 Hello everyone, my name is Mark Upspool and thank you for joining my talk on work I did together with Ronald Kramer, Yvan Damgaard, Daniel Escudero, Maciej Rambeau, Chaoping Ching and Chen Wan on asymptotically good arithmetic secret sharing schemes over Gavel rings via means of elementary lifting and applications to multi-party computation. I'm going to start by jumping straight into some of the mathematics that illustrates what we are going to be looking at today. Let's take the ring of integers modulo of prime power p to the k. From this ring we get a homomorphism pi to the finite field of order p. This homomorphism is surjective, so if we take any element a in the finite field then there exists a lift b in the ring upstairs such that the projection downward of b equals a. Since the homomorphism is not in general injective the lift is not uniquely defined. If instead of taking a finite field downstairs of prime order we take an arbitrary finite field the corresponding ring we get upstairs is a Galois ring. More specifically for any Galois ring upstairs we get a corresponding projection homomorphism pi. Since we can express the finite field of q elements where q equals p to the h as a quotient of a polynomial ring in fp we can also write the Galois ring in a corresponding form. For the Galois ring we quotient out by the ideal generated by g where g is a monic polynomial with coefficients in z modulo p to the kz and the reduction of g modulo p is irreducible in fpx. Again we get a surjective projection homomorphism pi from the Galois ring to fq and we can lift any element downstairs to an element in the Galois ring. However in this work we are not interested in lifting single elements but we are interested in lifting larger structures. Concretely we are interested in the lifting of linear secret sharing schemes. So the question that arises is if we take a linear secret sharing scheme defined over fq can we now lift this secret sharing scheme such that we get a secret sharing scheme over r and if so what properties of the secret sharing scheme are preserved by this lift? Now the reason we're looking at these liftings is because we want to achieve asymptotically good arithmetic secret sharing schemes over the galois ring in order for us to be able to use them for multi-party computation protocols. An asymptotically good secret sharing scheme is briefly put a family of secret sharing schemes with lengths or the number of players tending to infinity over a fixed finite field so it has a constant share size. Using this we should be able to get a linear complexity multiplication protocol which is optimal. You might think why not use Shamir scheme is because it's in fact not asymptotically good. So in Shamir scheme the number of players is bounded by the field size which for fields is not too much of a problem in practice because usually in MPC you're computing over a large field usually a large field of prime order but for galois rings this constant or the the bound and the number of players is different so for a galois ring with characteristic p to the k and degree h we need p to the h to be larger than n which means that if we're looking at the case for example p equals 2 then h already needs to be log n starting from the very beginning so even if we have just four players who already need to get h equal to 2. For information theoretic multi-party computation protocols we basically have two regimes we have the adversary corrupting less than a third of the players or the adversary corrupting less than one half of the players. For the adversary corrupting less than a third of the players we are able to achieve perfect security so zero error probability this requires strongly multiplicative secret sharing schemes we're able to use Shamir scheme which also works for the maximal adversary so t strictly less than n over three but Shamir scheme has the downside of requiring that the number of players be less than the field size you can also do it over a fixed finite field using algebraic geometry codes if we allow a small linear gap between the privacy and reconstruction thresholds both of these constructions have been transported to Gala rings but the algebraic geometric construction requires lots of complicated geometry over Gala rings in our approach we look at the different regime which is t less than n over two here with Shamir scheme we can get n log n complexity and over fields the state of the art is the protocol by Beth Sasan Ferenostrovsky from 2012 we are going to be adapting this protocol in our work thereby also improving the state of the art for the t less than n over two case even though it is not what we focus on with our elementary lifting techniques here with our elementary lifting techniques we're going to look at lifts of self dual codes or algebraic geometric codes in any case codes that are asymptotically good then in this setting we're able to achieve a linear complexity in the online phase however because the preprocessing phase in the bfo 12 protocol still relies on polynomial interpolation we still get an n log n complexity for the offline phase here let's briefly recap linear codes over finite fields a linear code over fq is a vector subspace of fq to the n it has a dimension namely it's dimension as a vector space it has a minimum distance which is the minimum number of coordinates that is non-zero excluding the zero vector and it also has a dual with respect to the standard inner product on on fq to the n since the dual is also a vector space and hence a code we can also look at the dual distance of the code c now it's been known since messy that there is a correspondence between linear codes and linear secret sharing schemes over fq namely if we get a linear code c then we get a linear secret sharing scheme with the dual distance minus two privacy and the length minus the distance plus one reconstruction in this correspondence we designate one of the coordinates of c to be the secret and the remaining coordinates to be shares of the players for the multiplicative property on codes we look at the span of all coordinate-wise products of two vectors you denote this space by c square if this space is not the full space fq to the n then it means there is some linear relation between the coordinate-wise products of any two vectors in terms of secret sharing this means that if we have two secret sharing and the players locally multiply their shares then they are able to linearly reconstruct the products of the two corresponding secrets now recall our projection homomorphism pi from r to fq you can also extend this over n coordinates and if we have a linearly closed subset of fq to the n we can lift this and take the earlier in a span and then get an earlier nearly closed subset upstairs the question arises what properties of the code downstairs are preserved in this manner now if we insist on c hat the code upstairs being a free module over r then we can show that the distance and dual distance of the code upstairs are lower bounded by the corresponding parameters of the code downstairs also we can show that some uniformity remains uniformity in the context of secret sharing means that the distribution of the share of any particular player or any privacy set is uniform unfortunately as we already indicated multiplication does not lift and we shall demonstrate this with a counter example however for p is larger than 2 we will show that we can find a specifically chosen lift that preserves self orthogonality of a code downstairs so if we take a self orthogonal code then we can lift it in a particular way such that we get a self orthogonal code over the gal ring and the nice thing about self orthogonal codes is that they have a multiplicative property now we insist on c hat being a free module and we can easily see why we need this for example take the code over f2 to the n which just has the all ones code word and the all zeros code word now if we lift this code to z modulo 4 then we can add the code word 2 comma 000 which projects down to the zero code word so we get a non free lift the minimum distance of the code downstairs is obviously n but now we have a lift with minimum distance one which is the worst possible distance now in slightly more detail if we have a t-dimensional code over the gal ring and taken into the definition of code we assume that c is free and we look at the reduction of c modulo p and we can lower bound the distance and dual distance of c by the distance and dual distance of c bar also we can show that c dual is in fact a free module of rank n minus t for uniformity we have that if we take the projection of c onto any set of coordinates that is of cardinality less than the dual distance minus one then we have that we get the whole space now we will show why multiplicativity does not lift and we will do so with a counter example take two codes c1 and c2 to find over fp of the same dimension k now we take generators x1 up to xk of c1 and we're going to lift them individually to r we're going to do the same with generators y1 up to yk of c2 the lifted generators we'll call them x1 hat to xk hat and y1 hat to yk hat now for the code upstairs we will define it to be x i hat concatenated with p multiplied by y i hat now if we take this code and we look at its reduction c bar then we can see that since we included a multiple of p for the generators of c2 they collapsed to zero this means that the dimension of c bar squared is equal to the dimension of c1 squared however if we look at the dimension of c squared then it is surely at least larger than the dimension of c1 squared and the dimension of c2 squared so it also depends on the dimension of c2 squared now c2 has a bad square for example say the dimension of c2 squared is very large then we can see that c also has a large square however c bar square might have a small square if c1 has a small square so we can lift an arithmetic secret sharing scheme but in lifting we lose its arithmetic property so we need another way to get multiplication now for p and odd prime we can find a specific lift that preserves the self-orthogonality of a code so if we have a self-orthogonal code defined over the finite field then we can lift it to a self-orthogonal code over the galvar ring this is no longer about the structure that is preserved under an arbitrary lift we have a specific single lift that works for this case i'm not going to go into much detail on what the lift looks like specifically but the idea is roughly that we take the code over the finite field and stepwise we will increase the power of p by one and lift it to a self-orthogonal code now just to give a rough idea of what this process looks like let's take a generator matrix for c bar the code that we want to lift that is defined over fq we're going to take a canonical lift to the galvar ring with characteristic p square this canonical lift does not include any factors of p now again we get a matrix in systematic form so we get this sub matrix a on the right hand side and based on this sub matrix we're going to define a new matrix a2 note that in this expression we have the factor one half so we need to be able to divide by two which is why this method that we have found does not work for the case p equals two we do not know if there is another method that does work for this case also note that we have this factor i plus a times a transpose in the definition of a2 and given that we know that c bar is self-orthogonal we know that this is this expression evaluates to zero in fq hence if we take the lift to the galvar ring of characteristic p square we know that this expression is inside the ideal p times r this means that if we reduce a2 modulo p then this entire second term evaluates to zero hence if we look at the code with generator matrix i and a2 if we then reduce it modulo p then we again get our original code c bar now we can show that the code we have generated just now is self-orthogonal and to get the self-orthogonal code over r we simply repeat this process now the whole point of looking at self-orthogonal codes is that self-orthogonal codes have this multiplicative property and we know that they exist over fields as we have shown our method for lifting self-orthogonality does not work for the case p equals two so we need a different way to get multiplicativity we will use an existing technique where we take secret sharing in both c and c dual since we know that the inner product between a vector in c and a vector in c dual is zero we have a linear relation of the coordinate wise products of these two vectors which is precisely what we need for multiplicativity the downside of this approach is of course is that it doubles the share size with these results about lifting codes from finite fields to Galois rings in hand we now apply them to what we already know to be true for codes over finite fields recall that the point was to get asymptotically good arithmetic secret sharing schemes over Galois rings now we define slightly more precisely what we mean by this a family of codes is a sequence of linear codes with the respective lengths tending to infinity for such a family of codes we can look at the relative distance which is the limit of the dimension divided by the length of the code and also the relative dual distance in a similar manner for fields we can we know that there exists a family of codes with the relative distance and relative dual distance approaching one half in fact these codes even exist when we require strong multiplication also a family of self-dual codes exists also tending these bounds given what we now know about lifting we can simply take such a family of codes defined over a finite field and lift each code individually to r the parameters will follow from what we discussed in the previous slides and to get multiplication for the family of codes that we have lifted we use either for p greater than two the self orthogonality trick or for p equals two we use the trick where we secret share using both c and c dual if we want an asymptotically good arithmetic secret sharing scheme with these results about asymptotically good arithmetic secret sharing schemes over r we now look at the communication complexity of multi-party computation over r we're going to look at information theoretic mpc within the computationally unbounded adversary that corrupts less than a fraction one half minus epsilon of the players additionally with humor broadcast channel which is needed in this setting and we are in the model of statistical security now there are three specific settings we consider first we consider passive security second active security with a board and third the best model full security with guaranteed output delivery so the adversary cannot do anything to disturb or alter the computation and it is guaranteed to finish recall that in shamir secret sharing scheme based mpc we always have an n log n communication complexity where the log n is due to needing to move to a larger gal bar ring in order to accommodate an increasing number of players however with asymptotically good secret sharing schemes we can actually get a linear communication complexity as we shall see this factor one half minus epsilon instead of just one half comes from the fact that we need a linear gap between the privacy and reconstruction thresholds for these asymptotically good secret sharing schemes for shamir scheme we would be able to tolerate up to one half of the players however then it is inherent that we need the size of the shares to grow with the number of players for passive security we generate random double sharings in a double sharings in a pre-processing phase which are sharings of the same random element r in both c and c squared to then multiply two elements in the online phase we simply take local products of two secret sharings and then use these random double sharings to move from a sharing in c square to a sharing in c one problem that arises is that the random matrices that are invertible and are of sufficient size do not necessarily exist over r a solution here is to move to an extension of gal bar rings for active security with a board we simply take the passively secure protocol from the previous slide then we use an existing compiler to compile this passively secure protocol to a protocol which is actively secure with the boards we can do this because the protocol from the previous slide is not just passively secure but it is also actively secure up to additive attack this means that the multiplication protocol is private and the only thing an adversary can do is introduce an additive error at each gate the compiler then works by taking secret sharings x and r times x and keeping this as an invariant where r is a secret random value that is the same for the entire circuit at the end it will be verified whether the output sharings satisfy this form everything basically just works using this existing compiler and the result is a protocol with linear communication complexity per multiplication for the regime of guaranteed output delivery we require a lot more work the previous state of the art for this setting over gal bar rings adapted a protocol that was not state of the art over fields it has a communication complexity of n square log n and it was chosen because it simplified the exposition of the other techniques that were needed to adapt shamir secret sharing scheme to gal bar rings in this work we chose to adapt the state of the art over fields in this setting which is worked by ben sazon fir and astrosky from crypto 2012 for this we had to overcome various challenges that are posed by adapting this considerably more complicated protocol over gal bar rings to give an idea of a few challenges that we had to overcome our secret sharing scheme for p equals two recall that we doubled the share size by taking secret sharings in both c and c dual um this means that we can no longer nicely move to a extension of gal bar rings which is needed to reduce the error probability we managed to overcome this by taking the tensor product of our secret sharing scheme with a suitable extension of gal bar rings and as a result we do get a secret sharing scheme defined over this gal bar ring extension some other challenges were that the correctness check of the protocol from bfo 12 relies on the invertibility of elements and we no longer have this over gal our rings um another thing is that the authentication tags are based on twisted sharings which are secret sharings with the secret coordinate corresponding not to the zeroth coordinate but to a different coordinate which corresponds to one of the player's shares and this is done to minimize the complexity of these authentication tags or minimize the overhead of introducing them for the pre-processing phase um bfo 12 introduced a polynomial trick for batch verification which reduced the communication to uh n log n basically the log n factor comes from the fact that you're using polynomials over a field um similar to the fact that we have this n log n communication complexity for Shamir scheme unfortunately we're not able to improve on this um for our gal bar ring setting hence we are stuck with this n log n factor in the offline phase however in the online phase we do get the benefits of our asymptotically good secret sharing schemes and we reduce the communication to linear also our work in adapting bfo 12 also it also works for the setting of t less than half of the player is using Shamir secret sharing scheme and our work also improves the state of the art for this setting note that combining art techniques together with results from crypto this year we can actually reduce the communication even further to a linear complexity in the online phase all right to sum up we have shown that arbitrary lifts of codes from a finite field to a gal bar ring preserve both distance dual distance and uniformity for p greater than two we have shown that with a judicious choice of lifts we can preserve the self orthogonality of the code downstairs using results over fields we can get asymptotically good linear codes over r by simply lifting each of the codes in a family of field family of codes individually we can get arithmetic secret sharing by either using our self orthogonality or we can get a sharing using both c and c dual we get a linear complexity mpc protocol both with passive security and for active security with a board using existing techniques for guaranteed output delivery we get a linear complexity online phase with an n log n complexity reprocessing phase per multiplication that sums up my talk thank you