 Hello, my name is Reo Eriguchi. In this video, I talk about a non-interactive secure multi-party computation for symmetric functions revisited, more efficient constructions, and extensions. This is a joint work with Kazuma Ohara, Shota Yamada, and Koji Noida. First, we introduce a non-interactive multi-party computation. This is a variant of secure computation that allows each player to send only a single message depending on their private inputs. Players send their messages to an output player called the evaluator. In this model, players do not need to communicate with each other, and so they can realize a synchronous multi-party computation, which is especially important in applications to voting, auctions, and statistical surveys. We note that a standard MPC protocol assumes a simultaneous interaction between players, and so some player may need to wait for messages from others. That leads to a delay in completion of protocol. Previously, it is known that unconditionally secure an MPC protocol for all the n-input functions is possible. However, such a protocol must result in exponentially large communication complexity because of a non-lova bound. So in this work, we focus on a special class of practical functions with applications to voting, auctions, and so on. We aim at reducing communication complexity of NIMC protocols for those specific functions. Here we summarize our contributions. First, we propose an efficient NIMC protocol for symmetric functions, which can be applied to voting and auctions. Our protocol improves the best known communication complexity for symmetric functions. We also propose an efficient NIMC protocol for linear classifiers. They perform a classification based on a weighted sum of NIMPs. They include support vector machines and logistic regression. Our protocol is the first one tailored to linear classifiers, other than the general but inefficient construction for all the functions. In addition, we revisit a previously known technique to strengthen privacy of NIMPC. It's an important technique for an NIMPC, and actually we use it in the above efficiency improvement part. However, we reveal that their sub-protocol used as a building block does not satisfy the security requirements, and so their technique is not secure either. In this work, we also fix that security issue without increasing their communication complexity. In summary, their statements still hold true, but it is necessary to replace their building block with ours. In this talk, due to the time constraint, we only explain our NIMPC protocol for symmetric functions and our security analysis. First, we provide the definition of NIMPC. We consider a class of NIMPUT functions H, and an NIMPC for H consists of three algorithms. First, a randomness generation algorithm takes as input a function to compute, and outputs a correlated randomness. Each piece R i is sent to the i-th player in the setup. Then, each player computes an encryption function on their private input and their randomness. Then, he sends a message mi to the evaluator. Finally, the evaluator computes a decryption function on all the messages. The efficiency of an NIMPC protocol is measured by a communication complexity, which is defined as a maximum number of bits to send randomness and messages. Then, the correctness of NIMPC is straightforward. Specifically, for any function H and any n inputs, we require that an output of the evaluator is equal to the output of the function H. The privacy requirement of NIMPC is more involved and is a bit different from that of standard multi-party computation. Specifically, we assume an adversary corrupting a subset of players C, as well as the evaluator. Then, the adversary obtains a randomness of corrupted players and messages from honest players. Using that information, the adversary can locally compute a function H on all the possible inputs of corrupted players, combined with the fixed inputs of honest players. This kind of information leakage cannot be avoided in NIMPC, and so require that a protocol leaks nothing beyond that information, which is why we call that privacy requirement a best possible security. Formally, we define a residual function whose input variables are those corresponding to corrupted players, and whose output is a value of H fixing the inputs of honest players. We say that an NIMPC protocol is zero best if it leaks nothing beyond the residual function. Formally, there exists a simulator that perfectly simulates the adversary's view, only from the oracle access to the residual function. We simply say that a protocol is zero best if it is zero best for all subsets of size at most T, and we also say that a protocol is fully robust if it is N robust. So, through robustness is a strongest privacy requirement of NIMPC. Next, we provide our NIMPC protocols for symmetric functions. Before we give the formal definition of symmetric functions, we introduce a generalized notion of Abellion programs. Let G be an Abellion group, and S1 to SN be subsets of G, and F be an arbitrarily function from G to 01. Then an Abellion program, HF, takes as input N tuples from the product set of S1 to SN, and it computes the function F on the sum of N inputs. Then we define the class of Abellion programs as a collection of all HF, each associated with function F. We note that the class of Abellion programs include all symmetric functions. Indeed, let H be any symmetric function, that is, a value of H does not change, even if we arbitrarily permute the input variables. We can observe that H of X depends only on the vector VX, rather than X itself, where each entry VJ counts how many inputs are equal to J. Then let G be the direct product of these cyclic groups of size N plus 1, and S1 to SN be all the set of all unit vectors. And because of that property of H, there exists a function F such that its value on VX is equal to H of X for all inputs X. From that observation, H can be viewed as an Abellion program associated with that function F. In summary, the class of Abellion programs includes all symmetric functions, and so from now on, we construct NIMPC protocols for Abellion programs, rather than for symmetric functions. Before going into the details, we make an important remark on the definition of Abellion programs. In the definition, we specify input domains S1 to SN. This is because how to set input domains affects how much information leaks from the residual functions, which is directly related to the privacy requirement of NIMPC. For example, I consider an Abellion program HF, and it's a residual function when the nth input player is corrupted. Then if the input domain of the nth player SN is equal to G, that of the residual function is also G. That means an adversary is allowed to compute HF on all the elements from G, combined with the fixed inputs of honest players. However, if SN is a strict subset of G, the adversary is only allowed to compute HF on elements from the subset. In summary, NIMPC protocols for Abellion programs whose input domains are all G is allowed to leak more information than NIMPC for Abellion programs whose input domains are strict subsets. We must distinguish two cases because the corresponding privacy requirements are completely different. Now we show the details of a result. First, we consider the case where input domains are all G. Then we propose a fully robust NIMPC protocol whose communication complexity improves the best known result. An important point is that because of the known lower bound, the complexity cannot be sublinear in the size of G. So the exponent of our result is minimum. We also consider the case where input domains are strict subsets. We propose a T-row best NIMPC protocol whose communication complexity again improves the best known results in terms of the size of G. Now we explain our NIMPC protocols. First, we deal with a case where input domains are G. Our high level idea is extending another previous protocol that is tailored to the cyclic group into a general Abellion group. So the communication complexity of our protocol is also similar to that of the previous protocol. We briefly recall that protocol for a symmetric function. Inputs are N group elements and we want to compute function F on the sum of N elements. Instead of directly dealing with group elements, they express each element G as the G iteration of a special map sigma, which shifts elements by one. Then the protocol proceeds as follows. First, N inputs are expressed by N corresponding maps and the protocol securely performs a composition of these maps. Because of the number of iterations is now the sum of N inputs, it is possible to compute a value of F on the sum. An important part of this protocol is to securely perform a composition of these maps, but it can also be done by Kylian's randomization technique. It uses N minus 1 pairs of a random number and its inverse. Each input R is masked with these random numbers. But if they are multiplied, the desired composition can be obtained. Our protocol roughly follows that previous framework. We have to generalize the representation of the cyclic group to a general Adelian group. For that, we use the regular representation of G. It expresses each element G by a map tau G, which shifts elements by G. An important feature of this representation is composition of N representations is equal to a representation for the sum of N elements. Using that property, our protocol proceeds as follows. In the setup, N minus 1 random permutations are generated. Then each player is given a couple of representations masked with these permutations. Then players choose a masked representation corresponding to their input and send it as a message. Finally, the evaluator performs a composition of these maps. Because of that property, he can obtain a value of F on the sum. However, this protocol is not final. The complexity is quadratic in the size of G, because we need to send masked representations for all group elements. However, our important observation is that it is sufficient to send only representations for generators, because players can locally compute a masked representation corresponding to their inputs from them. Furthermore, the number of generators is also bounded by the log of the size of G due to the fundamental theorem of finite Adelian groups. So we can achieve the desired complexity. Now we explain our protocols for Adelian programs where input domains are strict subsets. We construct it based on our formal protocol for Adelian programs where input domains are all G. To restrict input domains, we use a previously known technique to strengthen our privacy of NIMPC. It transforms any zero-best NIMPC protocol into a zero-best one, while it involves some overhead in communication complexity. Specifically, that transformation technique transforms any zero-best NIMPC protocol into a zero-best one for the same class of functions. We use it to restrict input domains. Consider a class of functions whose input domains are all set X, and also consider its restriction to subsets. Suppose that we are given a fully robust NIMPC protocol for functions with input domains X. Clearly, it's also a zero-best NIMPC protocol for the same class of functions, because full robustness is a stronger security notion than zero-bestness. Then, our important observation is that a zero-bestness still holds, even if input domains are strict subsets. The reason is a bit complicated, but roughly speaking, the notion of zero-bestness does not involve the residual function, and so it's not affected by what input domains are. Finally, we apply their transformation and obtain a zero-best NIMPC protocol for those functions. It involves some overhead in communication complexity. Now, we can apply our previous technique to Abellion programs. The overhead in communication complexity comes from the last step of applying their transformation. So far, we have used the transformation proposed by Benjamin Hamed et al. In this work, we revisited and revealed that their original transformation has a security issue. In the following, we give a brief summary of our security analysis. Again, their transformation technique transforms any zero-best NIMPC protocol into a zero-best one. As a building block, their transformation needs a fully robust NIMPC protocol for what they call outputting message functions. Let A be a matrix over a finite field, U be a vector, and M be a scalar. An outputting message function associated with them outputs a message M exactly when any input satisfies a linear equation. Actually, they propose an NIMPC protocol for those functions. However, we reveal that their protocol does not satisfy even one robustness, and so their transformation is not secure either. In this work, we also propose a technique to fix their security issue without increasing their communication complexity. In summary, their statements still hold true, but it is necessary to replace their building block with ours. Finally, we summarize this talk. In this work, we propose two kinds of efficient NIMPC protocols for practical functions. The first one is for symmetric functions, and we improve the best known communication complexity for symmetric functions. The second one is for linear classifiers. Our work is the first proposal other than the general bat inefficient construction of NIMPC protocols. In addition, we revisit previously known techniques to strengthen privacy of NIMPC. We reveal that their sub-protocol used as a building block does not satisfy the security requirements. We also fix their security issue without increasing the communication complexity. A possible future work is closing a gap in communication complexity between our app abounds and the best known lower bound. This is the end of my talk. Thank you for listening.