 Hi everyone and welcome to this talk on efficient information theoretic multi-party computation over non-commutative rings, which is joint work with Daniela Scudero from Ohus University. So first of all, let's define what's multi-party computation. Multi-party computation allows a set of mutually distrusting parties to compute on their private data. And a classical example for this is the millionaire's problem, where there's four parties here in the picture who want to know who's the richest among themselves, and they don't want to reveal their wealth to each other. So a way to solve this problem without cryptography would be to appeal to some trusted third party to which they could send their inputs. This party would carry the computation on their behalf and just return the answer back to them. This is the ideal world that might not be visible in reality, so what multi-party computation does is replacing this ideal world functionality with a set of cryptographic techniques. So parties are going to exchange messages according to some protocol, and the issue here is that there's corrupted parties participating in the protocol. So we will say that our protocol will be secure as long as it is indistinguishable from this ideal world with a trusted third party. Since there are many kinds of NPC protocols, let us narrow the scope to the ones in this work. So we will be dealing with an adversary that might actively deviate from the protocol specification and which is more over unbounded in terms of computational power. Due to this, we need to restrict ourselves to a scenario where less than half of the parties will be corrupted, and we will also look at this scenario where less than a third of the parties are corrupted. Since we have this restriction in the corruption threshold, we can achieve a warranted output delivery or robustness if you are more familiar with that term. And in terms of the model of computation, we will follow the offline-online paradigm or pre-processing online paradigm, and we will base our results on the secret sharing over a non-commutative ring R. So this allows us to compute arithmetic circuits over a non-commutative ring R. And I have a small food note here to bring up that our work could be easily adapted to deal with mixed circuits, where some gates would be over a non-commutative ring, such as a matrix ring, and other wires and gates could be over the ring that this matrix ring is defined. Since our work will be based on a generalization of Shamir's linear secret sharing scheme to non-commutative rings, let us begin by reviewing this instruction over finite fields. Imagine four parties wanted to share some secret Y over the finite field with eight elements. Here in our example, c-square plus c. What they could do is sampling a polynomial of degree equal to the maximum amount of corrupted parties among themselves in such a way that this polynomial evaluates to the secret Y at some fixed public point alpha 0, which is 0 here in the example. Once this is done, by fixing other public values alpha 1 up to alpha 4, each of them corresponding to parties 1 to 4, we have defined their share of the secret Y as the evaluation of the polynomial P at this point alpha i. So we will use this double bracket notation to define the secret sharing of the value Y. And sometimes we will have this sub-index T to denote the degree of the polynomial that was used to share the secret. We know that this protocol is secure because T plus 1 points are needed in order to reconstruct the polynomial of degree T, and we only have T corrupted parties. So what happens when we actually want them to come together and find the secret? Well, things are a little bit more complicated than just trying to interpolate, but the good news for us is that Shamir's secret sharing scheme is a rich Solomon code, so parties can announce their evaluations of the polynomial and then they will try to interpolate. And depending on the corruption threshold, they will be able to do either error detection or error correction and thus find the secret or detect if the adversary is trying to abort this reconstruction procedure. And something that is very important here to note is that in order to do this interpolation, parties need to compute the inverse of the differences between their public values alpha i. And this works perfectly fine when you are in a finite field, but we will see that this is more complicated in more general rings. Before moving to more general structures, let's have a look at some properties of Shamir's scheme. First of all, Shamir's scheme is linear, meaning that we can multiply a secret with a public scalar by locally computing the product between the scalar and the shares. Moreover, we can do this on both sides and add the results together, resulting on what you would expect. So what's formally happening here is that the vector of evaluations of a degree t polynomial is a vector space. Another interesting property is a strong multiplicativity, meaning here that given two degree t-sharings of secrets x and y, a degree 2 t-sharing of x times y can be locally compute as a component-wise multiplication of the vector of shares. And crucially, both of these properties are enabled by the fact that the polynomial evaluation at some fixed point alpha is a ring of morphism, meaning it doesn't matter whether you first evaluate two polynomials, and then you add them together, or if you first sum the polynomials and you evaluate afterwards, and the same property for the product of polynomials. Prior to our work, Aspoilerol showed how to generalize Shamir-based protocols to commute at different rings. We won't spend much time reviewing the result, but the main takeaway from their work is that as long as the set of evaluation points has the exceptional property, field-based protocols carry over to commutative rings. We say that a set is exceptional if the difference of any two elements is invertible. If you remember, this is a property we had for granted in finite fields, but the presence of zero divisors makes it more difficult over rings. As an example, consider the ring of integers modulo 2 to the k, which has no exceptional set of size bigger than 2. This is due to the fact that any set of three elements will contain two elements with the same parity, so their difference is going to be a multiple of two, and hence a zero divisor. The solution to this problem is the same as when we want to compute over f2, namely we move to a Galois extension of the integers modulo 2 to the k, that is of the grid of arithmetic in the number of parties. The result is known as a Galois ring, and for the purpose of this talk, the only thing you need to understand is that exceptionally bigger exceptional, sorry, exponentially bigger exceptional sets can be found by moving to these extensions. We are now ready to define Shamir's secret sharing over non-commutative rings, but before that we need to understand how do polynomials look when their coefficients are in a non-commutative ring. So as mathematicians, we will just pick the definition that best suits our interests. In our case, we will uniquely define a degree D polynomial as the formal sum of D plus 1 coefficients in the non-commutative ring and powers from 0 up to D of an indeterminate x. Addition in this ring works as in the commutative case, but multiplication will look a bit different, as we want to keep the invariant of expressing polynomials as above. In order to do this, we will artificially make indeterminate commute with the coefficients of the polynomial. So for example, P1x times Q1x will result on P1 times Q1 times x squared, rather than P1 times x times Q1 times x. As a result, polynomial evaluation is no longer a ring omomorphism. In particular, we have broken the multiplicative group omomorphism for a general alpha. You might ask why do we define polynomials in this seemingly arbitrary way, and the reason is that we need this in order to prove a series of results leading to error detection and error correction, and even prior to that, a unique polynomial interpolation. Actually, we will have two different evaluation maps, which replaced indeterminate with the point alpha either on the left or the right-hand side of the coefficients. Depending on the choice of the evaluation map, we interpolate two different polynomials and also depending on this choice, we will have either a left module or a right module structure. Again, the key thing to have in mind here is that this is for an arbitrary alpha. So once again, the most important aspect for Schmiere secret sharing will be the properties of the set of evaluation points. We know from prior work that this set has to be exceptional. Over an uncommutative ring, we will additionally have two different cases. Here, this set is contained on the center of the ring, in which case everything works essentially the same way as overfinding fields, or if we relax the commutative requirements for these alphas so that they only need to commute with each other, we obtain secret sharing schemes which are not multiplicative and which will be linear either on the left-hand side or the right-hand side, according to the choice of the evaluation map as we show on the previous slide. We are then presented with a trade-off. If we look, for example, at the ring of n times m matrices over the integers modulo 2 to the k, the biggest exceptional set that is contained in the center of this ring has size 2, whereas in the more relaxed setting, since the degree m value extension of the integers modulo 2 to the k is a commutative subring of this ring of matrices, we can find a suitable exceptional set with this relaxed commutative property of size 2 to the m. Most of our work looks at this scenario since if we were to emulate the arithmetic of this matrix ring using prior work, that would basically require using a Galois ring element for each entry of the matrix ring, even though this can be amortized using some prior works. Now that we have our signature in scheme, let's see how the online phase of our protocols looks like. Linear operations will be local according to the modulo structure inherited by the choice of the set of evaluation points. If these are contained in the center of the ring, we have a bi-module and everything works as overfined fields. If the evaluation points just commute with each other, we have a left module which we denote with these straight brackets if interpolation is according to evaluation on the right and we have a right module which we denote with angle brackets if we interpolate according to evaluation on the left. As usual, multiplication will be more complicated and we will use some preprocessed randomness for that. Let's review some standard protocols for multiplying secret shared values x and y. The first one uses double shares which are sharing of the same random value r using a degree t and a degree 2t polynomial. Due to the multiplicative property, parties can locally compute a degree 2t sharing of x times y from their degree t shares of x and y. Using the degree 2t sharing of r as a mask, they can reconstruct x times y plus r and from that, they obtain a degree t sharing of x times y using the remaining share. This approach will fail unless the evaluation points are contained in the center of the ring since that is needed for polynomial evaluation to be a ring homomorphism when we are in an uncommediated ring. The second approach uses Viver triples for which we do not rely on the multiplicative property of the secret sharing scheme. Nevertheless, this approach also fails if the evaluation points are not in the center in the ring since that is the only way we can have a by-module. Finally, the first working solution in this challenging setting will be to enhance Viver triples with additional correlated randomness. The first step looks as in the classic procedure, but in order to overcome the lack of a by-module structure, we will need an intermediate step as shown on the slide. The issue with this approach is that it doubles the round complexity of the online phase. Nevertheless, in the paper, we show how to go back to the usual round complexity by employing some function-dependent preprocessing, so I invite you to check that out on eClient. I will conclude this talk by showing how to produce the preprocessing material for the case when the evaluation points are not contained in the center of the ring. I will show two different protocols. The first one is black box on the choice of the ring and the second one will be more practical and restricted to the case of matrix rings. The black box preprocessing is based on representing elements of the ring R as elements of the group of three times three invertible matrices over R. Namely, an element A in R will be represented by the identity matrix, where the top right entry is replaced by A. The sum of two elements can be computed by multiplying the representing matrices and multiplication is also possible using some specific public matrices J1 up to J5. Since the formulas representing over R, the generation of sextuples, have fixed size and since we have reduced this to a problem of secure computation over non-abillion groups using the work by Benoar and Cliff, we can apply existing MPC protocols in this setting. The work by Cohen and Errol is a solution here, but unfortunately their efficiency is merely polynomial in the number of parties. Let's now turn to our more efficient non-black box preprocessing for the ring of M times M matrices over the integers modulo 2k. Remember that here we have secret sharing schemes which are not multiplicative and they are either left or right modules as long as the matrix size is logarithmic in the number of parties. We need to produce sextuples as shown in the slide, which we will simplify in the three following steps. First of all, assume that we can generate this even bigger amount of correlated randomness which lacks the straight bracket sharing of a times b and additionally shares entry by entry these matrices a, b, and s, which we denote with the double brackets and the gr subscript. By leveraging the multiplicative properties of Shamir's scheme over the Galois ring, we can compute the value a times b plus s reconstructed and using the straight bracket sharing of s, we cover a straight bracket sharing of a times b. This is a simplification of what we actually do since we encode matrix entries into Galois ring elements more efficiently using previous work from Asia-Crypt last year, but let's stick with this. In order to generate the correlated values from step one, we use hyperinvertible matrices which are extremely powerful when the correlations that we want to produce are linearly correlated. The important question here is over which structure are these values linearly correlated? In this case, that's the integers modulo 2 to the k. So we can look at the secret sharing with the straight brackets, angle brackets, or double brackets as set to k modules. The problem is that we do not have hyperinvertible matrices in this ring, so we have to move to an extension in order to find them and this was a similar issue in in the previous works. So what we will do, reasoning about pencil products, is producing finally these values for step one and this is a bit too fast to grasp and also leaving a lot of details aside, but hopefully this gives you a general idea of how this preprocessing works and you can check this more carefully in our paper. That's all for this talk. I would like to thank you for your attention and invite you to check the full version of our paper on Eprint as well as a small thread on Twitter where I have added an additional slide where I tell more details about efficiency if you prefer to check that rather than the Eprint paper. Thanks a lot and have a good day.