 So, my name is Manoj Prabhakaran, I am a faculty member in the computer science department here. All right. So, today we have three lectures, you know one right now and then two in the afternoon. So, the first lecture is on just introducing MPC, whether we call you know even though the phrase is secure multiparty computation for whatever reason we just abbreviated as MPC, maybe when they started it they want to promise that it will be secure, but I think it is secure enough, we could have called it secure. Okay. So, here is a kind of story of MPC, so there is this company out there doing auctions for you and you know do you want to trust a company with all your private information when you are doing auction, can we do an auction without trusting a central centralized auction there. So, there are a bunch of parties, they all have some money with them, there is a seller who wants to sell some, so they all have money and they have some utilities right, so this is how much they are willing to bid for the for the whatever is being sold. So, the way you know the way it would naturally work or work in ebay is that the seller or the or the bidders will place their bets with the auctioneer, auctioneer looks at who has a maximum bid and what are there may be some conditions that the seller has set and then choose a winner according to all the criteria and then let the winner know, with the problem here is that if you do not trust the centralized authority there are a couple of problems. So, you know you want to make sure that the declared bid that the declared winner is actually correctly computed, you do not want the want ebay to you know reduce prices or something I do not know why they would do that, but you know you do not want you do not want to trust this party to do the right thing, you want to some high and forth set if you could and secondly even more a pressing problem or delicate problem may be is that you are giving all these bidding information to this central authority they learn a lot about your preferences your you know may be how much you make whatever do you want to do that. So, question is could you do all this stuff you want to get a guarantee that the auction is correct correctly computed, you want to make sure that nobody learns about your bid unless of course, you win and you know you need to do the transaction. So, except you know announcing the winner and the winning bid those who lost the auction their bids need not be revealed to anyone right all you need to know is that they lost the auction. So, that is that is one kind of motivating question here is another. So, let me put out a couple of questions and then we will get to the answers. So, think of an instance where a lot of hospitals are you know they have a lot of patient data these are you know in various countries protected by law privacy laws they are not allowed to just share the patient records with other hospitals ok. On the other hand they would like to pull all their data and do data mining on it there is valuable medical information you can get by looking at you know data from not just one hospital, but from you know all the hospitals across the country across the world ok. So, this is what you would like to do you would like to you know all these parties to kind of in some sense come together compute on their collective data. However, the data is distributed among these parties and it is private to each of them. So, who will do this who will run this data mining tool where will it be run you need to it seems trust someone some central authority to collect all the data run the data mining correctly on it and not announce I mean not leak any private information right to each other or to outsiders. So, this is a general problem both of these are instance of a general problem called secure function evaluation where you know to abstract it out there are bunch of parties with their private inputs x 1 to x n there is some publicly known function f which they want to compute on their inputs and let us say all of them need want to find out this output of this function ok. So, you want to compute a function f on private inputs without revealing information without revealing any information about their private inputs of course, they do want to learn the output. So, they do not want to reveal anything beyond what is revealed by the output itself. So, the output of the function might already reveal some you know sensitive information about parties inputs. So, you have to design your function you know to make sure there is no such problem if you worry about that, but beyond that you do not want to reveal anything right when you are out there to compute f. So, of course, you will get the output of f you do not want to reveal anything beyond that. So, these. So, secure function evaluation is a general class of problems that you know secure multiparty computation will deal with there is a little more beyond secure function evaluation. So, let me put out another example. So, you want to play poker some card game you know bunch of players and they are online. So, there is no physical cards they are not sitting around the table. So, how do you do it? If you have a central trusted dealer out there they could deal you the cards you know. So, what is what should a dealer do? So, dealer need now what do you use a dealer for? They use I mean they guarantee you that the cards are shuffle you know honestly uniformly randomly and then they are dealt correctly you know same card is not dealt to two players for instance. And there should be complete secrecy you know this player should not learn the hand dealt to this player right and that will defeat the purpose of the game. Not just that you know it is there is even there are even more demanding requirements. So, say two players collude with each other. We do not want them to exchange their cards you cannot you know if they collude of course you know they might collude outside through outside channels and they might reveal each other's cards to you know one another. But at least they should not be able to exchange their cards right. So, you do not want that kind of cheating even if multiple players collude. So, all this you know is trivial to do if you had a central dealer they will make sure when you play a card that you are playing from a card from the from the set of cards that you were dealt ok. The problem is can you do it without a central dealer. So, do you see the problem so far you know you know any questions on you know. So, it seems like a I am asking for something totally impossible right. You do want somebody to look over all the data at once make sure that you know no card is dealt in multiple hands and things like you are dealt a hand nobody knows what your hand is. When you play a card everyone should be guaranteed that you are playing one of the cards that you are dealt. But you know they did not know what that card was right. So, it seems like almost impossible if there is no trusted central party to look over the whole thing how do you ensure this correctness you know in the phase of all these privacy requirements. There is no privacy requirement everything is fine right and everybody knows everybody else's cards you can ensure correctness. But the problem is there is a privacy requirement in this kind of setting and there is no central party to take care of all the all the computation. So, that is the very ambitious goal of secure multi-party computation you know. So, without having a central trusted party you would like to do all these fancy things you know some distributed data mining auctions and so forth games on you know over the internet things like electronic voting you know nobody wants a vote to be revealed, but you want to make sure the vote is correctly tabulated and you get the sum and the sum of votes each candidate received right. So, you know those kind of settings are more abstractly secure function evaluation. In fact, this is very ambitious goal of doing any task any task for which you would have used a trusted party. Of course, you want to do it without using this trusted party. So, that is a problem of secure multi-party computation. So, I will pause for a second and take questions because you know this is all that we are going to do in the next three days. So, any questions on what MPC is or it is all I think it is all very clear hopefully because it is very simple idea, but you know if we add any confusion. So, what we are doing is you know emulating trusted computation and I want to point out this is you know when people hear about cryptography your notion of cryptography is not this I mean you are maybe not here, but you know the general computer science crowd you think of cryptography as something that is used to enforce secure communication. So, it is encrypted it is authenticated and so there we are emulating a trusted communication channel trusted in the sense nobody can look inside and if I got a message from here I know you are the you know the person who sent it is at the other end of the line right other end of the channel. So, that is what traditionally cryptography has been used for that is still the probably the only serious application of cryptography in real life you know when you use HTTPS or whatever this is all that is doing it is ensuring it is setting up trusted channels. Sometimes the channels can be a little more abstract may not be an actual wire on a network in the sense that I might write something on a hard disk come back five days later decrypted things like that. So, it but it is still some sort of a channel over time or space all it is trying to do is securing that you know the message the communication whereas, NPC I should just call it MPC you know secure MPC is redundant I guess MPC expands to secure multiparty competition. So, MPC is actually doing something instead of emulating a trusted channel it is emulating a trusted computer or a trusted center of computation. So, it is conceptually like a big leap from point of just communicating information as it is to computing on information and what do I mean by trusted a couple of things and I will expand this you know couple of times again. So, one is that it will not leak one party's information to others unless of course, the output of some computation has to reveal it and say only it will not cheat in the computation. So, this is what you are looking for in a trusted source of computation it is a little more delicate than that you know once you get to trying to define it you know what is the correct computation is not easy to define. So, we will get to that in a bit. So, one way to think about MPC is as this remarkable tool that will help mutually distrusting parties to collaborate. Secure communication in a you distrusted the outside world, but the two end points of the communication trusted each other in the sense that if one of them were corrupt and leaking information anyway there is no point in you know keeping the information secret I am sending you information because I trust it in some sense. Of course, I want to make sure that what MSA is coming to you coming to me is from my trusted peer, but you know the two parties there are two parties are trusting each other and then there is an outside world who is corrupt, but with MPC people do not trust each other right the poker players they do not trust each other the bidders in the auction they do not trust each other and you want to collaborate you want to work together. So, having a trusted globally trusted party would have enabled it in the absence of that MPC can do it for you. So, MPC will enable mutually distrusting parties to collaborate without anyone trusting anyone else essentially that is at least a theoretical goal. So, before I get to some more kind of details you know some of you have heard about MPC I have been working on it, but for others if you are kind of new to or if you are just a computer scientist you know or you are just doing your B taken computer science you may not even have heard of MPC and you would wonder is this for real everyone has heard of encryption because we use encryption does this thing you know exists. So, the point is we are getting there we are getting to a point where people are starting to use MPC in their you know in the real life. So, there are two as a starting point there are at least some there are soft there is software you can download today run it and will do some sort of MPC for you. So, there are many implementations and platforms this is just a name of the names of a few of them you know the fair play was one of the older ones, but you know. So, the security of these things improve over time in the sense that even though when the first of these implementations came out fair play in I know 2005 or 6 we already knew enough of the theory, but the implementation was for something much less secure in some sense, but over time you know people have started implementing things which are kind of meeting the state of the art in theory in terms of the security guarantees of course, there is a whole lot long way to go things are not secure enough things are not fast enough as they could be. So, there is still a lot of implementation to go, but in it is not just that there are there are software people wrote people actually tried using these things also. So, there are many practical systems which use some form of MPC you know one of these software is probably in particular there is a Danish company Partica by involving many theoretical cryptographers Ivan Damgard for one who actually had good success at least for starters in real life deployments. So, they have done some information from their website I trust them they have deployed MPC in sugar beet auctions. So, it is an auction right electricity auction spectrum auction it is kind of thing you know they have had big scams about you know big news about scams and some applications in key management where it would be good to have a trusted party you know coordinating a bunch of parties who do not trust each other. So, these are all you know multimillion maybe hundreds of thousands or maybe even millions of euros worth of business using MPC you know running on top of MPC. So, it is like real serious business then there are other kind of potential business which have not yet been really deployed as well as I can tell. So, there is a prototype for secure credit rating you know credit rating is a very kind of invasive you know in terms of privacy a very invasive procedure they need to know your you know what all you bought and everything right or what are you doing with your money. So, if you could do it kind of securely without revealing all your information to the rating agencies that will be very great. So, there is a proposal prototype for credit rating. So, it was supported by Danish banks outside of Denmark also people have done things. So, there is some proposal to do the Estonian Tax and Customs Board you know proposal to the to the board for doing their you know various procedures using MPC. So, that it will be all private. Another kind of example application people have tried. So, when I said tried what they have done is in these cases they actually implemented run it and you know looked at how fast it is for the actual amount of data that will be needed in these real life scenarios and you know they kind of look good ok. Maybe not out of there, but kind of good. So, this kind of proposal is you know different countries have their satellites spy satellites and whatever out in this space and not everyone knows about everyone else's satellites. You know that is if you are doing a spy satellite you do not want others to know about your satellite, but satellites are expensive and you do not want two satellites to come and collide with each other. So, you want to try and avoid collisions you want to see where the satellites are going. So, you need to look you know somehow you do need to know where the other satellites are ok. So, MPC would be a good fit people want to collaborate to make sure they are not colliding with each other, but they do not want to reveal the exact location of their satellites ok. So, they just want to know this one function of their private data ok. So, yes it is you know getting there it is something that would be real sooner or later ok. So, just you know that is where kind of we are now in 2017 just to flash one slide of maybe the very beginnings of MPC. This was a technical report I mean this one was published later the technical report was in 1978 by Shamir Rivest and Adelman and they asked this question you want to play mental poker you know one of our examples that we showed can two potentially dishonest players play a fair game of poker without using any cards. For example, over the phone this paper provides a following answer and I guess they wanted to be cute, but also kind of there is a paradox in MPC which this brings out. So, they give two answers first one is no rigorous mathematical proof supplied yes correct and complete protocol given of course you know the statement a little over statement now in hindsight maybe, but this is this is you know this is the spirit there is a spirit right that we can do something which is essentially impossible or in some sense you know you know impossible and still using cryptography we can actually do it if you define your goals the right way ok. So, what I am going to do for the next hour or so first of all you know kind of define or try to define security I would not do it in full flesh detail, but just enough to give you a sense of you know there is some concrete definition for security and the other thing is you know this magical impossible thing how can one do it right. So, I will try to give you a kind of warm up protocol it is not secure enough you know it is secure against a very weak kind of attacks, but still it is very crucial it is already something that is. So, I will do this very important protocol which I will call basic GMW GMW stands for the initials of the authors Goldreich, Mikali and Wigderson they had a paper in 87 and you know there is an adaptation of that thing or part of that they have their protocol which gets much higher security, but this is a very crucial component. So, we will talk about that it is very simple. So, you know good enough for a simple enough for a first first lecture on MPC. I will try to get you through that that is kind of going to be the main goal and in between I might allude to areas issues some of it will be covered in subsequent lectures in the school. So, what does it mean to be secure to begin with I will put out a kind of an important distinction or terminology. So, two things. So, we are talking about protocols right part is talking to each other. So, the protocol is basically the instructions to be honest players if you know if you are if you were an honest player who wants to be secure you are required to follow this. If you deviate from this there are no more security guarantees for you. So, the instructions tell you having seen so much stuff so far and your input what is the next thing you are supposed to do what is the next message you are supposed to send. So, parties are exchanging messages they have their local inputs possibly local randomness. So, they flip a bunch of coins or random bits and then at the end they produce some output or in the middle they produce an output if that is a kind of task. So, that is all part of this next message function for each party and that is a protocol. So, protocol is just gives this instructions a program as to what each party should do. The other crucial component or concept is a functionality. So, this is what we are trying to achieve. This is not the protocol it is not that we want to run the protocol the specific in all the cryptography and then our goal is to just be able to run an auction say. So, that is a functionality. So, the task we are trying to achieve how do you formally mathematically specify it again it is specified as a program, but now it is a program of this virtual imaginary trusted party right this guy. So, if there were a trusted party this is what that trusted party would have done for you. So, that is a functionality that is a very neat way to define what you are trying to achieve not in terms of you know how much money you will make or any such guarantees which are in some sense or if you are designing an auction there are various you know other goals you are interested in we do not as cryptographers want to get into that. We say figure all that out assume you had a trusted party would you know figure out what this trusted party need to do. So, you are all that out and now just tell me the program of the trusted party I will implement using a protocol you know using cryptography. So, that is that those are the two notions functionalities as imaginary the program of this imaginary trusted party and protocol is actually what the real party should do to get the effect of having this imaginary trusted party. Just a few kind of high level security issues. So, I said as I said repeat this a couple of times through the lecture. So, one issue that you know is that the protocol a protocol which you know you are designed may leak some party secret that is clearly a problem right if you are you know there is something that the trusted party would not have done if I send a message it would not just reveal it to everyone else. So, this is clearly an issue and this is an issue even if everybody said you know we are going to follow the protocol we are not deviating from the protocol, but if the protocol itself says you know send my input to another party the protocol is leaking information right. So, this kind of problem is really and it is a problem even against what I call honest bit curious adversaries and honest bit curious player or an adversary would follow the protocol exactly, but whatever the protocol leaks it is listening in and it will you know whatever comes to it it will try to gather all the information from it right. So, a curious party will learn things it ideally shouldn't have. Another curious another important point here from an application point of view actually a lot of people are honest, but curious and if they could help it they wouldn't even be curious in the following sense. So, if you are a hospital collaborating with some other hospital and if they send you their patient records then suddenly you have a big liability you are holding on to this you know all this information that was somebody else's privacy headache. Now, it has become your headache also you know you will be subject to the same privacy loss you know if they are from another country for instance or same auditing requirements. So, on the other hand if you are just a service provider who never gets patient data you are happy you know nobody is auditing you and so forth. Now, the whole you know picture will change if somebody is going to send their private data to you right. So, often getting a getting private data is not in your interest at least as honest part is you usually don't want this. So, you know if you so this is something you certainly want from your protocol it shouldn't leak party secrets to each other, secret inputs to each other unless it is required by the functionality. The second thing which is a little more subtle is it shouldn't give the adversary any illegitimate advantage, illegitimate influence on the outcome. So, what do I mean by illegitimate influence on the outcome? Say in poker when you are dealing the cards you don't want the adversary to somehow bias this distribution you don't want them to always get I don't know ace of spades or something right. So, you don't want the adversary to be able to influence outcome in any other way other than what they could have done in the done with the trusted party itself. For instance if in an auction of course, you are free to choose your bid right you can choose your bid based on how much money you have. So, that will be legitimate, but what will not be legitimate is if you could choose your bid in such a way that just beats everyone else's bid that is not legitimate because you don't know everyone else's bid right you are not supposed to know everyone else's bid. So, you shouldn't be able to just say it is 1 rupees more than you know the maximum among the other bids. So, that will be illegitimate influence. So, as you probably can see it is already a little subtle right how do you say enough that it is free to choose you know or a corrupt player is free to choose his or her input, but it shouldn't be in a way that is not permitted in a if you are actually talking to a trusted third party. So, to you know most cleanly define this kind of subtle security issues what we do is what I have been kind of informally doing throughout we always keep comparing with this ideal world where we have a trusted party. So, it is real ideal paradigm and we are running the protocol, but what if we had a trusted party you know would they have created the same problem that is always what we are kind of going to compare with. So, the two words the ideal world is when you have a trusted third party if it is a two party setting or trusted you know trusted part common trusted party to whom these the other players are interacting with whom the other players are interacting. So, they just send their input you know if it is auctioneer he or she does a computation gives you the answer that that is the ideal world they do not learn anything more. So, they are free to choose. So, Bob is free to choose his bit, but he should do it without knowing what exactly Alice said he might have some prior information about what Alice might send he can base it on that that is legitimate you know whatever he can do here is legitimate. And we want to make sure when they talk to each other using the protocol they do not get any more advantage than that. So, here also it is legitimate for Bob to use his prior information about Alice and you know choose his bit. So, that is what we want to capture it is a little tricky right and how do you capture all this prior information. So, we will get back to it in a in a maybe even in one or two slides, but intuitively this is going to be our security guarantee. We will call our protocol a secure implementation of the functionality if whatever could go wrong in the protocol could have anyway gone wrong here. So, what could have gone wrong here maybe because Bob knew something about Alice's preferences. So, he you know made his bid exactly 1 rupees more than Alice's. So, that is something in some sense you know went bad, but hey that could have happened in the ideal world that is not our problem. It is a problem with you know who is designing the auction or it is a problem in the world out there that Bob has some prior information about Alice, but it is not the protocol's problem right. So, we will say whatever bad thing could happen in this world if it already happened in this world then it is not the protocol's problem should consider the protocol secure. Protocol is not secure if something could new could go wrong here that could not have gone wrong there. So, this kind of is a relative security guarantee we are trying to give rather than an absolute guarantee that you know hey Bob will not be able to win the auction or we cannot give such an absolute guarantee what we will give is a whatever Bob could do there he could have done here similarly for Alice. So, whatever an adversarial party even by deviating from the protocol could have done here a party here could have done the same that party could have done the same. So, if and if that is the case you cannot blame the protocol for anything that goes wrong is undesirable. So, before I actually formally define that. So, this is still a kind of an intuitive level because you know what does it mean whatever can go wrong here what does it mean to go wrong right I will get to that in a second, but let me you know mention a couple of prominent threat models or adversarial models we use. So, an adversary we think of in this whole theory of MPC most standard way to do it is we think of it as a one centralized adversary who is controlling all the corrupt players. So, the moment you deviate from your protocol you are joining this you know big adversarial body out there and no more security guarantees will be given to you against the adversary. So, all your private information is now known to the adversary all your actions could be controlled by the adversary if it is you know if the the adversary. So, it uses. So, that is the kind of guarantee you know model of an adversary it is a centralized single adversary and it can corrupt any set of players and then it kind of gets control over all of them and sees all their information. And that is if an adversary in the real world is going to corrupt say Bob we want to say whatever it could have done in the real world by corrupting Bob it could have done in the ideal world also by corrupting Bob right not by corrupting Alice. So, in the ideal world also we want to say it is only that party who is corrupt it is only that party whose guarantees we are you know giving up right. So, all the information the corrupt party all the private information of the corrupt party even the ideal world we will say is available to the adversary. So, the ideal world adversary will corrupt the same set of players. There is a I will just mention it quickly there is a more sophisticated notion that the adversary may not ahead of time decide oh I am corrupting these guys and then we can talk about over the set of players the adversary corrupted right. Things could be a little more subtle the adversary could you know as the game is going on go bribe somebody and corrupt them right. So, they could start corrupting players dynamically in the middle of the protocol and you know we do consider that it is called an adaptive adversary, but in this tutorial we will just stick to the static adversaries where ahead of time the adversary decides there is a set of players I am going to corrupt and then in the ideal world we will say oh we will corrupt the same set of players. One important distinction between two classes of adversarial behavior is the following passive adversary and active adversary. A passive adversary does not change and it does not deviate from the protocol's instruction it will run the protocol you know this next message function honestly. But, so you could imagine it as you are running your program correctly, but you have some malware in your computer looking over everything happening there right all the what a cryptographic randomness keys anything you have all the messages coming to you all the messages you are sending out everything is known to this malware. But, it cannot touch your computation your computation your program is running correctly they just have read access to your head. So, that is a passive adversary as opposed to an active adversary who you know if you are corrupt they just change your program they can arbitrarily you know change how you behave this could be just a bug there may not be anything malicious, but we will still call it in a call a party with a bug in the implementation for instance an act a party that is corrupted by an active adversary. So, that is an important distinction a passive adversary when you are protecting against passive adversary we are mostly protecting against this information being leaked the first kind of problem that I mentioned, but against an active adversary you do need to worry about you know adversary getting undue influence on the output okay that too okay. So, coming back to the question of how to formally define security I would not write too many you know equations or anything, but it is in terms of these processes right the real and ideal word processes. So, let me tell you what the abstraction is. So, this is my ideal word now there is another new entity. So, let us see what it so that is an algorithm that is Bob I call them interface you know I have to fit it in that icon there. So, the interface is basically just if you are doing an auction it is a dummy program right takes an input saying I want to bid for this much send its bid to the central party and then the central party gives you an answer you know saying that you want the auction or you lost the auction just output that to your local environment local environment could be your local operating system some other higher level program you are running which is calling this functionality right. So, this is just the door to the functionality this is just your local you know kind of function call you will make which is supposed to talk to the functionality the trusted party and get get the result of whatever the auction is okay. So, it takes an input from the environment gives an output to its environment and this environment is a very nebulous thing it has you know some parts of the environment are Alice's computer some part of the environment are Bob's computer they are doing various other things with each other you know other protocols are running you know there are no idea what it could be right. So, we are trying to keep that abstract okay and then I have this strange guy there I will get to get to that in a second, but let us go and look at our real world. So, now Alice and Bob actually have programs running the next message function right. So, that is the protocol. So, they have the protocol I put this guy there it is supposed to be the adversary okay. So, first of all it might be able to eavesdrop on their communication unless you protect the communication using some cryptography already, but more kind of devastatingly it can corrupt a player I do not know if you can see the red thing there it can just say oh I am going to corrupt Bob okay and now Bob is completely under the control of this adversary now if it is an active adversary or if it is passive the adversary can see everything coming into Bob the message is there the input output here everything it can see and the internal state of that protocol at Bob's side. To define security we will say okay we will consider an adversary in the ideal world who can corrupt exactly the same set of parties in this case Bob. So, in this ideal world Bob is already kind of you know the adversary is mercy right the adversary can see everything Bob gets that is all we are trying to give us guarantee the guarantees are going to be mainly for Alice right. And this adversary as well as this adversary they are arbitrarily interacting with the environment we do not want to prescribe you know what information about the environment the adversary might have and what kind of influence the adversary might have on the environment okay the adversary might even been able to influence the inputs going into the parties might even know some of it okay. So, there is an arbitrary interaction between the adversary and the environment. So, this is the real world that is the ideal world now you want to say whatever could go wrong here could have gone wrong there. So, the way we say that is we will say so this is the definition as my just technical math I will write here for every adversarial strategy in the real world. So, for every adversary in the real world there exists some adversarial strategy in the ideal world okay such that I want to say whatever could have happened here could have happened there right. So, such that for in any environment okay whatever this environment sees which you could think of as the output of the environment okay whatever this environment sees is exactly what it would have seen there also okay. How do I say it is exactly the same it is not like in the environment we will see a particular message or you know particular set of messages it is a it is a random process. So, there is some distribution over what the environment could see with some probability you will see this with some probability you will see that it should be exactly the same distribution here not there okay. So, if in this environment Bob manages to withdraw cash from Alice's account in this environment with some probability and by guessing a password maybe whatever in this environment Bob should be able to withdraw cash from Alice's account with the same probability all that account and cash and everything is happening in the environment okay guessing passwords whatever even choosing passwords and setting whatever it is you know it is happening in the environment. There is one and I said these two distributions should be identically distributed they do not have to be identically distributed they should be very close to each other okay then there is a way to formalize that I will not get into that now okay. Any questions on this definition because this is you know simple as it looks the more you look into it kind of more you appreciate it more you learn about it. So, it is kind of a deep concept but you know by now we take it for granted in cryptography, but it was not at all evident in the 80s when people tried to defense a multi-party computation when Shamir Revest and Edelman had that mental poker. There's no idea of how to define you know there's no such concept of defining security by comparing real and so it's a very non-trivial concept but at some level it's also very simple it's very intuitive whatever could go wrong here by an adversarial strategy you know that an adversary could have affected in this environment it could have affected in this environment and maybe I should repeat this again so if it could do that here then it is not my protocol's problem right so that is the main security that's where the why it's intuitively definition of security that you know if something goes wrong here if it could have already gone wrong here it's a problem with your functionality or it's a problem with your environment don't blame it on my protocol okay yeah no it's okay good question the environment is the same there is no ideal environment what is ideal is a protocol here it's a protocol here it is this interaction with the functionality that's what has become ideal the environment stays the same if it was a bad environment here it's a bad environment there okay so does that make sense so that's why that's exactly the point that if something would have gone wrong here because of the environment then it'll go wrong here also because of the environment I'm using the same environment okay so for every adversary there exists an ideal world adversary such that in any environment it's the same environment I'm considering the two actions will have the same effect okay yeah it's an arbitrary computation it's an interactive computation and in standard models we'll call it a probabilistic polynomial time computation okay and it's a it interacts with these parties adversary yes yes so we have we allow it to interact with the adversaries because we don't want to make any assumption on what kind of adversarial influence could be on this environment and one important point is it interacts with the adversary even as the protocol is going on okay so the adversarial live report things to the environment or take instructions from the environment okay so environment models all the other things that parties could be doing parties as in if you think of parties as Alice and Bob this icon here is not the entire party it is not your computer it just is one program for the protocol okay so you say auction it's only this program for running the auction but this protocol gets this program gets its input like what is a bid you want to place and you know what happened at the end of this the program should tell you right so this input and output to the protocol is coming from an outside environment which includes your computer which includes you because you might look at this object and decide I want to bid for 100 rupees on it right so you have all that modeled inside this environment okay so it in some sense it includes human beings also in this environment right all the interaction and the interaction that could be arbitrarily going on between in some sense the two end points of this environment that your computer and the other guy's computer and all that is in this environment okay it's but at the end of the day it's an abstract computation it takes inputs it gives outputs of course there are you know if you're human beings involved it may be hard to model it as a simple computation but for our purpose it's some efficient computational procedure okay and think of it as a Turing machine for all practical purposes that's what it makes sense any other questions on the definition it's it's an entity as you know first class as other things in this model so I wouldn't call it an oracle as an it is in some sense the experiment itself okay this is the main component in the experiment in some sense and then you plug in either an idealized protocol with the trusted party or the real protocol into this experiment and you observe the outcome of the experiment and you want to say the two outcomes are same okay any other questions yes yes so the it's a distribution so that's why I said distributed identically and doesn't have to be identical it could be what we call statistically close okay there could be a small error how do you formalize small I won't get into that there you know we can do that so yeah it doesn't have to be identical so this definition came about only in 2001 okay even though MPC you know Rewash Shamir Rewash settlement and you know earlier works constructions like yowls garbled circuit and so forth came early in this you know late 70s and early 80s we didn't have you know this kind of a strong full-fledged definition until you know 16 years back so it's called universally composable it handles some issues like what happens if you run multiple protocols this does model that right the other protocols could be going on in the environment so that's the composition part which Muthu will mention or talk about in his talk tomorrow tomorrow no this adversary need not be passive I don't know if you can see I have put a big red blob around Bob also which means Bob is completely under the influence of this guy if I model a passive adversary then yes both protocol is running without being changed if I consider an active adversary both protocol has been completely replaced by this guy okay so yeah both models are equally valid in fact that's exactly what I want to talk about the in the next within that framework you can consider different security models or different levels of security so the classical notions of security from the 80s so it's not like in the 80s when people have protocols there in their definitions their definitions but if you now revisit them in the from the point of view of the previous slide you could think of those definitions as what we call standalone security where the environment is not interacting with the players the corrupt players in particular the honest players don't have any reason to interact with the environment once the protocol starts before the protocol ends right during the protocol they are just running the protocol they are not giving inputs and outputs the environment but an adversary might be right standalone security means the adversary is not doing so it's like Alice and Bob and all this part is got into a room and they are doing this computation without being able to talk to the rest of the world right or another execution in you know the in these computers so that's a that's unrealistic but that's still a very very strong security requirement you know so that is that is the classical security definition so it's like the environment is not it provides inputs then it stops all communication until outputs are ready and then it reads outputs and also anything that the adversary has to say at that point another model which actually makes a lot of sense and practice at least if you're considering a lot of parties a large number of parties something like an election or maybe a large-scale auction is what's called the honest majority model okay so in the honest majority model there are large numbers of parties and it's only a small minority you know some fraction who has become corrupt majority maybe not just half maybe a big majority like you know two-thirds or more we could assume maybe are honest okay and if we could do that we can get much stronger security guarantees much more efficiency you know but of course security guarantees conditioned on the assumption the condition the fact that your assumption is correct so that's called the honest majority model and we'll have you know you'll see a lot of things in this model during the rest of the school so the adversary can corrupt only a small minority of parties one thing I want to point out it's not a useful kind of model if you're talking about a two-party setting there are only two parties and a strict minority means zero parties right because if it's even one party then it's not a strict minority so in the two-party setting when one party could be corrupt honest majority security the model doesn't apply and of course if both parties are going to be honest if you could be guaranteed that both parties will be honest there is no need for all this MPC so it's not something I'll apply for two parties that may not be a safe thing when there are only a few parties but when there's a large number of parties it may be a model you could work with the other distinction this one I already mentioned passive versus active so passive adversary also honest bit curious yeah where the corrupt part is just follow the protocol earlier you know even now sometimes we have security definitions which are specific to a particular functionality okay may not be something like auction but you know some simple functionalities which you know so Muthu will talk about Zurnouch proofs today Arpita will talk about oblivious transfer and for many of these kind of specific tasks sometimes it's useful to have non-simulation based definitions they're much harder to work with they're more subtle they do leave out subtle attacks that are possible so there's no arbitrary environment it's not like anything that could go wrong in the real world will go wrong in the ideal world it's something like these specific things you know we guarantee that they won't go wrong in the real world okay that kind of definitions they are sometimes useful I mean often useful but it's not good as a final security guarantee it's useful for intermediate tools that you use but you know sometimes people do use that another kind of security model is that suppose already you were given you know some trusted party okay if you have trusted party what's the need for the protocol you just ask them to do your functionality but what if this trusted party did some very simple thing and nothing else for instance all they did was toss you know independent coins and tell you this is like some you know astronomical phenomenon which is spitting out bits which you could model as random bits you know maybe from some particular distribution or after some processing it'll be uniform distribution but you know you could so you can trust it to be doing its astronomical thing and not some adversary's bidding but you cannot ask it to do you know you know deal cards to you right secretly so you cannot get the trusted party of your choice but sometimes you can get trusted parties of some you know which do something and now can you use that trusted party which does something and build a secure protocol on that on top of that and often you can and they give you a lot of leverage so there's a lot of that's a security model you know where you are given a trusted party doing some simple functionality so and when that's the case we call that a setup okay so we'll be relying on a setup finally it's kind of my bias to a view of security definitions something called angel uc which is so uc whether it's shorthand for universally composable security from the previous slide this is a variant which is technical I won't define it or tell you what it is just want to point out that you know the full-fledged uc security you'll see in a second is impossible to achieve for most interesting functionalities there's a twist on the definition some sort of a technical modification which actually makes it possible to get security even with all this composition guarantees and so forth okay so just wanted to mention that okay so that's the security models can you achieve security is mpc possible I'm actually running quite late so let me just maybe try to speed up can we securely realize every functionality okay that's kind of basic question we would start with and the answer is unfortunately no and yes so here depends on what kind of security you're asking for so this axis is whether you allow the adversary to only corrupt a small number of players so you're an honest majority or can the adversary corrupt an arbitrary subset of parties and these two settings this is an computationally unbounded adversary okay so in cryptography we often rely on computational hardness so we model adversary as being probabilistic a polynomial probabilistic polynomial time okay ppt so the polynomial time is a putting a bound on how much computational power the adversary has lot of interesting cryptography relies on that you can do some cryptography quite a bit actually without relying on any computational assumption so so you could model a world where the adversary might be computationally unbounded so in particular if you have honest majority it doesn't matter how much power the computer the adversary has you can do every functionality okay I won't tell you how today but we'll see that on the last day Vassilis will talk about it however when the adversary can corrupt arbitrary number of parties you know you do need to rely on computational hardness but even there the answer depends on what kind of security you are looking for so here the answer is a clear no you know doesn't matter even for the weakest security definition like passive security it's no but for this world which is kind of the realistic world you know you don't want to put an arbitrary number of parties to be corrupt or you worry about two party settings so this is a realistic setting and it's okay to live here because this is what real world does if you ask for uc security unfortunately the answer comes out no irrespective of you know being in a computationally bounded world however if you slightly go down that level of security the answer becomes yes okay you can do every functionality securely so the genie you know can have any program you'll get security in any of these security definitions okay okay so in the remaining half an hour I'll try to give you a glimpse of how to do it how to get kind of magical security I will yeah let me just first I'll give you a simple example which doesn't probably give you the actual heart of the problem glimpse of the heart of the problem it's a simple example still it's it's good to know that you know some things can be done without any cryptography okay so the simple example is an auction okay I'll think of it as a two party two parties bidding but it could be any number of parties called it an auction it's a fancy word it's basically just finding a max okay and here are my here's my variant of this probe auction so bid is an integer okay and it's in a small range so it's around a hundred here and Alice can bid only even numbers and Bob can bid only odd numbers okay ultimately you could think of it as when there are ties you know Alice wins okay so Alice has one set of numbers Bob has a disjoint set of numbers and person with the higher bid wins we want to find out not just who wins but also what was their winning bid but we don't want to reveal anything else okay so I cannot send you my bid so that you can tell me if I won or not because you know that will reveal to you my bid even if I was not winning right of course it has other problems also so here is a very simple secure protocol protocol goes as far as you count down from hundred okay and at each round so round numbers go 199 98 at each round even round and Alice has to declare if the round number matches her input if it does she will raise her hand and that's the end of the protocol and if not she will pass then Bob takes his turn and you know if he also passes it comes back to Alice and so forth and back and forth until somebody raises their hand and the protocol stops okay this is actually so what do we learn in this what does somebody say for now passive adversary what does it learn it learns a winning bid right clearly that's when it stopped it also learns that the other parties bid is lower than this they didn't stop the auction but hey this what it means for it to be a winning bid so you didn't reveal anything more okay so it's clearly passively secure and in fact in it's also standalone secure i won't talk about that so it's actually a real life protocol it's called the dutch flower auction instead of round numbers you have some clocks counting down there's a you know people these are the flowers and these are the bidders and this you know is a there's a slightly stylized version of the dutch flower auction okay so that is a very simple example and it convinces you okay there are some cute things you can do without needing any cryptography you know encryption nothing okay just do it in the right order but unfortunately that can go only so far most things need more cryptography so let me tell you another functionality okay it's oblivious transfer it's about transferring one out of two things the way this is modeled here without revealing which one was trans you know which are without the sender knowing which one so let me give you a little quick story so the sender here has you know can predict stocks and there is a receiver here who'd like to know this stock values right so i'm giving you the ideal word whether that's what that's what what's oblivious transfer okay so for simplicity assume this guy has only two stocks you know whose values he is predicting and the prediction is just a bit up or down okay just every day he predicts the stock A went up stock B stock A will go up stock B will go down things like that so the receiver is interested i want to find out this thing but you know she has to pay him to find this prediction so she just wants to find one you know she is only following an A right so she says okay i just need one prediction he says okay sure tell me your which company which stock you are interested in i'll give you the prediction but she says no no i can't tell you it's my private information as to which company i am following so i can't tell you which one i'm interested in but i want just one okay so there are going to be stock this is one of those impossible things which you cannot do without cryptography against a computerly unbounded part difference okay but if you had a functionality so let's we have in the trusted third party setting we'll abbreviate oblivious transverse ot that's an abbreviation you'll see a lot in this school okay so then this guy will just send his two predictions to the central authority or the trusted party and she will send her choice whether she wants A or B to the central authority and this guy will respond with just the corresponding answer right so there are two pieces of information she could go up and pick one of them up without this guy knowing which one she picked up and without her knowing the other value so she doesn't know what B is going to be okay she will only know what A is okay so that's you know this guy has two inputs x0 x1 this she has one choice bit B and she learns x sub B so B equal to 0 she learns x0 B equal to 1 she learns x1 let me show you a quick protocol for that okay kind of a rough and you know now it's only passively secure okay so it's only when we secure against a passive adversary an active adversary can easily circumvent it and i don't want to bring in too many there are many many protocols for oblivious transfer i want to give something which looks familiar so this is in terms of an encryption but there is some public key encryption which i hope more of you are familiar with than OT than with OT and it's not a so i'll say what mean by special in a yeah you know it's not a standard public key encryption there's some special property okay so here's how the protocol goes so this party now this is a protocol gets an input x0 x1 this party gets the input B and she picks two she is going to pick two public keys for this encryption scheme so what is the public key encryption scheme there is some algorithm called key generation algorithm and you run it you get a pair of a secret key and a public key a public key is something you'll publish which anybody can use to encrypt messages but you need the secret key to decrypt okay so that's you know she'll pick up such a pair but she will also sample a public without running the ski generation algorithm she'll just go and pick a random public key and often public keys are just random bit strings so you know just pick a random bit string call it your public key so that is a that's what's special about it though you know it's not always the case that you can you know in say rsa encryption you cannot get a public key kind of without actually going you know taking two primes multiplying them and things like that but suppose you could you know do this sample a public key without having no idea of the without having any idea of the secret key that will be you know that's a special property so she picked two keys pk0 and pk1 i call them pk b and pk1 minus b if b equal to 0 this is pk0 and this is pk1 if b equal to 1 this is pk1 and this is pk0 okay so pk1 minus b the one she doesn't want is sampled so that she doesn't know the secret key so now the protocol should be not too you know it should be kind of obvious so she sends these two public keys to the sender and he will encrypt the two messages c the x0 and x1 using the respective public keys okay so though he gets to ciphatex c0 c1 which he sends to alice or the receiver she can decrypt only c b for which she has a secret key and c1 minus b remains you know see c1 minus b is completely you know looks like a ciphatex which she cannot decrypt so she doesn't know what the message inside it is on the other hand from the point of view of the sender what did he see he saw two public keys both are valid public keys you know honest public keys of course one was generated in a way where the you know sender the receiver knows the secret key the other was generated differently right but he doesn't know how they were generated he just sees two things which are coming from the same distribution so he doesn't know anything about me okay so any quick question so that's kind of only you know crypto protocol you'll see I'll have more another protocol coming up but it's in have this kind of encryption flavor okay fine okay so you know we can do we can do oblivious transfer this totally breaks down if she was actively corrupt you know why would she do that she will pick both of them using the key generation algorithm but for passive security this is good enough okay so what I'm going to show you now is a protocol for two-party secure function evaluation for any arbitrary function okay so any function in fact there are there could be two functions f and g so Alice and Bob feed x and y Alice gets g of x y Bob gets f of x y okay that is called secure function evaluation we already talked about secure function evaluation in fact you could have something more fancier something fancier where the functions are not deterministic functions they could be randomized functions so that corresponds to this central part authority picking more an additional input a randomness right so not just these parties inputs x and y but an additional input r and these two outputs g and f are computed on x y r and x I mean on x y r okay f of x y r and g of x y r and of course they should you know we don't want the parties you learn this r okay so there's a little bit of question of the system pick the randomness when you implement it as a protocol neither party should know what their randomness is we'll get to that in a second but going back to ot ot fits a deterministic secure function evaluation model where you know the g the power the sender gets nothing the output is nothing and the receiver gets x of b the inputs this is the x this is a y okay so that's a special case of secure function evaluation one kind of specialized subset of secure function evaluation problems is when only one party gets the output and ot is such a protocol such a functionality okay so simple thing first before we do the whole thing the general model the general problem I said I gave had both parties getting the output that's not so crucial even if I could do even if I figured out how to do functionalities in which only one party gets the output okay so there's only f g is absent you can easily use that to construct so suppose you had a trusted party doing for you of you know an arbitrary function in which only one party gets output then I can use that trusted party to implement a protocol in which both parties get the output okay actually since I'm short on time I'll just skip that you can do it using some very simple you know one time pad kind of approach but that's not very crucial to my point here the point is actually a single output is not very crucial either the point is any SFE you can reduce to this oblivious transfer suppose I had a party doing this simple oblivious transfer for me okay so it takes two bits from me one choice bit from the other guy and gives them that chosen input just that trusted party I'll use that trusted party many many times could be used to do any function securely okay and I'm going to only stick to passive security in this tutorial but in this lecture but it'll work for other active adversary also okay first of all why is oblivious transfer why is it got this kind of a universal power the simple thing how can you use it to do anything okay so here is a proof of concept they'll you know kind of demystified I guess it's not very efficient but oh okay actually I'm going to tell you the plan for so this is what I'm going to tell you next and this is not something I'm going to tell you there's a protocol called yours gobble circuit which I'll talk about in the afternoon which will do it this is what I'm going to really tell you this gmw protocol which uses oblivious transfer no other computational assumption so that's called the information theoretic setting the computationally unbounded setting to do any SFE function and in fact all this is for passive security but it works even for active against active adversaries okay so let me start with this proof of concept it's just one quick slide so it's a single output setting so you know only one party gets output bob gets output Alice has x bob has y bob wants f of x y so Alice doesn't know y okay but you know there are only so many possible values of y well there can be many possible values of y but it's finite set for us so she will enumerate f of x y she knows her x she enumerates f of x y for all possible values of y okay so she makes this big list and let's imagine the in a bit is a single bit output or something here so she will make this big list of n capital n which is 2 to the number of bits of y right y is a you know 3 bit string then there are 8 possible values of y so she'll prepare this list of 8 possible values of f of x y one for each possible value of y and then they will engage in an oblivious transfer slightly different from the oblivious transfer I showed you earlier and instead of being 1 out of 2 there's a 1 out of n oblivious transfer so Alice has this list bob wants to come and pick up the y-th entry right he knows which entry he wants to pick up because he knows y he has no idea what the x was but he knows that you know the y-th entry in that list was correctly computed for the correct x so he wants to go sneakily pick up f of x y the y-th entry in this list without learning any other entries because if he learns other entries and he will start learning something about x and of course you don't want Alice to know about which entry he picked up that's exactly what ot gives you so without learning anything about the other entries bob will go pick up f of x y so that's why you know ot would be useful if you can do ot of course the catch here is that is 1 out of n ot n and is n as exponentially large in the number of bits of y so for most interesting functions this will be or for many interesting functions this will be prohibitively expensive i should tell you how to do 1 out of n ot because i told you only 1 out of 2 ot but that's cc because so this is 1 out of n ot you know first party has n inputs second party has 1 input first party gets nothing i called it f so it's only what the second party gets the second party gets x i x sub i if you had 1 out of 2 ot already to get to 1 out of n ot is trivial you run n instances of 1 out of 2 ot and in each instance the 2 inputs that Alice should feed are x i and some fixed things say 0 so she feeds x i as a first input 0 as a second input in the ith instance of ot and in every instance bob you know goes in with this bi or actually calling bj yeah so in jth instance bob goes with bj bj is going to be i have it here okay so this is the these are 2 inputs that Alice gives 0 as a first input x j has her second input bob goes in with bit bj so bob doesn't want to know x i x j for i not equal to j right so for i not equal to j he will set bj to be 0 here so that he'll pick up this for i equal to j he'll set bj to be 1 so that he'll pick up x j okay so that's trivial if it's passive secure we are looking for passive security even for active security is not much harder actually I mean it's a little more subtle of course but you can do it so that's just some you know aside okay 1 out of n ot we can do that's not the problem the problem is when this n is really large okay okay so we need to somehow break down a function instead of using this kind of you know truth table representation one value for each one you know entry for each value of y so there will be exponentially many entries that's kind of too bad we need a more compact representation of functions and the compact representation of functions we'll use for most part is a digital circuit okay could be Boolean circuit could be arithmetic circuit so Boolean circuit means you know so familiar wires are bits and you have gates like and or and you know xor and so forth and each wire comes out of a unique gate but it could fan out right you cannot just put two wires together on you know you cannot tie two wires without a gate in between but you can split a wire and feed it into two gates and you evaluate this circuit bottom up so you know once you set all the inputs you can so these are the input wires then you can you know there's a topological sorted order in which you can evaluate everything until you get to the output okay so these are simple basic digital circuits no memory gates nothing here okay just you feed inputs you get output so you know if you have some small function like or the truth table I mean it's just already a single gate but even if you have something you know like x greater than y so that's the truth table where x and y are let's say two bit inputs you can build a small circuit which you know corresponds to this right in fact any function any say a Boolean function like this you can take the truth table and there's a mechanical way of writing out a circuit for that unfortunately that circuit will be pretty large okay so that doesn't really get our what we wanted but the point is it's not like we want to do any arbitrary function on you know some two domains we are interested in doing specific functions for which you already have some sort of program right like auction okay so you take that program you can convert it if the program is efficient you can write a small circuit and so you know interesting problems already come as small programs or small circuits okay so I just want to point out so I'm not trying to do every function I'm trying to do every function that has an efficient computation efficient insecure computation I want to compute you know you computed using a secure multi-party computation which is similarly efficient okay here is my protocol protocol from GMW but not quite they don't have it this way but subsequent work used it that way and it uses oblivious transfer as a trusted third party okay so that's how I'm going to describe it and no other computational assumptions and the idea is something very kind of important it uses something called secret sharing okay there are different flavors of secret sharing this is a particularly simple form of secret sharing but it's a very crucial concept I'll try to explain as we go so okay so here is what secret sharing basically suppose there is some secret okay some value yes which I want to give to two parties Alice and Bob so said neither party knows what the secret is but if they come together they can reconstruct the secret okay so here is a simple way of doing that so write the secret as sum of two field elements okay so let me be more specific think of them as all bits this thing works over arbitrary finite fields but where you can do addition and multiplication actually just groups would be fine where you can do addition but you know think of them as bits for concreteness so addition in the binary field corresponds to XOR okay the unit of the identity of addition is zero the inverse is for itself for a number so it's a you know and the multiplication is and okay so so when I say I take a secret so it's a bit and I share it what I mean is it's a randomized procedure I pick A and B randomly uniformly randomly conditioned on A XOR B being equal to my secret bit okay so basically you could think of it as I pick A uniformly at random and then set B to be S XOR A for the binary field plus and minus at both XOR okay but yeah more generally if you're working with a larger field you want to say set B to be S minus A so that A plus B equal to S so A and B each are uniformly random elements in the field but their sum they're correlated so that their sum is equal to this particular element S and whenever I do this procedure I'm going to write so this is my secret I shared it into two shares so I'll say S1 and S2 inside these boxes means you know they are the two shares generated according to this procedure so it's a random variable right I get them is from this random process okay so I'm going to now you know show how to use this on to compute a function that's given to us as a circuit the circuit has gates which you know for the Boolean circuits I'm going to use XOR and AND gates okay that's all I need it's a complete family or more generally for a fields the two gates I'm going to use a plus and product okay and of course constants and so okay I want to evaluate any function that's represented using a circuit using those gates so here's a plan I have five minutes to tell you that so consider any wire in the gate if we actually evaluated this circuit consider wire in the circuit if I actually value the circuit this wire will have some value think of that as a secret you may or may not know what that value is okay what we're going to maintain is that this value should not be known to anyone so we're going to maintain a secret sharing of that value between the two parties between Alice and Bob okay so they each will have a random say bit which XORs to this bit since they don't know the other part is bit they won't know anything about this bit other than what they could you know figure out without knowing the other part is input okay so that's a plan throughout we are going to you know we are going to evaluate this circuit like in the topological sorted manner I described wire by wire or gate by gate so each output gate you know for each gate it's output wire I need to compute the value for so I'll do it in that order and at any point for any wire I'll have the wires value secret shared okay so so you know so there's another wire V and that secret shared once I have both UNV I'm ready to evaluate this so I need some procedure so that from these shares of UNV the parties can end up with shares of W okay so W will be the value you you know the gate applied to UNV okay that's what I want to do first of all for addition gate okay when the gate is addition this is very trivial or very simple at least so you want W to be equal to U plus V we already have U1 plus U2 equal to U V1 plus V2 equal to V we are going to just define W1 as U1 plus V1 W2 as U2 plus V2 so those are two random bits XOR together these are two random bits XOR together but if you XOR W1 and W2 you'll get W it's just you'll be doing U1 plus U2 plus V1 plus V2 which is U1 plus yeah so which is U plus V2 right you'll be doing U1 plus V1 plus U2 plus V2 which is equal to U1 plus U2 plus V1 plus V2 okay so for the addition gate and it's why is this a secure thing to do they didn't even talk to each other so by doing this in a one step you didn't learn anything more than you had before that one step okay so that is nice the problem is what about multiplication okay okay for multiplication if I were to write it so I want W1 plus W2 equal to W so what is W? W is U times V U is U1 plus U2 V is V1 plus V2 okay now unfortunately if you open the brackets you'll see that you know I cannot there is no value that this guy can compute as W1 and this guy can compute as W2 just using the local values such that in W1 plus W2 looks like that in particular there are terms like U1 V2 and V1 U2 there right U1 V2 and V1 U2 and they cannot compute that right just without communicating they cannot compute that so here is where they are going to use OT so here okay let's start you know get started so they want to compute this secret sharing one thing we can do is okay we know each bit by itself has to be random that's the definition of secretion so we'll use a fresh bit fresh random bit W1 so Alice just picks her shares she doesn't need to know Bob share at this point but now somehow we have to make sure Bob picks W2 consistently and for that they will just use OT so what do I mean by that we already know you know this is a small function you know so it's a small function in which W2 if you expand that write W2 equal to something minus W1 from Alice's point of view the only unknowns there are U2 and V2 okay that's Bob's input so two bit input so there are only four possible values Bob can have we can do our naive protocol we make a list of four things Bob comes and picks up one of them okay so that's a very conceptually simple protocol you can do better than that but you know it's a one out of using one out of four OT you can do this multiplication so at the end of that they end up with W1 W2 which will be a secret share a fresh secret share of W okay any questions on that was that too quick so this is kind of the heart of that protocol okay so I said you know there's a two-party thing but actually you can do it with arbitrary number of parties so m parties always will maintain an m-way secret sharing instead of a two-way secret sharing which just means that the you know s will be a sum of random m bits uniformly random condition on their sum being s and addition is as before multiplication is you know I'm gonna slightly different description here which actually is a little more efficient than the other one so again you expand this you know all the terms you get terms of the form ui vi that's good a low party i can compute ui vi itself but you also have terms of the form ui vj and vi uj and same thing so what we'll do is ui vi party i computes to compute ui vj so what we'll do is yeah ui vj we will create compute a sharing of ui vj such that the ith party has one share party i has one share and party j has the other share okay how do we do that well this we will use an i-e algorithm it's a two-party protocol now between party i and j so party i picks a ij and let the other j party come and pick up this this actually needs only you know one one out of two ot to compute ui vj and then there's other term vj ui which again there's another ot to do and so once you have all pairs ui vj's and everybody locally can define their share wi in this way okay so it works that's all i wanted to say about this very simple protocol so you know we have been a little quick about that protocol but it's a it shows you some of the key elements right the secret sharing and why ot is useful mpc i just going to conclude with a couple of slides so you know we are not going to be able to cover everything about mpc in this tutorial because it's a whole big world out there like there are several dimensions in which you know this problem can be varied the kind of what we talked about some passive actor there are other things like covert static adapters and how many parties you can corrupt what kind of simulation is it efficient inefficient there will be you know the timing model there are a lot of complexity parameters including efficiency parameters like amount of communication how it grows with the size of input so forth but also other complexity parameters like what kind of computational complexity what kind of computational hardness are you assuming to create your protocol right so those are also parameters so and this picture is by no means complete people keep coming up with you know variations which do make sense in special cases so we are certainly not going to cover all of it we'll cover a few things so what we are going to do just to so today afternoon mutu and arpita she is on her way and she is already on campus so mutu will talk about zernolge proofs came a little bit before this dmw paper i was talking about it's just a special case of multiparty computation and there's a lot of concepts which are key to you know things like simulation came out of defining zernolge proofs so it's a key ingredient in going from passive to active security in in conceptually and arpita will talk about a particular protocol called garbill circuit yaw's garbill circuit this was the very first protocol that could do general two-party computation it was only passive secure now of course there are variants of that which are secure against active adversaries but it's very simple very efficient and still many of the implementations i showed you in the beginning are based on garbill circuits so it's a very key key primitive it has used beyond mpc you can use it because it's efficient you can use it in some sort of a fancy as some sort of a fancy encryption in some sense on which you can compute so it gets get some you know more use has some more uses tomorrow yaw arpita muttu and i will talk and yaw will talk about something called rano is encoding it's a really interesting and by now important concept in second multiparty computation something that yaw and his co-authors have been instrumental in developing it has applications beyond mpc but it has a lot of applications in mpc yaw's garbill circuit could be thought of as a special case of randomized encoding so yaw will talk about all that arpita will come back and talk about oblivious transfer so i already told you what oblivious transfer is one key component in oblivious transfer is something called ot extension as used in practice it makes things much more efficient than otherwise so she will describe all that muttu will talk about composition i mentioned universal composition but there are other various intermediate notions of composition and basically it's always the question of if you run two or more instance of the protocol same protocol different protocols will it still be secured if you know how do you define security so it'll remain secure when multiple instances run and i'll talk about something a little different from you know kind of practical applications the more theory questions step back and ask some fundamental questions of you know which functionalities are easier and which are harder in in some cryptographic sense right so it's a study of functionalities so i'll talk a little bit about that the final day vasillus will he's not here yet assuming his flight will be on time and so forth um well he's supposed to arrive on Tuesday so it should be should be there he'll talk about honest majority mpc which is you know very important part of mpc literature because then we can give very strong security guarantees and also turns out it's useful as not just as an mpc protocol but as a representation of computation some sort of a robust circuit if you will okay and you all will start from there you know of using this idea of mpc as being some sort of a robust encoding of computation so he'll talk about a cool idea called mpc in the head which is like well you'll see what it is it's a very versatile technique for creating mpc protocols a lot of the you know theoretically best protocols out there are now you know have mpc in the head in there and finally vasillus will talk about asynchronous mpc so everything we talked about till then would be in a slightly idealized model of computation of networks called asynchronous network things get kind of uglier when you have asynchronous kind of more realistic model of network and if you want to keep your efficiencies without implementing a synchronous network on top of that you need to do things differently so vasillus will talk about that okay so that's all I have I'll make a couple of any questions before I close the talk okay okay so yeah thank you that's all the talkers