 Hello, this work is about multi-key 40-hole morphic encryption in the plan model, I'm Zheng Zhongjin from Johns Hopkins University. This work is joined with propangian anans, abstract gen, and Julio Malavota. The notion of multi-key 40-hole morphic encryption was proposed in LTV12, and it is defined as follows. Suppose there are n-parties. Firstly, each party runs on key generation algorithm and obtain a public key and a secret key. Then each party outputs their public keys. Next, anyone with these public keys can use them to encrypt some messages into ciphertext. So let's consider if there is a circuit C, then anyone can do a homophic evaluation of C over this ciphertext and obtain an encryption of the output. However, to obtain the actual output of the circuit C, all these parties need to be involved in a multi-round decryption protocol, and finally recover the output. For the properties, we require this scheme to satisfy the compactness, which means the homophically evaluated ciphertext has a size independent of the circuit being evaluated, but we allow the size of the new ciphertext to depend on the depth of the circuit being evaluated. For the security, we require that any adversary can only learn the output of the circuit and nothing else. We want to emphasize that here there is implicit reusability, which means the decryption protocol can run for different homophically evaluated ciphertext without regenerating the public keys or the ciphertext. For example, if there is another circuit C prime, and we obtain a homophical evaluation of C prime over these ciphertexts, then to decrypt the homophically evaluated ciphertexts, all these parties only need to do another decryption protocol and finally recover the output of C prime. So all these parties, they don't need to generate some other public keys or ciphertexts. Later, in the work of MW16, they proposed a multi-key FHE with one-round decryption property. So instead of doing a multi-round decryption protocol in the previous work, in MW16, the decryption protocol is in one round, where each party outputs some partial decryption of the homophically evaluated ciphertext. And finally, all the parties with this partial decryption can publicly recover the output of the circuit. Multi-key FHE has found many applications in cryptography. The first application is two-round multi-party computation in MW16, and later this notion was also found useful in other areas. For example, it's also used in the spooky encryption and the homophic security sharing, obfuscation and functional encryption, multi-party obfuscation and homophic time-lock puzzles, as a whole multi-input functional encryption, etc. On the previous works of multi-key FHE with one-round decryption, we find that all the existing contractions either need a trusted setup or need some strong assumptions, such as some exponentially secure indistinguishable obfuscation. So we write the following natural question. In the plan model, does multi-key FHE with one-round decryption exist? And here is our results. Our first result is the construction of multi-key FHE with one-round decryption in the plan model, from learning with error, ring learning with error, and a decisional small polynomial ratio problem. And for this construction, we also achieve a constant number of party multi-key FHE from only LW. For our second result, we show a construction of a multi-party homophic encryption from LW. So this is a notion we introduce as a weakening of multi-key FHE. We will introduce this new notion in the next slide. Now we introduce this new notion of multi-party homophic encryption as a weakening of multi-key FHE. This notion is very similar to the multi-key FHE, in the sense that it also has a public key generation phase. And anyone can use these public keys to encrypt some messages and obtain some separate texts. Now given a circuit C, one can also do the homophic evaluation of C over these separate texts and obtain an encryption of the output. And it also has a one-round partial decryption procedure, where each party can output some partial decryption of the new separate text. However, for the public recovery, instead of only takes the partial decryptions as input, this new notion allows the public recovery to also take the circuit being evaluated as input. However, this notion is still non-trivial, so since it already implies two-round reusable multi-party computation with compact communication complexity. To obtain our results, here is our approach. In the previous work, they construct two-round MPC protocol from the multi-key FHE. However, in this work, we go the reverse direction. We construct the multi-key FHE from the reusable MPC, and the reusable MPC is defined as follows. It is a special two-round MPC protocol. So in the first round, as any two-round MPC protocol, every party outputs some encoding of their own private inputs. Next, in the second round, if they want to jointly compute some circuit C, then they output some second round messages. For the reusability here, we mean the first round messages are reusable. For example, if this party wants to jointly compute another circuit C prime, then what they need to do is simply output another second round messages. Well, the first round message can remain unchanged. The notion of reusable MPC was also proposed and constructed in the BL-20 from Benignia Max, and also in the recent work of BGMM-20 from the Decisional Delphi-Hellman assumption, or any succinct first-round message MPC. In this work, we try to construct reusable MPC from one time MPC. However, to make our transformation work, we need the one-time MPC to satisfy a special succinctness property that I will explain later. For the rest of the talk, I will show you the construction of the reusable MPC to the key FHE first, and then I will show you the transformation from one time MPC to reusable MPC. Our starting point is the observation that LTV-12 is in fact in the plan model, but it has a multi-round decryption protocol. So here is the overview of LTV-12, and it has a multi-round decryption protocol. So our idea is to run a reusable MPC for the decryption circuit of LTV-12. So we don't need to run this multi-round decryption protocol. Specifically, in the one-round decryption, we simply output the reusable MPC second-round messages. And since the first-round message of this reusable MPC doesn't depend on the circuit being evaluated, we can put the first-round message into the public keys. Next, I will show you the transformation from one time MPC to the reusable MPC. Our idea is to use a self-synthesis approach. To illustrate this idea, I will firstly show you the transformation from one time MPC to two times MPC. So the idea is to use one time MPC to generate two sets of fresh new first-round messages of one time MPC itself. For example, so suppose we have one time MPC and there are M parties, and they have input from M1 to Mn, then in the first-round, as in any MPC protocol, these parties, they output some encoding of their own private input. Next, they consider the following circuit G, where G takes the messages M1 to Mn as input, and the output two sets of fresh new first-round messages of one time MPC. So in the second round, these parties, they jointly compute the circuit G, and after the second round, they obtain the output of G, which are two sets of fresh new first-round messages. So they can use the first set for the first time use, and use the second set for the second time use. However, if we try to use this idea, we will encounter a problem. So, since we can only obtain the sets of fresh new first-round messages after the second round. All these parties, they need to involve in a third round to compute the actual circuit they want to compute. To solve this issue, we borrow the ideas from the reasonable works. So we apply the wrong compression techniques. So the idea is to gobble the third round next message function, next type, to compress the protocol into two rounds. Now here is an overview of our initial attempt. Instead of for the circuit G, instead of output the new first-round messages directly, we output a label of it. And also in the second round, we output the gobbling of the next message function. Now we have shown how to go from one time MPC to two times MPC. So how about from two times reusable to the reusable? The idea is to recursively apply the self-synthesis approach. So recall that from our one time to two times transformation, we use our one time MPC to generate two sets of new first-round messages for one time MPC itself. So we can apply this self-synthesis approach recursively to the two fresh one time MPC. And continue doing this. Now consider given a circuit C, how do we choose the one time MPC according to the circuit? So the idea is to walk down the tree according to the bit representation of C. For example, if the first bit of C is zero, then out of the new node, we choose this left child. And if the second bit of C is one, then in the next step, we would choose this right child. We continue doing this until we reach the leaf node of the tree. And we evaluate the circuit on that one time MPC. However, if we use this approach, we would encounter a time complexity blow up. This is due to the falling effect. So for the one time MPC in the plan model, the time complexity of the first-round message is proportional to the size of the circuit and some polynomial overhead of the security parameter lambda. So let's say at the bottom level, the time complexity of the first-round message is C times lambda. Then in the second and last level, the time complexity becomes C times lambda squared. And if we go all the way up to the new node, then the time complexity becomes exponential in the security parameter lambda. To solve this issue, we firstly identify the necessary condition for recursion. We find that if we assume the one time MPC is succinct, which means its wrong complexity of the first-round message is independent of the size of the circuit being evaluated, then such a recursion can go through. And we also observe that the MPC construction in the work of MW16 satisfies this succinctness, but their construction is in the CRS model. So we use the different MPCs at each tree node. At the root node, we use a plan model one time MPC without any succinctness. But for the rest of the nodes in the tree, we use the succinct MPC in the CRS model. And finally, in fact, we showed that such a succinct one time MPC in the pre-processing model suffices for our recursion. This is because we can generate such a CRS in the MPC. And this concludes our generic transformation. Thank you.