 So, hi, my name is Damiano, and now I'm going to present a giant project with Peter Scholl, titled Multi-Party Multiplication Triples for Speeds from Ringelpian. So the main contribution of our work is the design of an actively secure MPC protocol for the generation of authenticated beaver triples. And the novelty is that this construction achieves sub-linear communication in the amount of generated material. So I will start by explaining what Speeds is. So Speeds is an efficient multi-party computation protocol for computations over a large prime field F. And it achieves active security by relying on the online phase, offline phase paradigm. Specifically, we have this input independent preprocessing phase called offline phase, where the parties generate large amount of correlated material. And later on in the online phase, the parties use this correlated randomness to compute the output of their function in a secure way. So without revealing any information about the inputs. Thanks to this paradigm, the complexity of the online phase is really low. So the main type of correlated material that we generate in the offline phase is called beaver triple or multiplication triples. And as the name suggests, these are needed to compute multiplications. Specifically, we need one multiplication triple per multiplication gate. And so we need a lot of them. And usually the generation of these is rather expensive. So which is exactly a beaver triple. As I said at the beginning, we are working over a large prime field F. And suppose that N is the number of parties. So beaver triple is a random tuple of secret shared elements as the one that you see on the screen. So we have X and Y that are uniformly random over the field. And then we have a secret sharing of their product. Here the square brackets denote additive secret sharing among then parties. So beaver triple is the union of these three terms. And actually it allows us only to achieve passive security. And speeds wants active security. So the construction introduces a Mac key alpha that is uniformly distributed over the field and secret shared among them parties. Alpha is used to authenticate all the beaver triples. And this is done by introducing some Macs that are also secret shared among them parties. So we have X times alpha, the Mac over X, Y times alpha, the Mac over Y, and X times Y times alpha, the Mac over the product. And yet the union of the beaver triple with its Macs is called an authenticated beaver triple. Okay, now I'm going to talk about the main tool that allowed us to achieve low communication complexity in our triple generation protocol. And this is called the pseudo random correlation generator or PCG for short. So PCG is a particular construction that allows us to generate large amounts of correlated material with no communication. And this is done by expanding small correlated seeds. So specifically a PCG is an unparty construction. So let me draw in parties. And we tackle some correlation function C. So let's denote the outputs by R1, RN. So these are correlated values. And there is one for each party. In particular, RI is addressed to party PI. So the PCG specifies how to generate N small seeds, K1, KN. And their generation is performed by a trusted dealer. So after the seeds have been distributed, all the parties can locally expand them. So without any interaction, obtaining large amounts of correlated material. So I will write that party PI obtains the vector RI. So P2 obtains the vector R2, P1 obtains the vector R1. And with this notation, I mean that these N vectors are all correlated entry by entry, according to C. Specifically, its entry of the vector RI has the same form as the i-th output of the correlation functions. So now I would like to talk a little bit about security of PCGs. And in order to do so, assume that the subset of parties is corrupt. So clearly the corrupted parties know their outputs. And these outputs leak some information about the outputs of the honest parties. That's because the samples that we obtained by expanding the PCG seeds are all correlated. So there is nothing we can do to avoid this leakage. It's something intrinsic in the problem. However, I noticed that there is another potential issue, namely that the corrupted parties also see their seeds. And these seeds may leak some additional information. And we don't want that. So the security definition of PCGs states exactly this. The seeds of the corrupted parties leak no information about the outputs of the honest parties, except what can be inferred from their expansion R2 and RI. So at the beginning, it may seem strange that we base our triple generation protocol on this PCG constructions that need a trusted dealer for the generation of the seeds. Indeed, the whole point of a triple generation protocol is to get rid of trusted dealers in speeds. However, notice that the PCG seeds are all small. So usually it is not hard to design multi-party computation protocols that generate and distribute them with linear communication in the seed size. So when we compose these protocols with the expansion phase, and this composition is trivially secure because the expansion is not interactive, we obtain protocols that generate large amounts of correlated randomness with sublinear communication in the size of the outputs. And this is exactly what we want. So recently, there has been some work on PCGs for bigger triples. And the first work is by Boyle Tull at Crypto 2019, where they designed a PCG that generates an unauthenticated bigger triples for end parties with logarithmic seed size in the number of triples that are generated. One year later, the same authors designed another PCG, but now for authenticated bigger triples. And the seed size is still logarithmic in it. However, this construction works only in the two-party setting. But what about authenticated bigger triple in the end party setting? Well, until recently, no efficient construction was known. But in this work, we present a solution with O of square root of M seed size. So the security of our PCG relies on the Ringel PN assumption, which I'm going to describe now. So our setting is a ring R, which is the quotient between the polynomial ring over the field F, and the ideal generated by a polynomial F of X. We also introduced two parameters. The first one is a small constant C. And then we have T that is roughly the size of the security parameter lambda. We also introduce a distribution, which is denoted by HWT. And these samples are random T-spars polynomial over the ring R. And with T-spars, I mean that this polynomial has at most 10 of zero coefficients. Now, consider the following pair. We have A that is uniformly distributed over R to the C. So C is this small parameter here. And then we have the inner product between A and another vector E. And E is sampled according to HWT to the C. Specifically, that means that E is a C-dimensional vector. And each entry of E is a T-spars polynomial in the ring R. So the ring LPN assumption states that this pair is computationally indistinguishable from A U, where A is again uniform over R to the C, whereas U is uniform over R. So essentially, the ring LPN assumption states that even if A is known, the inner product looks random over the ring R. So the second tool that we used for the construction of our PCG is called distributed point function, or DPF for short. So DPF is a particular tool that allows us to compress an n-party secret sharing of a unit vector into n small keys. So a unit vector is a particular vector where all the entries are zero except for one. On this slide, I denoted the non-zero element by a red square. And its position is called the special position of the unit vector. And we denoted by omega. So a DPF takes as input a unit vector and outputs n small keys, one for each party. And the size of the keys is sublinear in the size of the unit vector that is given as input. Moreover, even if the part is collude, the keys leak no information about the special position, omega, and the non-zero element, the red square. And finally, the compression has also the nice property that is invertible. So the parties can take their keys and expand them locally. So without an interaction, obtaining a n-party secret sharing of the unit vector that was given as input for the key generation. So what is the state of the art of distributed point functions? In the two-party setting, they are really efficient. Indeed, we know constructions that have logarithmic key size in the length of the unit vector that we give as input. However, in the three-party setting, the constructions are not as efficient. Indeed, the best solution have O of square root of n a key size. Finally, in the n-party setting, they get even worse because, yes, the key size is still O of square root of n, but there is also a factor that is exponential in the number of parties. So we can finally talk about our PCG for multi-party beaver triple. Our goal is to take a Mackey alpha uniform over the field and n-authenticated beaver triples and compress them into some small material. So the first thing that we do is to choose the ring R where we instantiate the ring LPN assumption. And in particular, we choose R to be isomorphic to F to the n, where F to the n is a ring with entry-wise addition and multiplication. It is possible to make this choice because the polynomial F of X here does not need to be reducible for security. It can also split into linear factors. Now, take the Mackey and the n-authenticated beaver triples using the isomorphism here. And without any interaction, the parties are able to convert them into one single authenticated beaver triple over the ring R. And what I mean is that now X and Y are uniform at random over the ring R, whereas alpha remains the same as before, so a field element. The nice thing of the isomorphism is also that it is invertible. So the parties are able to convert material of this kind into n-authenticated beaver triples over the field F. And this is done without any interaction. So we notice that all of a sudden our goal has become to compress a single authenticated beaver triple over the ring R. And we are going to do this by compressing each term one after another. So we start from X and Y. And as I said before, these are uniformly random elements over the ring R that are secret shared among the n-parties. So suppose that the random oracle now provides everybody with a random vector A belonging to R to the C. Each party PI will compress each shares of X and Y as follows. So first of all, it samples two vectors of sparse polynomials, UI and VI, using the distribution HWT to the C. They wanted to introduce with the ring LPN assumption. So next PI sets each share of X to be XI, the inner product between A and UI. And similarly, it sets each share of Y to be the inner product between A and VI. So you understand it by the ring LPN assumption XI and YI now look random, even if A is public. But the entropy of XI and YI now is low because they are described in terms of sparse polynomials. And the description of sparse polynomials is short. So next we compress the terms alpha 10 X and alpha 10 Y. And we start by observing that alpha 10 X can be rewritten as the sum over I and J of alpha I times XJ, where alpha I and XJ represent the shares of PI and PJ respectively. These can again be rewritten as the sum over I and J of alpha I times the inner product between A and UJ, which is also equal to the sum over I and J of the inner product between A and alpha I times UJ. Okay, now suppose that the parties have a secret sharing of alpha I times UJ between the parties PI and PJ only. So I use these indexes I and J at the brackets to denote two parties secret sharing between PI and PJ only. So if the parties have these n square secret sharing, they are able to obtain a secret sharing of alpha 10 X between the n parties due to the linearity of the inner product and the sum here. Moreover, these n square secret sharing leak no information about the shares of PI and PJ to the other parties. Indeed, in order to leak some information, both PI and PJ would need to be corrupt. And in this case, what we leak is actually alpha I and UJ, which are values that are already known to this. So now our goal will be to compress these terms instead of these. So what's the structure of UJ? UJ is a C dimensional vector over the ring R and each entry is a T sparse polynomial of degree n. So here we represent these polynomials by listing the coefficients starting from the term of degree zero. And then on zero coefficients are represented with colored squares. So when we multiply UJ by alpha I, the structure remains the same. That's because alpha I is an element of the field. So the only thing that changes is the color of the squares. So the value of the coefficient changes, but their positions remain the same as before. So how can we compress a secret sharing of alpha I times UJ between party PI and PJ only? Well, we notice that each entry of this vector can be written as the sum of T and dimensional unit vectors. For instance, these would be those associated with the first entry. And now we know how to compress secret sharing of unit vectors using DPS. In particular, when we perform the operation, we provide the parties with keys that leak no information about alpha I and UJ to the parties because of the security of DPS. And the material that we obtain in this way is small. In particular, it is just C times T pairs of DPS keys. C because there are C entries and T because there are T unit vectors per entry. And the size of these keys is logarithmic in N because it is just a secret sharing between two parties. So next, we compress the terms X times Y. So we do it similar to X times alpha. Indeed, we notice that X times Y can be rewritten as the sum over I and J of XI times YJ, where XI and YJ are the shares of PI and PJ respectively. And this can again be rewritten as the sum over I and J of the inner product between A and UI with the inner product between A and VJ. This last term can be proven to be equal to the sum over I and J of the inner product between the outer product of A with itself and then the outer product between UI and VJ. I will define this outer product later in the next slide. So now suppose that the parties have a two-party secret sharing of UI outer product with VJ between party PI and PJ only. So due to the linearity of the inner product and of the sum here, the parties can convert these N square two-party secret shareings into a single secret sharing of X times Y between all the N parties without any interaction. Now our goal will be to compress these two-party secret shareings between PI and PJ. So basically we are doing the same thing that we did for alpha times X. The only difference is that now X and Y are both ring elements, whereas before one of the factors was a field element. So how is the outer product defined? Well UI and VJ are c-dimensional vectors over the ring R and their outer product is defined to be the c-square dimensional vector over R where for every L and M the element in position CL plus M is the product of the L's element in UI and the M's element in VJ. Now take the L's entry of UI and the M's entry of VJ, which are both T-sparse polynomials over R. We consider that product but not over R but over f of X. Since the reduction modulo in ADL commits without the operation, we can always make the reduction later whenever it is more suitable. Now the product of two polynomials over f of X is still somewhat sparse. Indeed this is a polynomial of degree at most 2N and they are at most T-square non-zero coefficients. That's because all the terms of a product are the product of the monomials of UI and the monomial of VJ and since these two polynomials have at most T non-zero coefficients, the number of non-zero coefficients of the product will be upper bounded by T-square. So our tool is to compress a secret chain of UI outer product with VJ between part P i and P j only and UI outer product with VJ is a vector of this kind. So in particular it is a C-square dimensional vector and its entry is a T-square sparse polynomial of degree at most 2N. So since these are all sparse vectors, we can use the same techniques that we used before for alpha 10s X and alpha 10s Y. In particular we can just compress a secret sharing of each entry and the latter can be rewritten as the sum of T-squares unit vectors of the dimension 2N. These on the slides are those associated with this entry that you see on the top and yeah now we are able to compress secret sharing of unit vectors using DPFs and so we provide the parties with these keys that leak no information about the non-zero elements and the special positions. Furthermore all this material is of small size now. Indeed we just have C-square times T-square pairs of DPF keys and their size is logarithmic in N because we are just working with two party secret sharings. So the last term that remains to be compressed is alpha 10s X times Y and as we did before we noticed that alpha 10s X times Y can be rewritten as the sum over i, j and k of alpha k times X i times Y j where alpha k, X i and Y j are the shares of party pk, pi and pj respectively. This can be again rewritten as the sum over i, j and k of alpha k times the inner product between a and ui times the inner product between a and vj and as we did before this is equal to the sum over i, j and k of alpha k times the inner product between the outer product of a with itself and the outer product with between ui and vj. Finally we can move alpha k inside the inner product so this is equal to the sum over i, j and k of the inner product between the outer product between a and itself and then alpha k times ui outer product with vj. Okay now suppose that the parties have a secret sharing of alpha k times ui outer product with vj between party pi, pj and pk only. Due to the linearity of the inner product and of the sum the parties are able to convert this and to the third secret shareings into a single secret sharing of alpha times X times Y between all the parties and this operation requires no communication. Moreover notice that since this is a three-party secret sharing we leak no information about alpha k, ui and vj to that indeed the only way to leak some information is if all the three parties are corrupt and in that case the adversary already knows alpha k, ui and pj. Notice also that a two-party secret sharing wouldn't be enough here because for instance if it was only between pi and pj and pk is honest if pi and pj are corrupt we would leak information about alpha k that the adversary shouldn't know. So our goal now will be to compress these secret shareings here. Previously we have noticed that the outer product between ui and vj is a vector of this kind in particular a c-square dimensional vector where each entry is a t-square sparse polynomial of degree at most 2n. Now if we multiply everything by alpha k their structure remains the same that's because alpha k is a field element so the only consequence of this multiplication is to change the value of these colored squares but their position and their number remains the same as before. So we conclude that alpha k times the outer product between ui and vj is a c-square dimensional vector where its entry is a t-square sparse polynomial. So in order to compress a secret sharing of these between pk, pi and pj we can use the same techniques as before. In particular we can compress a secret sharing of its entry and the latter can be rewritten as the sum of t-square unit vectors of dimension 2n and the secret sharing can be compressed using a dpf in particular a three-party dpf. So these keys that are obtained leak no information about the non-zero elements and the special positions and their size is small. In total we have c-square times t-square triples of dpf keys but their size is now not logarithmic in n but o of square root of n and the reason is because three-party dpfs are not as efficient as two-party ones. So there is one last issue that we need to fix in our construction specifically dpfs usually outputs secret shareings over binary groups whereas our pcg needs secret shareings over a large prime filter the same one that we use in speeds. So generalizing the known constructions for two parties is rather simple but for the three-party case it is tricky. Specifically the best construction for three-party is by a boon et al and it outputs secret shareings over zero one to the n. Thanks to a trick by boon et al it is possible to generalize this construction to groups of polynomial cardinality but these techniques don't apply to large prime fields. So at the beginning we thought we were completely stuck but then we realized that our pcg is secure even if we allow some leakage in the three-party dpf. In particular if two specific parties of the three-party secret sharing are corrupt we allow the adversary to learn omega the special position of the unit vector. If we allow this leakage it is possible to generalize the three-party dpf by boon et al to large prime fields. The reason why our pcg is still secure is because when p i and p j are both corrupted the adversary already knows the special position omega. Indeed we use the three-party dpf to compress secret shareings of alpha k times the outer product between ui and vj and since alpha k is a field element the special position are uniquely determined by ui and vj. When p i and p j are both corrupted these terms are already known to the adversary. So to summarize our pcg generates n authenticated bigger triples and we were able to compress the terms x and y using the ring and piano assumption into material of size c times t times o of log n. And the complexity in the number of parties is linear. So this applies also for y that has the same form as x. The term x times alpha was compressed using two-party dpfs into material of size c times t times o of log n and the complexity in the number of parties is square. Same happens for y times alpha. Moving on to the product x times y we compress this material into values of size c square times t square times o of log n times n square using two-party dpfs. And finally the last term x times y times alpha was compressed into material of size c square times t square times o of square root of n times n to the third. So we understand that the dominant term is this one. So the final seed size of our pcg is o of square root of n. After having designed our pcg we focused on the protocol for the generation of authenticated bigger triples. In particular we designed an actively secure protocol that sets up the third-party dpfs keys and then we designed another protocol that generates and distributes the pcg seeds with active security and with little communication. I won't describe these constructions in details because they are both rather complex and the techniques that we used are not extremely interesting. Anyway regarding efficiency our protocol generates an authenticated bigger triples with sublinear communication in n, in particular o of square root of n. There is however a term that scales as the number of parties to the fourth so for a very large number of players our solution may not be the best. Regarding computations the complexity scales as n log n. So we analyze the efficiency of the protocol by considering the stretch which is defined as the ratio between the total size of the outputs and the total communication. So the larger the stretch the better. We observe that the stretch becomes greater than one for a very large number of triples in particular for n approaching 2 to the 24 which is close to 16 millions. Anyway even for smaller values of n our protocol is practical based on estimation by Boilethal. Moreover the total communication is roughly 10 times better than overdrive.