 Hello everyone, so this is a teaser to my talk non-intractive secure computation of inner product from lpn and lwe This is a joint work with Mariams are as a day So non-intractive key exchange is well known in cryptography It has a very appealing interaction pattern and parties simultaneously broadcast a single message They're a public key and given these simultaneous broadcasts each pair of party can locally compute its shared key And the nice way of this interaction pattern is that it avoids n square overhead of a naive pairwise key exchange So it's a very appealing interaction pattern And so something which will be quite desirable would be to achieve a similar interaction pattern for some Secure computation functionalities key exchange is one goal, but secure computation offers us many other interesting goals So in secure computation, we will want n parties to broadcast an encoding of their input And then each pair of parties should be able to retrieve its output without any further interaction Just by computing some output function on its local states and the encoding of the other party And again, this will have the very appealing effect of avoiding the quadratic overhead of doing pairwise secure computation In this work, we will describe non-intractive secure computation for computing shares of the inner product functionality And this is very useful. It has many applications And in particular if you want to compute multi-party inner products and not just shares of the inner product You just need to broadcast a single element of the field at the end of the protocol. So it's quite efficient Non-intractive inner products have many natural applications. I'm listing a few here It includes among other things biometric authentication pattern matching and many more So to for example with biometric authentication, you could have n client and m servers. It has a fingerprint stored So all parties will first broadcast an encoding of their fingerprint And then at any time a server and a client could locally compute the hamming distance between the two fingerprints Hamming distance can be reduced to computing an inner product without further interaction And afterwards the client and the server will have shares of this hamming distance And the client will just have to broadcast a single element From which the server could reconstruct the hamming distance between the two and check whether it's below the acceptance threshold So that will lead to a very efficient multi-party authentication mechanism biometric authentication mechanism So how do we do that? I'll give more details in the talk But the key idea is that we start from alekhnovic key exchange, right? So it's a well known way to Non-intractive key exchange protocol based on the learning parity with noise assumption And we show that since computing the shared key in alekhnovic key exchange natively includes doing some local inner product, we can actually Use this homomorphic property of alekhnovic and embed some inner product computation Inside of the alekhnovic key exchange computation So by embedding in the right way some input input vector x and some input vector y Inside this alekhnovic key exchange Computing the shared key actually boils down to computing additive shares So that we see here minus k and k Of the inner product between x and y plus some noise term And the communication we show is very efficient So for standard parameters, it will be 6m where m is the length of the vectors So really a small constant factor overhead and asymptotically it becomes Very close to just sending the inputs in the clear so optimal And the computation is quasi linear using standard Variants of lpn based on quasi cyclic codes and can even be made strictly linear Using more exotic assumptions variants of lpn So this solution has some leakage because there is an error and when you use this in a multi-party setting This error translates into some leakage of information about the noise that for example the servers could obtain If you want to remove the leakage we describe two variants one based on lwe which achieves negligible errors directly at the cost of Larger communication and we also describe a very nice way to do preprocessing to remove the errors So it uses interaction, but this preprocessing is input independent and has communication sublinear in the size of the vector So it really has adds only a minimal overhead And we also describe some new zero knowledge proof to enhance the security of our protocols in the malicious setting The new zero knowledge proof might be of independent interest, but for that you will have to see the talk I'll be happy to see you online