Hello everyone, I am Yi Liu. The title of our work is Making Private Function Evaluation Safer, Faster, and Simpler. This is joint work with Qi Wang and Siu-Ming Yiu.

PFE means private function evaluation. In the two-party scenario, consider the case where there are two parties, Alice and Bob. Alice has a private function F and a private input X, and Bob has a private input Y. These two parties intend to compute F(X, Y), and finally one or both parties obtain the result. In this picture, Bob obtains the result.

PFE is the general case of secure function evaluation, SFE. For SFE, the function F is public, and both parties know it. However, for PFE, the function F is private, as a private input of one party.

There are several ways to realize PFE. First of all, it is straightforward to realize PFE using fully homomorphic encryption. However, today, fully homomorphic encryption still has very high computational overhead. The second is to use a universal circuit. A universal circuit is a circuit that takes the description of the input circuit C and an input X, and outputs C(X). However, for circuits of size n, the corresponding universal circuit has an additional log n overhead, and the constant factor and low-order terms are also significant.

Another line of work avoids the usage of FHE and UC. One is based on oblivious evaluation of a switching network, which also has an additional log n overhead. The other line of work starts from Katz and Malka. The PFE protocol has linear complexity and constant rounds. Recently, it was shown that the passively secure PFE protocol outperforms the state-of-the-art passively secure UC-based PFE protocol. Following this line of work, there are several improvements. The paper MS13 generalized and improved the protocol. Then, recently, a reusability property with respect to given parties was added. This means the two parties only need one initiation for function F, and then they can evaluate F on different inputs directly.
Here is an illustration of reusability. These two parties initiate for private function F and then evaluate F on different inputs, for example X1 and Y1 to derive F(X1, Y1), X2 and Y2 to derive F(X2, Y2), and so on. This property leads to better performance when the protocol is executed more than one time for the same function F.

But those PFE protocols are passively secure, so what about active security? In the original KM11 paper, the authors introduced how to achieve active security against a malicious input provider. Then the protocol in MSS14 achieves full security. However, the number of rounds of the protocol is equal to the number of gates. To the best of our knowledge, there is no constant-round actively secure PFE protocol with linear complexity.

In our work, we provide the first constant-round actively secure PFE protocol with linear complexity. Meanwhile, we provide a PVC-secure PFE protocol, and our two protocols achieve global reusability. Global reusability here means that the private function holder Alice can perform a global initiation for her private function F. Then a party Bob can use this information and start the evaluation of F with Alice multiple times. At the same time, another party Charlie can also use this information and start the evaluation of F with Alice. So the initiation for F is global.

In this talk, I will focus on our actively secure PFE protocol. As I have mentioned, in the KM11 paper, the authors introduced how to achieve active security against a malicious input provider using classical techniques for garbled circuits. Here we mainly focus on a malicious function provider, and these two results can be combined to obtain a fully secure PFE protocol.

Here we suppose that the private function F is implemented by a circuit that only consists of NAND gates. We also have public parameters: the circuit has θ gates, n input bits and m output bits. Other information about the circuit is hidden.
We work on a cyclic group G of prime order q in which the decisional Diffie-Hellman assumption, the DDH assumption, holds. In this talk, we assume that Alice only has the private input F and Bob obtains the evaluation result. We would like to note that it is easy to extend the protocol to support Alice's private input X.

We first introduce how to describe the circuit. For example, as we can see, this circuit has 5 input wires and 3 output wires. We call a wire an outgoing wire if it is one of the input wires of the circuit or the output wires of gates. Here the wires in orange are outgoing wires. We call a wire an incoming wire if it is one of the input wires of gates, so these blue wires are incoming wires. So for a circuit with θ gates, n input bits and m output bits, we have n + θ outgoing wires and 2θ incoming wires. For example, in this circuit θ is equal to 6 because it has 6 gates, n is equal to 5 and m is equal to 3. So we have 11 outgoing wires and 12 incoming wires.

Because all gates are NAND gates, the circuit can be described by the wire connections. To formalize the connections of wires, we use the concept of an extended permutation, or EP. An EP is a mapping π that maps a number between 1 and N to a number between 1 and M, such that for every x in the set {1, ..., N} there is exactly one number y in the set {1, ..., M} such that y is equal to π(x). For the circuit description, given the index of an incoming wire, π maps it to the index of the outgoing wire that is connected with this incoming wire.

This is an illustration of the extended permutation for the example circuit. As we can see, one incoming wire is connected with one outgoing wire, while one outgoing wire may be connected with several incoming wires. Because the output wires of the circuit, namely outgoing wires 9, 10 and 11, are not connected with incoming wires, we do not need to consider these wires in the extended permutation mapping.
So we let M equal n + θ − m, so 8 in this example, and N equal 2θ, so 12 in this example. In this mapping, for instance, incoming wire 5 and outgoing wire 1 are connected.

Now we know how to describe the circuit. At the beginning of the protocol, the circuit provider, namely Alice, first names the input wires of the circuit and then all wires connected with gates. We introduce how to name the wires in detail in our paper. Then we can extract the extended permutation π from this circuit. Now the circuit provider Alice holds the circuit and the extended permutation π, so we can let Bob garble all gates respectively. I want to note that because we divide a wire into an incoming wire and an outgoing wire, Bob can garble gates, but he still does not know the connections between wires. At the same time, Alice knows the extended permutation. She should know how to derive incoming wire labels from their connected outgoing wire labels to evaluate the garbled circuit, but she should not know other wire labels. So to know how to derive incoming wire labels from outgoing wire labels, Alice needs to take part in the wire label generation.

The procedure of our garbled circuit generation is here. Bob first generates a random G_i in the group for each outgoing wire and sends them to Alice, so each outgoing wire i has an element G_i. Then Alice performs the inverse of π on those G_i, so, as in this picture, if two wires are connected they will have the same value. Then Alice randomly picks t_j, computes the t_j-th power of each G_{π(j)}, like this, and sends them to Bob, so each one is raised to the power t_j. Because t_j is random, those G_{π(j)} to the power of t_j do not leak anything about the extended permutation π. After receiving those elements, Bob randomly picks α_0 and α_1. Then, for labels with value b, Bob computes the α_b-th power of the corresponding elements. In this example, Bob computes, for this
incoming wire 1, the label for value 0 in this form and the label for value 1 in this form, and the wire labels for a gate are like this left-hand-side gate. Now, given those wire labels, Bob can garble gates, using the two input wire labels as the keys to encrypt the corresponding output wire label for the output wire. This is what is done in the classical garbled circuit approach.

Now let's see how to evaluate the garbled circuit, that is, how to derive the wire labels of incoming wires from the wire labels of outgoing wires. Let's focus on one gate. Given one of the two labels of incoming wire 5 and one of the two labels of incoming wire 6, we can decrypt the corresponding label of outgoing wire 8. Now, to derive the label of incoming wire 7, let's see what this label should be. According to this extended permutation π, incoming wire 7 is connected with outgoing wire 8, so π(7) is equal to 8. Now we can see that Alice computes the t_7-th power of the label, which is the corresponding incoming wire label. So Alice can follow this approach to evaluate the whole garbled circuit to obtain the final garbled output.

Let me summarize the procedure. First of all, Bob sends a random group element G_i for each outgoing wire i. Alice performs the extended permutation on those G_i, randomly picks t_j, computes the t_j-th power of each element, and sends those elements to Bob. Bob randomly chooses α_0 and α_1 to compute the wire labels, and then sends all garbled gates, together with the garbled inputs for the wires, to Alice. Alice evaluates the garbled circuit using the garbled gates, the garbled inputs, the extended permutation π and the t_j to obtain the garbled output, and sends it to Bob. Finally, Bob can obtain the evaluation result from the garbled output.

We can divide the procedure into two phases, the initiation phase and the evaluation phase. Because we work on a group where the DDH assumption holds, the DDH assumption allows Bob to generate different α_0 and α_1 and to directly
execute the evaluation phase polynomially many times using different inputs.

To achieve active security: because the evaluation phase is similar to the classical garbled circuit and Alice only needs to evaluate the garbled circuit, the authenticity of the garbled circuit in fact ensures that Alice cannot harm the security of the protocol. So now we only need to focus on active security of the initiation phase.

Let's see the messages in the initiation phase. We need to ensure that Alice sends correct messages. This means that we need a zero-knowledge proof of knowledge of a valid extended permutation π performed on those group elements, and we also need a zero-knowledge proof of knowledge of the powers t_j, to be extracted in the security proof. Of these two goals, we first focus on the second one. We may first try to use a zero-knowledge proof of knowledge of a discrete logarithm. However, when we use such a protocol, the elements G_{π(j)} should be given, and then the extended permutation π is leaked. Our solution is to use the ElGamal encryption of the elements, since it is multiplicatively homomorphic and we can compute the t_j-th power.

So the procedure is here. Suppose that Alice generates a pair of keys for ElGamal encryption, where the private key is s such that the public key h is g to the power of s. Alice first encrypts G_{π(j)}. Then she can compute the encrypted element to the power of t_j over the ciphertext C_j. After that, Alice sends the two ciphertexts to Bob and proves the knowledge of t_j. Finally, Alice can help Bob decrypt the ciphertext C_j to the power of t_j. Due to the encryption, G_{π(j)} is preserved and the extended permutation π is hidden.

Now the first protocol is that, given the G_i and the ElGamal ciphertexts C_j, the prover knows r_j and a valid extended permutation π such that C_j is encrypting G_{π(j)}. To prove this statement, we can describe the ElGamal ciphertext in a different way. As we can see in this picture, for the extended permutation each incoming wire is connected with exactly one
outgoing wire. So we can define a vector e_j for each incoming wire j such that, if π maps j to i, the i-th entry is equal to 1, and otherwise the entry is equal to 0. So in the multi-exponentiation form only the element G_{π(j)} remains, and we can rewrite the ElGamal ciphertext in this form.

So now we can say that an extended permutation π is valid if and only if each ElGamal ciphertext C_j can be represented in this new form such that, first, the inner product of the vector 1 and e_j is equal to 1, which means that the sum of all entries of the vector e_j is equal to 1, and second, the entrywise product between the vector e_j and the vector e_j minus the vector 1 is equal to 0, which means that each entry of e_j is either 0 or 1. So these conditions are equivalent to the condition that e_{j,i} is equal to 1 if π(j) is equal to i, and 0 otherwise. We can rewrite the second condition as: the entrywise product of two vectors e_j is also equal to e_j. I also would like to note that now the ciphertext C_j can be regarded as an ElGamal commitment to the vector e_j.

Let's see the first statement. We need to prove that all ciphertexts C_j satisfy the condition that the sum of all entries of e_j is equal to 1. In fact, we can batch the statements for all ciphertexts together. We let the verifier pick a random challenge ω for the prover. Then both parties compute the product of all ciphertexts raised to the power of ω to the power of j, and we call this new ciphertext C. In fact, it is a commitment to such a vector e. Because ω is random, if the sum of ω to the power of j times the condition is equal to the sum of ω to the power of j, then all conditions hold with overwhelming probability. So we can let Ω equal the sum of ω to the power of j. It is enough to only prove that the inner product of the vector 1 and the vector e is equal to Ω. Now we can use the new statement, that is, a vector e and randomness r such that e is the committed value inside C and the inner product of the vector 1 and e is equal to Ω. This is the inner product for a
committed vector, and we provide a modified version of the protocol in the Bulletproofs paper to prove this fact.

Now let's move to the second condition. To prove this condition for all ciphertexts, we can follow a similar procedure as before. We let the verifier pick random challenges s and y for the prover. Then both parties compute the product of all ciphertexts raised to the power of s to the power of j, and similarly we obtain a resulting ciphertext C as the ElGamal commitment to such a vector d. Because s is random, if the sum of s to the power of j times the entrywise product of two vectors e_j, minus the vector d, is equal to 0, then the condition for all j holds with overwhelming probability.

Let the vector d_j equal s to the power of j times the vector e_j. We let d_j ⋆ e_j equal the sum of d_{j,i} times e_{j,i} times y to the power of i. Then if d_j ⋆ e_j is equal to 0, the entrywise product of the vectors d_j and e_j is equal to the vector 0 with overwhelming probability. So we can batch the conditions for all j as one equation: the sum of d_j ⋆ e_j, plus the vector minus 1 ⋆ the vector d, is equal to 0. This statement can be proven by the zero-knowledge argument introduced in the paper BG12, and we also provide an improvement of the protocol in our paper.

Now let me summarize our modification to make the initiation phase actively secure. Now the message from Alice for each incoming wire is two ciphertexts, together with the elements for the decryption of the second ciphertext. Alice also needs to prove in zero knowledge her knowledge of a valid extended permutation π, of the t_j, and of the private key for the ElGamal encryption scheme. The complexity of this protocol is linear in the number of wires in the circuit, and the number of wires in the circuit is linear in the number of gates in the circuit, so the complexity is linear in the number of gates.

An important thing is that the messages from Bob in the initiation phase
are random, so they can be generated by a random oracle to make the initiation phase non-interactive, and any party playing the role of Bob can verify Alice's messages and start the evaluation phase with Alice. So for this global reusability, Alice publishes a non-interactive initiation phase, and other parties can download this information, verify the correctness, and then start the evaluation phase with Alice for the private function F.

That's all of my talk. If you are interested in this work, please find the full version on ePrint. Thank you very much.
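
The wire-label generation and derivation steps described in the talk, as an added example that is not part of the talk or the authors' code. It assumes a toy group, that outgoing-wire labels are G_i raised to α_b (as the derivation step implies), and a constructed extended permutation; all function names are hypothetical.

```python
import secrets

# Toy parameters (assumption, far too small for real use): the order-Q subgroup
# of Z_P^* with P = 2Q + 1, generated by GEN.
P, Q, GEN = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1              # exponent in [1, Q-1]

def is_valid_ep(pi, n_in, n_out):
    """Every incoming wire 1..N maps to exactly one outgoing wire in 1..M."""
    return set(pi) == set(range(1, n_in + 1)) and all(1 <= i <= n_out for i in pi.values())

def indicator(pi, j, n_out):
    """Vector e_j: entry i is 1 if pi(j) = i and 0 otherwise."""
    return [1 if pi[j] == i else 0 for i in range(1, n_out + 1)]

def satisfies_conditions(e):
    """The two conditions from the talk: <1, e> = 1 and e * e = e entrywise."""
    return sum(e) == 1 and all(x * x == x for x in e)

def initiation(pi, n_out):
    g = {i: pow(GEN, rand_exp(), P) for i in range(1, n_out + 1)}   # Bob: G_i
    t = {j: rand_exp() for j in pi}                                 # Alice: t_j
    blinded = {j: pow(g[pi[j]], t[j], P) for j in pi}               # Alice -> Bob
    return g, t, blinded

def make_labels(g, blinded):
    alpha = (rand_exp(), rand_exp())                                # Bob: alpha_0, alpha_1
    # Assumption: the label of outgoing wire i for value b is G_i^alpha_b.
    out_lbl = {i: tuple(pow(x, a, P) for a in alpha) for i, x in g.items()}
    in_lbl = {j: tuple(pow(x, a, P) for a in alpha) for j, x in blinded.items()}
    return out_lbl, in_lbl

def derive_incoming(out_label, t_j):
    """Alice: raise the label held on outgoing wire pi(j) to t_j."""
    return pow(out_label, t_j, P)

# Constructed mapping with M = 8, N = 12; only pi(5) = 1 and pi(7) = 8 are from the talk.
PI = {1: 2, 2: 3, 3: 4, 4: 5, 5: 1, 6: 6, 7: 8, 8: 7, 9: 1, 10: 3, 11: 6, 12: 7}

def derivation_is_consistent(pi=PI, n_out=8):
    g, t, blinded = initiation(pi, n_out)
    out_lbl, in_lbl = make_labels(g, blinded)
    return all(derive_incoming(out_lbl[pi[j]][b], t[j]) == in_lbl[j][b]
               for j in pi for b in (0, 1))
```

The check passes because (G_i^{α_b})^{t_j} equals (G_i^{t_j})^{α_b}, so Alice can move a label across a connection she knows without learning α_0 or α_1.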