 Yes, my name is Michael Lilsen and you already got the title. So I guess just get going So this talk and the or this protocol is called the tiny table protocol Because it has something to do with tiny tables, I guess and it's a new protocol for two PC and it's Well, my opinion is that once you see it is like obviously simple, but I guess you'll see and decide for yourself So this a short overview of what I'm gonna talk about and just how this talk is gonna be I'm gonna start by motivating warming up as usual then I'm gonna jump straight to the protocol present the protocol Present the pre-processing material, which I'll come back to what is Some properties an extension of the protocol and finally a benchmark like how does it perform in real life? All right, so two-party computation. This is the Session we are talking about this is our basic setting our setting is special here because we only consider boolean circuits But at least on Bob each have an input x and y they want to evaluate some circuit See on their input such that the only thing that they learn is the Evaluation of the circuit of their inputs So this is this is good. We we really really like this box But we have to settle with a real-life protocol instead The problem with many protocols or existing protocols are that they are too slow so to the rescue we have the pre-processing model and I beloved child has many names. It's also known as correlated randomness something else But the main idea is that just as before the parties run some slow offline pre-processing protocol Where we push all the public key? Primitives and then later on we can do a super super fast online computation By using this pre-processing material D and D prime All right, so this is our setting and and of course the tiny tail protocol is The fast online and I will return to how we generate the pre-processing material So just to sum up being a bit more formal about the setting two-party computation In the pre-processing model malicious security static corruption and with this on its majority. So one party can be corrupt All right, so to get started with the protocol Let's do a simple warm-up with computing an AND gate Which is due to each eye at all from 13 and this is what an AND gate look like The pre-processing Functionality now. I'm just talking functionality. It's gonna do something very simple It's gonna assemble two random bits Then it's gonna scramble an AND gate and by this I mean we simply take an AND gate and then depending on the two masks We flip the AND gate like horizontally or vertically here Then we secret share this table By a usual additive secret sharing scheme. So we just take our table We just scrambled and then we secret share it by choosing a random share and making sure this invariant holds and Finally, we send one mask to Alice and the table a to Alice and the mask are B to Bob with the table B Now to compute the AND gate in the online protocol Alice and Bob now have real inputs X and Y First they encrypt their input using this mask as a one-time pad So they simply I used the notation EA for the encryption of a then they share the one-time pad encryptions of their inputs then they simply look up in their table a and B and Send the corresponding share in this index of the table and finally they reconstructed So a very simple way to compute an AND gate by making these correlated tables if you want And of course the tables and the mask is the pre-processing material here So now we are ready for the tiny table protocol. That's good So the offline phase in the tiny table protocol is a bit similar I'll say we have a circuit C with n gates and m wires and now for each wire instead we select a random mask and We will compute with EA which is the encryption of the real bit B. I For each gate we do this table trick just as before so we secret share a table But but notice here that the Rw is such that we also encrypt the output of the gate under the corresponding next mask on the output on the mask that we assign to the output wire of this gate and Then of course we send this to the players we send the corresponding input masks if they are gonna for which wires they are gonna input an Output mask in this case. We just assume both parties are gonna learn the output and Finally the tables just as before So for the online protocol, I I bet this is maybe the simplest Online protocol you have ever seen for two-party computation for the inputs We send the one-time pet encryptions of the inputs just as before for each gate as an invariant We know the encryptions of the input wires We simply look up in the tables exchange the shares and reconstruct the encrypted output and Finally for the output we just use the the output mask for the circuit to sorry to decrypt the output and Both parties knows this mask. So a very simple two-party computation protocol in basically three lines or so alright So of course this protocol is not actively secure. So The parties can cheat somewhere with the bits that they have And recall that there is back a mask bit for each wire there is the tables for each gate and Also know that that if they want to cheat somewhere They cannot really cheat at the input because that just constitutes to choosing another input and of course in the output Well, they just return an hour another output for themselves So the put the place that people can cheat is by sending the wrong table values when they look up in the tables So we fix this simply by making the pre-processing functionality commit the players to each of the bits in these tables a Symbol way is that for each table entry One party now holds two random bit strings and the other one holds the one in the position for his corresponding share so When computing the NAE way would be that after every single gate We also send a Mac for their share. So they send a bit and a Mac but we can easily extend this and make it more efficient in by Accumulating the Mac simply X oring the random bit strings whenever you accumulate an and or a computer and gate And then finally just before the output phase you send this big accumulated Mac alright so Some very short notation on secret sharing and max if you're not familiar with it already now I'm going I'm warming up for the pre-processing functionality that is going to generate these tables now for now It's just a magic functionality So we say that the parties Alice and Bob each holds a global key And we say that a secret sharing of X is such that X a plus XP Which is held by each party forms a secret sharing of of X and that these betas and the Y's is simply a Mac a linear Mac Now we have the terms a random sharing Which is basically just a secret sharing of a random value and a multiplication triples, which is three shareings But such that this relation holds that a B equals C and Note that with this with these secret sharing and with this notation players can locally add secret your values and they can use one of these multiplication triples by beaver standard trick to Compute a multiplication by secret here of secret shareings All right, so to generate the pre-processing material. This is again in the Pre-processing phase or whatever you want to call it So we attach ourselves on the tiny OT protocol which exactly spits out these random shareings and multiplication triples which we are going to use to generate the tables and The core idea here is of course to use a random sharing for each wire and then a multiplication Triple for each gate the scramble gate that we are going to compute So for each random wires, this is a protocol to generate the pre-processing material For each wire, they now assign a random sharing for each gate which now have three Shareings which corresponds to the the masking bits We we compute the table by first multiplying by using a triple the two input masks And finally we can buy by knowing constant C and D. There is like four entries. We can simply compute the table locally Also here the max are dependent. They are using this linear max scheme So we just use a random oracle to get two random bit strings if we want to use this Max scheme I showed you just before and Now for each input wire we open the wire to the guy who owns these wires Who is going to input on the wires and for each output wires. We just open all the The masks So now we have exactly our pre-processing material that we want All right, so a very simple protocols just to talk a bit about some properties this protocol has Of course, we have three XOR like every two-party Computation protocol or modern one and the idea here is simply we make The output mask which is going to encrypt the output of an XOR gate Simply be the XOR of the two input masks and then in the online phase. They can simply just locally XOR the two encryptions together to obtain the output Not gates. We simply negate the mask and then we Just remove the not gate from the circuit Also, we can generate larger tables instead of just boolean fan in two tables We can generate say the ASS box which has eight bits as input And it follows exactly the same pattern that we we Generate a truth table with this input mask. We encrypt it with the output mask and then with secretaries to a and B We can also use smaller max instead of these Long bit strings then we can of course use the linear max scheme which is used for the pre-processing phase So that we obtain for example for the S-boxes. We don't need 256 random bit strings for each of the 256 entries in the tiny tables and Finally, we obtain I think the the best complexity for a two-party computation protocol Namely by by constructing a special version of the tiny tail protocol using some coding schemes on top So one way to say if we just flatten out all the tables during the computation It's basically just a long bit string where we want to open some of the wires and by using this view We we can get the complexity down to To this k epsilon s alright, so I Want to talk a bit about a benchmark because this protocol is is fast as I as I promised you So we are benchmarking two versions one is a binary AS Which consists of a Boolean circuit from Bristol University or University of Bristol? Which is the AX AS expanded and this circuit has 41 layers Another one and and another more interesting view is is Yeah, we also have the free XOR and no knots here a More interesting version is what we call the optimized AS So basically in two PC AS is kind of the benchmark that you want to show you can do fast and that is Really lucky for us because it's because of the structure So AS is basically something like this at around key some rounds and then some other subroutines But if we look at these Subroutines we notice that all the green subroutines here. They are linear and Of course, we want to take advantage of that. So To make an optimized AS 128 version using the tiny tail protocol we can simply compute all the linear operations using AS and I so it's like We don't have to do any Boolean circuits. We simply just use like four operations directly on the CPU and for each in the subbyte which contains is it a 16 lookups We simply exchange each of the S-Box lookups with a tiny tip a secret sharing instead and Then of course we add max and we add two checks to make it actively secure Alright, so a binary AS version and an optimized version Here is some numbers on what the pre-processed data looks like in real life for the optimized and the binary and of course, it's a bit higher for the optimized especially So by this of course passive should make sense The linear is the linear max scheme and the lookup here is is just these random bit strings I talked about before the max scheme used with different security parameters 32 and 64 bits and Of course the the linear is smaller in size and And of course the optimized version takes more space than the binary version because we have these larger tables And here are some timings Where the LAN setting is simply two computers in our department and the cloud is is using the large computation machines on on Amazon and I think worth noticing here is that we are now in the micro second range which is down to Like I think this constitute to doing a yes around to make a Hertz which is some Somehow comparable to you know one computer doing it locally with no computation all right, so This was the basic protocol we We simply have a mask We simply compute on these one-time pad encryptions for each wire And then we simply have a scrambled table for each gate doing the protocol So the take home basis of this talk is that we like correlated tables and For linear functionalities like in the AES why not just compute these linear functionalities directly on one-time padding cryptid values And finally, let's just only pre-pros the non-linear blocks just as we showed you before Yes, so that's all I got for you Thank you