 And my name is Jiang Zhang and I am the chair of this session. Here we have four talks. The first one is more efficient universal security constructions by Daniel Ganser, Anthony Smith, Thomas Sleitman, and the other names will give us a talk. Thank you very much for the introduction. So today, so my name is Agnes, as mentioned, and I'm from Cleveland, Amsterdam. This is joint work with Daniel Gunther, who is sitting here, and my advisor Thomas Sleitman. I'm going to talk about more efficient universal circuit constructions and the way we took another step on this theory practice lying forward. So universal circuits were proposed by Leslie Boney until 1976. The definition, so how he defined it, is that there exists a Boolean circuit that has size order of N, for which it holds that any Boolean function of at most size N, the UC can be made to compute. So we can compute any functionality with this universal circuit. So what does it mean that we can make it compute the functionality? It means that there exists a set of programming bits, such that we can input these programming bits into the circuit as an additional input, and it will compute our functionality on the original input, as shown here. Applications of universal circuits, there are a couple of more theoretical applications where it's used in some protocols to make it more generic or more universal. It can be used for obfuscation or some attribute-based encryption protocols. It can also be used for batch execution, secure computation, when we actually want to compute multiple functionalities faster. And it can be that if we want to compute it many, many times, then with batch execution and secure computation of universal circuits, we may be able to be more efficient. The most prominent application is private function evaluation, and I would like to go a little bit into detail about this. So first of all, we are in the secure multi-party computation session. So what is actually secure function evaluation or secure computation, or in my case, secure two-party computation? We have Alice on one side and Bob on the other, and they would like to get to know who of them is richer. This is the famous linearized problem, and there exist interactive protocols in which they can do it without the use of the trusted third party. Some of these protocols use Boolean circuits, and the two most famous ones are Yoast Galbert circuit protocol and the GMW protocol. And private function evaluation extends this portion a little bit. So now, on one hand, we have Bob, who became an insurance like the employee of an insurance company, and Alice would like to buy a car. So she also would want to know if Bob's insurance company gives her insurance for this car or that. So Bob would like to check if Alice is like if he can give insurance to her or not. So Alice provides all her sensitive information for this, and Bob provides this functionality, which is to be also kept private, since insurance company does not want to reveal it to Alice. And then we want some protocol like this, and this is called private function evaluation, that is similar to secure computation, but it also hides the function on one side. Okay, how can we do this? First of all, Bob should represent his functionality as a Boolean circuit, and then we can just use universal circuit and secure computation to compute this, because the universal circuit is a big entity for which we only need to reveal the maximum size of Bob's functionality, and then we can use it with the two inputs. So Bob now represents his functionality as a data, and then he can just input it into the universal circuit, and then we can get the result using secure computation. So what do we expect from a universal circuit construction in general? We expect that for an input circuit C, which has size N, which is the sum of its inputs, outputs, and gains, it gives us two things. First of all, it gives us the universal circuit itself, which can be generated by anyone. This is only dependent on the size of the circuit, and it also gives us the programming width, which actually depends on the input circuit. So this is the only part that depends on the input circuit. Okay, so where are we when it comes to universal circuit constructions right now? So as I mentioned, Valiant was the first to give the idea and prove the existence of such universal circuits, and he has given two constructions already in 1976. Both are recursive constructions, and they are based on, so one of them is based on a two-way recursive structure, so when we use two sub-structures within the structure, and the other one on a four-way structure. And this means, so the two-way construction has a slightly larger size than the four-way construction, but it has a better depth. So in some scenarios maybe we would want to use that, but in general, we like to optimize for the size, so the four-way construction is a little bit better. Then for 32 years, there was silence when it comes to use the research, and in 2008, Kalesi Promen-Schneider proposed another universal circuit construction, which also, they have been implemented, they have implemented, and this has an asymptotically larger size and also depth, unfortunately, but this was the first universal circuit construction that has been brought to practice. Then in, so last year, two concurrent and independent works have studied Valiant's two-way U.C. construction and managed to bring it into practice. So we were one of the works, it was published in Eurocrypt 2016, and we looked into the actual programming protocol of Valiant's two-way construction and brought it into practice. Our code is also available for this construction. And then also, the other work from Litma-Mohassem-Zalagian proposed the generalization of Valiant's construction to a K-way construction, so we can now have any number of recursion, so the recursive structure can use any number of substructures within it. Then in this work, we first of all look into bringing the four-way split construction into practice, and second of all, we also provide a hybrid construction which will achieve only a slightly better concrete size than of Valiant's four-way construction, but asymptotically, it will have the same size. Okay, so Valiant's U.C. construction is in a very brief manner, so we have the input circuit, which has at most size n, and we can generate its graph at the first step. So this means that for every input output and gate, we generate a node, so there is a node, and for every buyer between them, we have an edge. This is quite intuitive, and they call this the graph of the circuit. Then we can generate, even n, the so-called universal graph, and then we need to embed the graph of the circuit into this universal graph. Now I want to tell you what embedding actually means in this sense. So we have a universal graph, and the property of this graph is that you can have any combination, so you can go from any special nodes to any other special nodes in this graph, and you can have any combinations that is valid in this graph to circuit. And the embedding means that we want to find this joint path within this universal graph for every single edge in the original graph of the circuit. So this is a small example for what embedding means, so we can see that this is the path we found for this edge, and this is another path we found for this other edge. Okay, so after this, we can just output the universal circuit and the programming bits as well. So the programming bits depend on this embedding. So our contributions, the first one is looking into the programming algorithm of the four-way construction and making it a little bit more modular so we can then bring it into practice. So the modular... So the construction itself, as I mentioned, has a four-way recursive structure. This means that we have an internal skeleton which is then created for end nodes and then we create four smaller skeletons for end-over-four nodes. And this skeleton consists of many blocks that repeat so that are repeatedly. And then these nodes, so these blocks look like the one on the left, on the right side, left side for you. And they have some special nodes on top and on the bottom we will call them input and output nodes in this case. And then they have special nodes in between, the green ones, and they are the ones that correspond to the original graph of the circuit actually. And what happens is that we want to... So the structure enables any single input nodes to go into any special node. And from any special node, we can also go into any of the output nodes. And this will help us later. And this... So this task of going from any... So from the particular nodes we need to go to to the special nodes and from the special nodes to the output nodes, is called globe embedding. And this is the first task. This is the easier one because we are dealing with only small blocks. And then these... So this skeleton itself is interconnected with the sub-structures through these input and output nodes basically. So we have one interconnection to every single smaller sub-graph and they are not interconnected with each other. So the smaller graphs are totally dependent of each other. And so the other task we have is to define what programming needs to be done in the blocks. So what do we actually want to lead where and where from do we want to lead what within the blocks? That's the first task. And the second task is to give information to all these recursion points as well in order to be able to to go one step further down. So this is basically the recursion point and the leaping point. So just a very brief idea of how we actually do this recursion point and we already know from the two-way split construction so from the programming of the two-way split construction that we can generate three for the graph itself, so the graph of the circuit itself which corresponds to the universal graph and this we generate by merging every two neighbors at every step so this is how we get smaller graphs and then we split them in two with some caloric algorithm so that we have graphs with the same property as before. So we have a graph here with a certain property and then we have split it and then we merge it again and then split it again and so on and so forth. Okay. So this was used so when we looked at where a certain edge goes within this path so we have an edge in the original graph and then it goes in a way in the smaller graphs as well and this defined how we actually so which sub-graphs we need to use in the universal graph itself. So now in the four-way split construction we can use every second graph that was generated before so we don't need to find a new algorithm we can just take the previous embedding like the defining of the embedding and then skip every second step and then we can find these four graphs of each step. We need a small trick, a small modification but I don't go into details about that. Then we looked into the size of the UCs and proposed a new hybrid method so Lickma et al in the last year has shown that there is this K-way construction and we can actually have any K for the valiant UC and we looked into the actual number actual asymptotic complexities that we would get and we have seen that the best is actually the four-way and the two-way is the construction what valiant has already proposed so we cannot find anything better. First it seems that the three-way construction will be actually better but unfortunately there was a small trick that valiant has used for one of the building blocks that he used before somewhere and that same trick didn't apply in our case and we have to have another node which makes it actually bigger than the two-way and four-way split construction. Okay so then we looked into the concrete sizes just to give a few examples so this is for a circuit that has at most size around 40,000 it can also evaluate AS it would have around 2.4 million NPHs in the resulting universal circuit and it is usually better with the four-way construction but sometimes for small circuit instances it is better with the two-way construction. So then we look into how and how so what's the difference between the two-way and the four-way split construction. On the x-axis we have the two-way split construction so that's 0% improvement over two-way split and then the disfractuating thing is the improvement of the four-way split you see over the two-way split you see. So we can see that for small circuits actually most of the times the two-way split construction performs better. So then we thought okay but we need a lot of these small UCs within the big UC right so we have in the end a lot of these usually we want to have big circuits we have a lot of smaller circuits inside so why aren't we doing something smarter why are we combining the two so that we can get better concrete complexities. So then we decided okay at every we create a dynamic programming algorithm and see at every single step is it better to create four skeletons for the four-way split or is it better to create two skeletons for the two-way split and whichever is better we go for that one at each step. And this actually results in a nicer graph in the end so the green line is now the improvement of the hybrid you see over the two-way split you see and this fluctuates in the beginning as well but it's always at least zero and then it becomes much more consistent by the end and it will stay always around 3.6 4% improvement for the two-way split construction. And basically so this fluctuation is due to the parity and the modulo 4 properties of the size of the circuit actually so just to give an intuition not if we are yet but if you are interested come to me afterwards so the concrete size has also become better in every example that we have then we also implemented this universal circuit construction so we verified that we really did it correctly so the implementation uses the first step from the existing UC implementation from 2016 and so we generate the graph of the circuit based on the input circuit as I mentioned before and then for the size of the circuit we generate the universal graph which now looks very different from the 4-way construction and not the 2-way construction and then we embed this graph of the circuit into the universal graph and out to the UCM programming and this we call a 4-way UC compiler and I have some good news here we have code so you can go and you can find it open source online and if you want you can play around with it you can ask questions later come to us if there is something that you are interested in using this for some experimental results so it does take some seconds to compute the universal circuits for fairly large input circuits however we can see that so for example as a need for an AS circuit it would take around 7 seconds with the faster construction and 8 with the 4-way circuit construction and for a very large circuit like SHA-256 with 200,000 kts we would get around a minute's run time however this is only pre-computation time when it comes to highly functional evaluation so this is only done on the side of the function holder only he needs to do it he doesn't need to even know Alice at the moment when he computes this this universal circuit and we see that actually we get better run times when we go to larger and larger circuits and that's due to the fact that the universal circuit will also be smaller so we have less programming when we go out first so one last comparison so there exist special purpose protocols for private function evaluation they are solid based on oblivious transfers and they have better computation complexity so they have a smaller number of symmetric key operations the public key operations are the same they depend only on the security parameter but they have a better number of symmetric key operation so this particular protocol we compared to was proposed by myself again four years ago and so this is the very fixed there so the improvement is only based on the constant factor before the end of the game and then we have so we look into the communication of the protocols and actually we've seen that we have better communication and that's due to the fact that not every optimization and improvement for secure computation actually applies directly to the other protocols but it applies directly to our protocols so we can get better communication complexities than them so there was one work this year that improved over the Mohan Saszakian work which then improved in one of the optimizations that exist in secure computation for current functional variations so other contributions were we actually looked into the algorithm for embedding the graph into the four ways of construction then looked into the size and size of the circuit and proposed a new hybrid method and then implemented it and have a new use in compiler so we have taken some step forwards mainly towards practice and so thank you very much for your attention and if you have any questions I'm very happy to answer them or comments can you go back and look at the slide when you're talking about hybrid the universal circuit the performance yeah so from the value to say the performance yeah so can you explain why the hybrid comes from from the previous slide trying to combine trying to use either two ways or two four ways but where does the benefit of the green part come from so the green line is actually the improvement of the hybrid over the the two ways over the four ways of construction you're right so the whole graph would show the improvement over the two ways but if since I didn't color the parts that are below the blue but not but above the red line it is actually so the green colored parts show the improvement of the hybrid over the four ways of construction so because of the time we have low time for more questions and let's send the speaker back