomial RA and RA prime with degree M. And they, Alice and Bob invoke the OPA functionality where Alice input this UA and RA and Bob input his polynomial PB. As a result the Bob will get this ASB which is PB into RA plus UA. This actually can be seen as a secret sharing of this randomized polynomial PB into RA where AS share is minus UA and B share is ASB. So given that like Bob will also do the same thing he will do some UB and RB and secret share the AS polynomial PA into RB. So once they're done with that Alice and Bob will de-randomize these things in a way and add them in such a way such that it will result in this polynomial which is PA into some random polynomial plus PB into some random polynomial. And this is, this already gives the intersection. So and then at the end they will run the similar consistency check like evaluating their input and output polynomial in a random point and check whether the relation holds. Now if you see closely like this part of this protocol don't leak any information because this PB into RA is masked by a random 2M degree polynomial UA and this PA into RB is a random 2M degree polynomial UB. So up to this point this is totally secure but a malicious adversary can try to de-randomize it in many different ways but that leads to a wrong polynomial because this UA and UB are chosen totally in random and if they say wrong polynomial then the check will fail and then both the party can abort. So that's the whole protocol and the communication complexity is order of M field elements because this OPA can be implemented with order of M field elements and for de-randomization again you have to transfer O of M field elements. And computational complexity is dominated by order of N log M field multiplication because of the to detect the intersection you have to do the multipoint evaluation of this final polynomial and that requires this first modular transform which requires the same log M field multiplications. So we are done with this 2PSI and now I will show, I will give the intuition that how we can get this multiparty PSI from this 2PSI kind of directly. So we use the start technology like from paper by Muthu and Kermit from 2017. So here I take a toy example of free party case where free parties A, B and C they have their polynomial P, A, P, B and Pc. Now C will say compute the intersection and then C will learn two party protocol with A and B to learn the intersection polynomial P, A intersection C and P, B intersection C. Now if you see like he defined this intersection polynomial as P, A intersection C plus P, B intersection C and root of this polynomial already give A intersection B intersection C. Okay, so we are done. But unfortunately no because here the central party can learn the intermediate intersection. So we can learn intersection between A and C and the intersection between B and C which is not allowed in the ideal functionality. So we have to do something about that. So what we do is like we allow A and B to run a set of phase where they can talk to each other and make some random mask like RA and RB. After they are done with that then C start talking with A and B and run the two party PSI protocol and where A use the random mask RA minus RB and B use the random mask minus RA minus RB. So at the end of the protocol the C will learn the same polynomial masked with some value and from this instance you will learn some P, B intersection C learned with the negative of that same polynomial. So now if we add both of them you will get the same intersection polynomial and thus can detect the intersection. But in this case C cannot learn this intermediate intersection due to this random masking. So yeah that's the protocol and that can be definitely extended to multi-party case and for malicious security we have to add a similar check as a two party PSI protocol at the end of the protocol. So in terms of communication for the set of phase so A and B can actually exchange some PRG seeds and then extend it to form this RA and RB. So it's like N square communication and then for this N instances of two PSI that is like NM communication. So the total communication is like N square plus NM into K and computationally the central party have to do N two PSI instances so this is dominated by N into M log M multiplication. So that's it, that's the multi-party PSI protocol. For the full protocol you can look into the paper there are some minor details. So we are done with this multi-party PSI. Now I'll give an intuition about how we can get threshold multi-party PSI from this multi-party PSI protocol. So let us consider a two party one-sided PSI case, the first thing the PA protocol. So what actually what's happening here? So here actually Bob learns this intersection polynomial which is PA into R1 plus PB into R2 and Bob evaluates this intersection polynomial over its points and get these outputs. And whenever this BI belongs to the intersection he will get this white box which is zero output and otherwise he will get some random evaluation random points over the field. And from these zero outputs Bob can detect the intersection. So that's what's happening in all the protocols. Now the idea is to make it threshold use a different encoding. Use the encoding such that this PA prime of alpha evaluates to one instead of zero when this alpha is in from the set. And similarly Bob can encode his set SV to PB prime such that like when PB prime alpha is evaluated to one if alpha belongs to this SV. So if we do that and we choose this random polynomials not in a random way but in a certain way such that this like this R1 prime and R2 prime of alpha gives a share of some LM robust secret sharing scheme which like share of the values of S1 and S2 where we want to achieve this L threshold. So now if you run the previous protocol like before Bob will learn this polynomial which I'll call that P intersection prime which is PA prime into R1 prime plus PB prime into R2 prime. And evaluation of this polynomial now give him something like that where this for the BI's where the BI belongs to the intersection he will get share of this S1 plus S2 because this PA prime and PB prime evaluates to one for this encoding and this R1 prime alpha and R2 prime alpha gives him S1 plus S2. So he'll get one share of S1 plus S2 and in the similar way if you get like kind of L shares of S1 plus S2 from that L shares he can reconstruct this S1 plus S2 and thus can detect the intersection. But there is a problem because now the other evolution points are not random because this R1 prime and R2 prime are not random polynomial of degree m. So that might leak some information about the other parties input. So to resolve that issue so one way to resolve that issue is to use P intersection like where you encode the polynomial like the previous MPSI protocol and then use the new encoding and define this P intersection plus P intersection prime as intersection polynomial. So if you do that then Bob will evaluate this polynomial over his input so he'll get something like that. So first he get this random points for the BI which belongs to the intersection he will get some zero, some random points zero and so on. And from this thing he will get something like this where he gets the secret share of S1 plus S2 whenever BI belongs to the intersection and otherwise he will get something else we don't care. But now if you add those things so this gives like in the position where BI actually belongs to the intersection he will get the share of S1 plus S2 and for the other case the evolution points looks random. So we have to take care that in the protocol we take care of the fact that Bob ultimately will learn just this polynomial not any like just not P intersection or P intersection prime separately. So if so and then we are done because from here Bob can compute this S1 plus S2 and then detect the intersection. And that's the and that can be definitely extended to multi-party case. I just give an example for two-party case and it has a same communication and computational complexity as the multi-party PSI protocol. So with that I'm done so in summary we give a very simple protocol for actively secure to PSI in OLE hybrid model we generalize it from to PSI to MPSI this is the most efficient actively secure MPSI till date and this is also the first actively secure threshold MPSI protocol. So in the paper we also give a estimation of the concrete performance we don't have a implementation but we just estimate the communication over it of the paper. And so for the details you can look into that paper actually surprisingly the performance like at least communication over it of our two PSI protocol is comparable and in fact in some cases it's better than the most efficient to PSI actively secure to PSI protocol. And feature direction obviously you can use the more optimization which is already exist in the PSI literature and then implement this OLE PSI protocols to see the actual concrete efficiency of these protocols. And one of the important thing is that performance in offline and online paradigm. So all these things are in OLE hybrid model. So you can do like in the offline phase you can do all the OLEs with random input and then in the online phase you can de-randomize these OLEs to get the actual output. And that actually drastically improve the communication over it of the protocol. And so that's something to look into. And then another question is so we get a threshold PSI protocol with linear communication complexity so we can look can we do better. So actually we have a protocol of threshold PSI with sub-linear communication complexity and so maybe I'll going to explain that in crypto this year. And so this is a print link and thank you. Thank you Satrajit for the talk and for the expert handling of the glitch. Any questions? All right then let's thank all the speakers in the session and thank Lorenzo for expertly handling the glitch.