Hello everyone. Thank you for listening to this talk about the exact round complexity of best of both worlds multi-party computation. I am Divya and this talk is based on a joint work with Arpita Patra and Swati Singla.

Let us now begin with what secure multi-party computation, or MPC, means. Suppose we have a set of n mutually distrusting parties, among which t are corrupt and controlled by an adversary. The goal is that these parties want to compute some combined function on their private inputs. Now MPC gives them a means to do so while ensuring two main properties. The first is correctness, that is, at the end of the MPC protocol everyone gets the correct function output. And the next is privacy, which means that nothing beyond the function output will be revealed. So in a nutshell, you can think of MPC as a protocol which emulates the effect of having a trusted third party to whom all these parties could simply submit their inputs and get the output in return.

Let me now introduce some security notions of MPC that are classified based on how robust the protocol is. The strongest and most desirable notion is guaranteed output delivery, abbreviated as GOD. In such protocols, no matter what the adversary does, he cannot prevent the honest parties from obtaining the output. So basically, at the end of such protocols, everyone is guaranteed to get the output. A slightly weaker notion is fairness. Here, even though everyone is not guaranteed to get the output, it is fair in the sense that if the corrupt parties obtain the output, then so do the honest parties. So this is basically an all-or-nothing kind of situation where either everybody obtains the output or nobody obtains the output. An even weaker notion is that of security with unanimous abort. Such kinds of protocols can be unfair. So it is possible that the corrupt parties obtain the output while the honest parties don't. However, there is an agreement or unanimity amongst the honest parties.
So the guarantee is that either all the honest parties will obtain the output or all of them will abort. Lastly, the weakest security notion is that of security with selective abort. Here, the adversary can break unanimity among the honest parties by selectively depriving some of them of the output. For example, here the adversary may choose that only the middle honest party should get the output while the other two don't. So in such protocols, there could be a disagreement even amongst the honest parties. Here I have listed the notions from strongest to weakest, and therefore the implications follow accordingly. That is, guaranteed output delivery would imply fairness, which implies unanimous abort, which in turn implies selective abort.

Naturally, it is desirable to get the strongest security notions, but that may not always be feasible. In fact, there is a famous feasibility result by Cleve, which shows that it is possible to get GOD and fairness only in the honest majority setting, where the adversary corrupts less than half of the total population. This means that in the dishonest majority setting, where the adversary has the power to corrupt more than half of the population, the best security notion that one can hope for would be just unanimous abort.

So with this background, let's move on to see what the two worlds are and what is meant by best of both worlds MPC. The two worlds are actually the world of honest majority protocols and the world of dishonest majority protocols. Both these settings have been well studied in the MPC literature and each of them has its own pros and cons. Let's begin with the world of honest majority protocols. The biggest advantage of the protocols in this setting is that it is possible for them to achieve fairness and guaranteed output delivery. But the downside is that these protocols are secure only if the adversary corrupts less than half of the total population.
So suppose you run a protocol meant for honest majority and it so happens that the adversary has corrupted more than half of the total population; then all bets are off. The security would completely break down and you don't even get the basic properties of privacy or correctness. Now coming to the case of the dishonest majority setting. One of the biggest advantages of these protocols is that they maintain privacy and correctness even if the adversary corrupts n minus one out of the n parties. But the downside is that these protocols are designed to guarantee at best unanimous abort. So if you execute a protocol designed for dishonest majority and the adversary actually happens to corrupt only one party, still the protocol may result in abort. This is definitely undesirable, because in this particular scenario of a single corruption it was actually theoretically feasible to achieve fairness and GOD.

So in a nutshell, the problem is that the security guarantees of the protocols in these respective settings are very rigid and they completely break down in the other setting. This is especially problematic in situations where you don't know in advance how many parties the adversary is going to corrupt. In those cases it becomes difficult to decide which category of protocol to select. So ideally you would want a single protocol that is compatible with both settings of honest and dishonest majority. This is exactly what best of both worlds MPC offers. It is a single protocol that achieves fairness or guaranteed output delivery when the number of corruptions happens to be less than n by two. And that very same protocol would also maintain privacy and correctness and achieve the best possible guarantee of unanimous abort if it so happens that the number of corruptions is greater than or equal to n by two. So this is how best of both worlds MPC is able to combine the best properties of protocols in honest majority and the best properties of protocols in dishonest majority.
This class of best of both worlds MPC was introduced by Ishai, Katz and others. As per their definition, a best of both worlds protocol is characterized by two thresholds, t and s, where t refers to the threshold for honest majority and s refers to the threshold for dishonest majority. So to get best of both worlds in the true sense, the protocol should achieve the strongest guarantee of GOD against any t less than n by two, that is, in the honest majority setting. And simultaneously it should give UA against any s less than n, that is, in the dishonest majority setting. So we refer to this combination of simultaneous security guarantees as GOD-UA best of both worlds. Now, while this combination is indeed ideal, unfortunately the above work of Ishai and others showed that the ideal GOD-UA best of both worlds is possible only if the number of parties is strictly greater than the sum of the thresholds s and t. So they showed that if this condition does not hold, then it is not possible to design a poly-time protocol that achieves GOD against t corruptions and UA against s corruptions simultaneously.

Subsequently, there were works which explored if this constraint could be circumvented. So to get around this constraint, it is natural that you have to weaken the security in either the honest or the dishonest majority setting. There were many such attempts, out of which I'll highlight a couple of them. In this first work in 2010, they showed that if you are ready to settle for fairness in honest majority instead of guaranteed output delivery, then it is possible to get best of both worlds MPC for any t less than n by two and s less than n. And in particular this constraint of n greater than s plus t can be avoided. So we refer to this notion as fair-UA best of both worlds, which achieves the second best guarantee of fairness in honest majority and continues to get the best guarantee of UA in dishonest majority.
There were also other attempts which weakened the security in the dishonest majority setting. So in one such work, they showed that if you allow the adversary to obtain s evaluations of the function with different choices of inputs of the corrupt parties in the dishonest majority setting, then you can still avoid this condition of n greater than s plus t. So such best of both worlds protocols give the best in honest majority, that is GOD, but they give this weakened security notion, which is somewhat similar to residual security, in dishonest majority.

In our work, we focused on two classes of best of both worlds protocols. The first is the fair-UA best of both worlds, where we do not have any constraint on n except the natural bounds of t being less than n by two and s being less than n. We chose to study this class as we felt that this relaxation is quite meaningful, and fairness is almost as good as guaranteed output delivery for many practical applications where a rational adversary would not want to fail the honest parties at the expense of losing his own output. The second class that we looked at is the ideal best of both worlds, that is, GOD-UA best of both worlds protocols. Here, apart from these natural bounds on t and s, we also assumed that n is greater than s plus t in order to adhere to this feasibility result. So to be more specific, in our work we looked at the exact round complexity of these two classes of best of both worlds protocols.

Before I present our results, let's look at what is known about the exact round complexity of the individual settings of honest and dishonest majority. We considered three popular kinds of setup. The first is the plain model, where no setup is assumed. The second is the CRS model, where we assume that the parties have access to a common random or reference string at the beginning of the protocol.
And the third category is the CRS plus PKI model, where we assume that the parties have access to a public key infrastructure in addition to the CRS. So in honest majority, for the plain and CRS models, three rounds are known to be necessary and sufficient for fairness and guaranteed output delivery. However, in the model with PKI, two rounds are known to be optimal for these two security notions of fairness and guaranteed output delivery. Next, coming to the case of dishonest majority, for selective and unanimous abort, four rounds are known to be necessary and sufficient in the plain model. However, in the other two setups of CRS and CRS plus PKI, two is known to be the optimal round complexity for these security notions with abort.

Our goal was to study the exact round complexity for these two classes of best of both worlds protocols in these three different types of setup. One trivial observation is that any lower bound for the individual settings of honest and dishonest majority would translate to a lower bound for best of both worlds. That is because the best of both worlds guarantees are strictly stronger and they subsume the individual guarantees in the honest and dishonest majority settings. Therefore, if you just take the maximum of the lower bounds of honest majority and dishonest majority, that would already give you a lower bound for best of both worlds. But this may not be tight, because it may be the case that best of both worlds MPC requires more rounds.

First, we considered the class of fair-UA best of both worlds, and here we showed that five is the lower bound for the plain model and three is the lower bound for the other two types of setup. Among these lower bounds, the lower bound in the CRS model is directly implied by the lower bound in the honest majority setting for fairness. However, for the other two setups of the plain model and CRS plus PKI, these lower bounds were not directly implied and they were in fact new.
I will be elaborating on these arguments shortly. Coming to the upper bounds now, most of them are compiler based, and for this upper bound of fair-UA best of both worlds, we designed a compiler that transforms any R round UA protocol in dishonest majority into an R plus one round fair-UA best of both worlds protocol. So if you use this compiler on the round optimal UA protocols in dishonest majority, then you would automatically obtain the round optimal fair-UA best of both worlds protocols. In order to use this compiler, we observed that in the CRS and CRS plus PKI settings, there were already existing two round constructions that achieve UA. So we could directly plug those constructions into the compiler in order to get our matching upper bounds for CRS and CRS plus PKI. However, for the plain model, we observed that the existing four round constructions only achieved the weaker security notion of selective abort. So for this, we showed how the existing four round constructions could be boosted to obtain unanimous abort, and then our compiler could be applied in order to yield this five round optimal upper bound. So this completes the picture of the exact round complexity of fair-UA best of both worlds, and all these bounds are shown to be tight.

Next, we looked at the GOD-UA best of both worlds protocols, where the lower bounds are four, three and two for the respective settings. Here the lower bounds for the plain and the PKI models directly follow from the existing lower bounds for UA in dishonest majority. Next, regarding this three round lower bound in the CRS model, we observed that it followed from the three round lower bound for GOD in the CRS setting for honest majority for most cases of n, s and t. However, there was a small gap, because this lower bound of three does not hold for some special cases like n greater than or equal to four and t equal to one.
So in order to close this gap, we showed that even for these special cases, where you can in fact get two round GOD protocols in honest majority, you would still need three rounds to get GOD-UA best of both worlds. So this completes the picture of the lower bounds, and in terms of the upper bounds, we could show tightness of the upper bounds in the CRS and CRS plus PKI models. For this, we designed compilers which start from the two round UA protocols of GS18 and BL18 in the CRS setting in dishonest majority. And we used our compiler to transform them into the round optimal protocols of three and two rounds in the respective settings of CRS and CRS plus PKI. Lastly, coming to the plain model, we constructed a five round upper bound for GOD-UA best of both worlds. So as you can see, there is a gap of one round here which is left open, as four rounds are known to be necessary and we showed five rounds to be sufficient. For this upper bound, we built on some ideas of the work of BL18, which has a compiler from k round OT to k plus one round MPC. Their compiler was for the dishonest majority setting, and we modified it to meet the demands of best of both worlds and to get guaranteed output delivery in honest majority. Though this construction is not round optimal, it interestingly turned out to be more challenging than our other upper bounds. For the details, I refer to the paper.

So this actually completes the overview of our results, where we nearly settled the exact round complexity of these two classes of best of both worlds protocols for these three different kinds of setup. In the rest of the talk, I am going to elaborate on our lower bound result for fair-UA best of both worlds MPC. The crux of the argument is that any R round fair-UA best of both worlds protocol can be transformed into an R minus one round Oblivious Transfer, or OT, protocol. So the proof is via contradiction, to show a lower bound of five rounds in the plain model.
We begin with the assumption that there is a four round fair-UA best of both worlds protocol in the plain model between three parties P1, P2 and P3. Recall the security guarantees of this class of protocols. This would mean that the protocol should be fair when t equals one, and it should achieve unanimous abort in the dishonest majority case, which corresponds to s equal to two. Next, suppose that this three party protocol is used to compute a specific three party function, the details of which I will describe in just one minute. Now the overall idea is to transform this four round best of both worlds protocol into a three round OT protocol between a sender PS and a receiver PR. Let us quickly recall what the OT functionality looks like. It involves the sender having as input two messages M0 and M1, and the receiver has an input choice bit c. The output is that the receiver obtains the message of his choice, Mc, while the sender has no output.

Let's now look at how this transformation works. So we assume that there is a four round best of both worlds protocol, let's call it pi, between these three parties P1, P2 and P3. Here the input of P1 is a pair of messages M0 and M1, which is similar to the input of an OT sender. Next, the input of P2 is a choice bit c, which is similar to the input of the OT receiver. And additionally P2 also has a random string R2 as input. And lastly, the input of P3 is a random string R3. Now the function is defined such that the output of the function for P2 and P3 is Mc, while the output for P1 is the sum of these random strings, R2 plus R3. Now consider an execution of pi where all the parties behave honestly, and suppose that this is how the interaction amongst the parties looks in an all-honest execution. Next, we look at a scenario where P1 is corrupt. So suppose he behaves honestly until round three and he simply remains silent in the last round. This is the manner in which P1 misbehaves.
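As an added formalization that is not part of the talk, the three-party function that the protocol computes in this argument, and the OT functionality the transformation aims for, can be written as follows. The symbols are the talk's own: inputs $(m_0, m_1)$ for $P_1$, $(c, r_2)$ for $P_2$, $r_3$ for $P_3$, and the output triple lists the outputs of $P_1$, $P_2$, $P_3$ in that order (the "sum" of the random strings is written as $+$ exactly as the talk states it):

$$
f\big((m_0, m_1),\ (c, r_2),\ r_3\big) \;=\; \big(\, r_2 + r_3,\ \ m_c,\ \ m_c \,\big)
$$

$$
\mathcal{F}_{\mathrm{OT}}\big((m_0, m_1),\ c\big) \;=\; \big(\, \bot,\ \ m_c \,\big)
$$

The argument that follows uses exactly these two facts about $f$: a $P_1$ that is silent in the last round still has the view of an honest $P_1$, so correctness gives it $r_2 + r_3$; and fairness against $t = 1$ then forces $P_2$ and $P_3$ to be able to compute $m_c$ from their joint view after round three, since no further message from $P_1$ arrives after that. Mapping $P_1 \mapsto P_S$ with input $(m_0, m_1)$ and $\{P_2, P_3\} \mapsto P_R$ with input $c$ (and $P_R$ sampling $r_2, r_3$ itself) is what turns $f$ into $\mathcal{F}_{\mathrm{OT}}$.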
So in this situation, there would be no outgoing messages from P1 in the last round, but he would receive the incoming messages. Now it's clear that despite his misbehavior, P1 should be able to obtain the output, because his view is similar to the view of an honest P1 in an execution where everyone behaved honestly. Therefore, due to the correctness of the protocol, we can conclude that P1 obtains the output R2 plus R3. Next, recall that pi achieves fairness against a single corruption. So here, in this scenario of a single corruption of P1 where he managed to get the output, we can conclude that P2 and P3 should also obtain the output Mc in order to maintain fairness. This leads us to the claim that the combined view of P2 and P3 at the end of round three itself should be sufficient to compute Mc. This is because in round four, they only interact amongst themselves and they do not receive any new information from P1 after round three.

So we now build on this claim to transform this four round protocol pi into a three round OT protocol. In this three round protocol, the sender PS emulates the role of P1 in pi, while the receiver PR would pick random inputs R2 and R3 and emulate the roles of P2 and P3 using his input bit c. In some more detail, what PS will do is that he will use his inputs M0 and M1 and then he would send messages similar to what P1 would send in pi to P2 and P3. On the other hand, what PR would do is that he would send messages according to the protocol pi based on whatever P2 and P3 would have sent to P1. So now the claim is that these three rounds of the protocol in this transformation actually form a secure OT protocol. For this, we first observe that the receiver PR will be able to compute the output Mc at the end of these three rounds. This is because the view of PR is similar to the combined view of P2 and P3 at the end of round three of pi.
And from the previous claim, we already know that that was sufficient to compute the correct output Mc. So we can conclude that these three rounds should result in PR obtaining Mc. Next, we analyze security against a corrupt sender. So say PS is corrupt, and as per OT security, we need to make sure that he learns nothing about the choice bit c of the honest receiver. Now, this can be argued because the corrupt PS in this OT protocol translates to P1 being corrupt in pi, which is the scenario of t equal to one. And in this case, we know that pi is secure and that P1 would learn nothing beyond R2 plus R3, which leaks nothing about c. Similarly, security when PR is corrupt can be argued because this translates to the case where P2 and P3 are corrupt in pi, and s equal to two. So by those security guarantees, we know that PR would not be able to learn anything beyond his output Mc. And in particular, he cannot learn the other message of the sender, which is M_{1-c}. So we can now conclude that this is indeed a secure OT protocol.

However, note that this OT is actually bidirectional, because in each round both the sender and the receiver are sending messages. So we now apply a transformation which appeared in a recent result. There they showed how to transform a k round bidirectional OT into a k round alternating OT. When we apply this transformation, we get a three round protocol of this form, where each round involves a message in only a single direction. So now we have finally arrived at a three round alternating OT protocol that is secure in the plain model. And this gives us the final contradiction, because such a three round alternating OT in the plain model with black-box simulation is known to be impossible by this result of 2006. So this completes the lower bound argument for five rounds in the plain model, and we use a similar argument for the PKI model as well.
So to summarize, the main takeaway is that best of both worlds MPC protocols are the best fit for situations where you do not know in advance how many parties the adversary is going to corrupt. And further, in terms of round complexity, our results show that best of both worlds MPC is actually not at all demanding. The exact round complexity of both these classes of best of both worlds protocols turned out to be either the same as, or at most one more than, the maximum of the needs in the honest majority setting and the dishonest majority setting. With this, I conclude my talk, and thank you very much for listening.