 And my name is Rewari Guchi. In this video, I talk about the paper entitled Homomorphic Secret Sharing for Multipartite and General Advocacy Structures Supporting Parallel Evaluation of Low-Degree Polynomials. This is a joint work with Koji Nuita. First, we introduce a multi-party computation. In this model, we assume several input players holding their private inputs. And then they run some multi-party computation protocol for a function F. For example, we can consider some statistical analysis on private customer information held by several companies. After the protocol, an output player collects messages from the input players. And then he obtains the value of the function. As for privacy, an adversary corrupts a subset of input players and see their messages during the protocol. Then the privacy requirement is that the adversary learns nothing beyond the output. Homomorphic Secret Sharing is an important building block for multi-party computation. It is a variant of a secret sharing. So it has a sharing algorithm, which takes a secret as input and outputs and shares. As in the standard security definition, we require that some specified subset of shares reveal no information on the secret. Homomorphic Secret Sharing has additional algorithms called evaluation and decoding algorithms. Support that input players generate M shares from their private inputs and send the shares to M servers. Then each server locally runs the evaluation algorithm on a function F and N shares it receives from the input players. Finally, an output player collects all outputs of the evaluation algorithms. And he runs decoding algorithm whose output is supposed to be a F of X. Homomorphic Secret Sharing has a direct application to multi-party computation. Indeed, consider the following multi-party computation protocol. M input players distribute shares of their secret input using a homomorphic secret sharing scheme. And then each player locally runs the evaluation algorithm on their received shares. Finally, an output player collects all the outputs of the evaluation algorithms and recovers the value of the function. The important features of this protocol based on an HSS scheme is that it only needs two rounds of communication. The first is sharing inputs and the second is collecting outputs. It also has the sex sickness, which means that its communication complexity is proportional to the share size independent of the complexity of the function. Furthermore, the corruption power of the adversary is characterized by the adversary structure of the underlying homomorphic secret sharing scheme. The adversary structure is the collection of subsets of shares, which reveal no information on a secret. Therefore, if we construct homomorphic secret sharing scheme for non-threshold adversary structure, then we can obtain an MTC protocol which tolerates a more general corruption pattern. In this work, we focus on three kinds of adversary structures. Adversive structure is the collection delta of subsets of players whose shares reveal no information on a secret. The simplest case is a threshold of the adversary structure, which tolerates any collusion of at most T players. On the other hand, the most general case is a general adversary structure, which has no limitation on delta. So every adversary structure is classified to general adversary structures. For example, we can consider a non-threshold adversary structure induced by a graph. In this adversary structure, a player corresponds to a vertex, and an adversary is one of the players. And this dishonest player colludes with its adjacent players. Finally, a multi-partite adversary structure aligns between threshold and general adversary structures. Specifically, I support that the whole set of players is partitioned into L parts, P1 to PL. Roughly speaking, in a multi-partite adversary structure, whether a subset X is in delta or not is uniquely determined by this vector, which counts the number of players in each part. Note that if we set L to 1, then delta is equivalent to a threshold adversary structure. And if we set L to n, then it is equivalent to a general adversary structure. In this sense, a multi-partite adversary structure lies between threshold and general adversary structures. Next, we explain the previously proposed homomorphic secret sharing schemes. In this work, we consider a homomorphic secret sharing scheme computing bounded degree polynomials. First, information theoretically secure HSS schemes were proposed for adversary structures satisfying the condition called tight QD, which means that for any these subsets in delta, their union does not cover the whole set of players. Three homomorphic secret sharing schemes have been proposed for threshold, multi-partite, and general adversary structures. The security of these schemes is information theoretic, and so it does not rely on any cryptographic assumption. But the condition tight QD puts a strong limit on adversary structures. For example, a threshold adversary structure of type QD mean that its corruption threshold must be less than m over d. On the other hand, if we assume the LWE assumption, there is an homomorphic secret sharing scheme tolerating all the adversary structures. These schemes achieve the largest corruption threshold, m minus 1, which means that they are secure as long as there is at least one honest player. But we must assume a narrow class of cryptographic assumptions related to lattices. Recently, two homomorphic secret sharing schemes have been proposed, and they lie between these two extreme cases. These schemes assume homomorphic encryption for a degree k polynomials, which can be obtained from various hardness assumptions such as Diffie-Hellman problem in addition to LWE. Furthermore, for the degree k of the underlying homomorphic encryption scheme, they can tolerate a wider class of adversary structures of type QD k. We do not give its formal definition here, but an important point is that the class of tolerable adversary structure is wider than those of type QD. For example, in the threshold case, and type QD k means that the corruption threshold is less than k plus 1 times m over d, which is k plus 1 times larger than the upper bound for type QD. The threshold scheme has constant share size. On the other hand, the general homomorphic secret sharing scheme has a share size of exponential in m. This work also follows that direction of research. Based on homomorphic encryption, we first show a novel homomorphic secret sharing scheme for multipartite adversary structures of type QD k, computing the degree d polynomials. The share size of our scheme is polynomial in the number of players, and so more efficient than the general contraction. Furthermore, because our scheme tolerates a multipartite adversary structures, it is more general than the threshold scheme. In addition, we show that these three homomorphic secret sharing schemes can be extended to homomorphic secret sharing for a SIMD computation, which means that it computes a single polynomial on L different inputs in parallel. And the overheads in share size are all log of L. Therefore, our technique is more efficient than the naive solution of simply running L computations independently, which results in an overhead proportional to L. As a drawback, however, the adversary structures of our HSS schemes must satisfy a stronger condition, which we call type QD kL. But it is still wider than the information theoretic bound of type QD. From now on, we explain how the contraction of homomorphic secret sharing scheme for general adversary structures, which supports parallel evaluation. As we said earlier, based on homomorphic encryption, there are three homomorphic secret sharing schemes for adversary structures of type QD k. In this work, we show that these homomorphic secret sharing schemes can be extended to the ones supporting the parallel evaluation of a single polynomial, while the class of tolerable adversary structures becomes smaller. An important point of our technique is that the overhead is only logarithmic in L, the number of parallel computations. And therefore, it is more efficient than the naive solution of simply running L computations independently. Due to the time constraint, we only explain the case of general adversary structures. Technically, we use the notion of packed secret sharing. The previous homomorphic secret sharing scheme can tolerate general adversary structures, but does not support parallel evaluation. On the other hand, packed secret sharing scheme supports parallel evaluation, but can only tolerate threshold adversary structures. In this work, we propose a novel way to combine two schemes. And as a result, we obtain a homomorphic secret sharing scheme, which not only tolerates general adversary structures, but also supports parallel evaluation. Before explaining the details of our technique, we recall the previously proposed homomorphic secret sharing scheme. Let delta be a general adversary structure. Without loss of generality, we may assume that delta is monotonically decreasing, by which we mean that if A is a subset of B and B is in delta, then A is also in delta. So then delta is uniquely determined by only specifying all maximal subsets A1 to Am. In the previous scheme, a secret input is an element of a finite field, because it only supports one-shot computation. In its shared generation, first, a secret S is randomly split into n random elements, S1 to Sm. Here, n is the number of all maximal subsets of delta. Then for each i, Si is given to players which does not belong to a maximal set Ai. And players in Ai receive a ciphertext of Si. So then the privacy is straightforward, because for any maximal subset Ai, players in this set only receive a ciphertext of Si. And so they do not obtain any information on Si. So therefore, they cannot learn the secret input S To extend this homomorphic secret-sharing scheme to a parallel computation, we also use the notion of a packed secret-sharing. Here, we consider a threshold adversary structure. In this scheme, a secret input is supposed to be an L-dimensional vectors. In its shared generation, we choose a random polynomial, Phi, such that the values of Phi at L different points, alpha 1 to alpha L, are equal to the secret vector. And also that the degree is at most t plus L minus 1. Then we give a point Phi of j unto the jth server as its share. As for privacy, t shares reveal t linear constraints on the coefficients of Phi. But the number of coefficients of Phi is t plus L. And so there are still unknown coefficients, which protects L secrets. So in summary, t shares reveals no information on the secret vector. On the other hand, t plus L shares are sufficient to recover the interpolating polynomial Phi, because again, the number of coefficients of Phi is t plus L. So then we can compute the secret vector from this polynomial. From now on, we show our homophic secret-sharing scheme, which combined the previous homophic secret-sharing scheme for general adversary structures and packed secret-sharing scheme. Recall that general adversary structure is determined by all maximal subsets, a1 to an. Now, a secret input is an L-dimensional vector, because we consider parallel computation. As in the previous homophic secret-sharing scheme, we first split the input vector s into n random vectors, s1 to sn. This is a simple expansion of the previous scheme to a vector-valued inputs. Next, we associate each vector su with a maximal unset au. And we share the vector su using a packed secret-sharing. Precisely, we choose a random polynomial Phi u and give Phi u of j to the j's player if it is not in au. And give a ciphertext of Phi u of j to players in au. Then the privacy is straightforward. For any maximal subset au, players in this set do not learn any information on the polynomial Phi u, because all of its values are encrypted. So therefore, they do not learn the vector su, and so the secret vector s either. Now, we show how our scheme performs a parallel evaluation of a single-digly d polynomial. Let x1 to xd be d-secret inputs, which are L-dimensional vectors. It follows from the construction of our scheme that each secret vector is split into n random vectors. And then each of them is shared via packed secret-sharing using the random polynomial. We consider the product of d-secret. Here, star denotes the element-wise product. This polynomial is expanded to the sum of n to d monomials. Note that each of them can be computed if the product of their interpolating polynomials is recovered. More precisely, because the degree of this polynomial is dL minus 1, if we collect more than dL minus 1 points of this polynomial from servers, we can recover it by Lagrange interpolation. Recall that from the construction, server i has the points of phi u as plain text if it does not belong to a u. And it has the points of phi u as cipher text if it is in a u. Then the value of this polynomial at i is separated into two parts. The first is the product of points associated with maximal subsets not containing i. And the latter is the product of the remaining points. Then server i only has cipher text of these values in the second part. An important point is that if the number of cipher text in the second part is at most k, then the server i can compute a cipher text of this value because of the correctness of homomorphic encryption. Therefore, the evaluation of degree d polynomial succeeds if the following condition holds. For any combination of d indices, j1 to jd, there are sufficiently many servers such that the number of cipher text to be multiplied is at most k. Precisely, it will require that the number of such servers to be more than the degree of this polynomial, that is d l minus 1. Then the player can recover this polynomial from the points sent by servers. And then he obtains a multiplication of d secret vectors. However, this is not our final homophic Zegersharing scheme. There is some room for optimization. As in our formal construction, we split a secret vector into random vectors. But now we also give servers cipher text of derivatives of the interpolating polynomial. Privacy still holds true because this additional information is encrypted. We omit the details, but because of this additional information, an output to player obtains more information on the product of secrets from servers. So as a result, this scheme can compute a polynomial of higher degree. In addition, so far, we only consider a privacy against servers that in application to NPC, we also require that an output player should not learn any information beyond the value of a function. So for that, we need to re-randomize the outputs of the evaluation algorithm with random shares of 0. Then the condition on the adverse structure is slightly changed. This is the final condition, and we call it type QDKL. We note that if we set L to 1, it is equivalent to a type QDK, which is the condition required as the previous homophic secret sharing scheme. Therefore, our scheme supports L-parallel computations while the condition becomes stronger as L grows. As for efficiency, in our scheme, each server receives at most n field elements and at most n ciphertexts. Here, n is a number of maximal subsets of delta, which is exponential in the number of players in the worst case. On the other hand, to share secret vectors instead of scholars, we need to choose a finite field containing at least n plus l elements. Therefore, the share size of our scheme is 2 to m times a log of n plus l. Finally, we summarize this talk. In this work, we first propose a novel homophic secret sharing scheme for multipartic adverse structures of type QDK. The share size of our scheme is polynomial in the number of players and so more efficient than the general construction. Furthermore, because our scheme tolerates multipartic adverse structures and so it is more general than the threshold scheme. In addition, we show that these three homophic secret sharing schemes can be extended to the ones for CMD computation, which means that it computes a single polynomial on l different points. The adverse structures of our homophic secret sharing schemes must satisfy a stronger condition, which we call type QDKL. But the overheads in share size are all log of l. So therefore, our technique is more efficient than the naive solution of simply running l computations independently. And these are our references. This is the end of my talk. That's all. Thank you.