 Hi, yeah, thank you for the introduction. My name is Sai Krishna. I'm going to talk about Promise Zero Knowledge and its applications to round optimal MPC. This is joint work with Vipul, Abhishek, Yael, Dakshita, and Amit, most of whom are here in the audience today. So let's recall the definition of secure multi-party computation that we have heard over the last two talks. So consider a set of n parties, p1 up to pn, each with their respective inputs, x1, x2 up to xn. And their goal is to run a protocol to securely compute a function f on their joint inputs. The correctness requirement states that, at the end of the protocol, all the parties learn the output of their function on all their joint inputs. And for security, we require that, suppose an adversary corrupts some subset of these parties. Let's say, for example, it corrupts the first two parties, p1 and p2. Then informally, what we want to say is that the adversary should not learn anything at all about the honest parties' inputs, apart from whatever it can deduce just from the output of the function. In this work, we will work with the following setting. We'll consider the plain model, that is, there is no trusted setup. We'll consider a malicious adversary that can corrupt up to all but one of the parties, that is, this is the dishonest majority of parties. Furthermore, we'll allow the adversary to be rushing, which means that it can wait to receive the honest parties' messages in each round before it sends its own messages in that particular round. And finally, we will require that in the security proof, our simulator can only run in polynomial time. So with this setting, let's look at the brief history of the round complexity of MPC protocols. The first was the seminal work of Go-Rack et al, which gave a feasibility result in polynomial rounds. And then, Beaver et al introduced the study of constant round MPC protocols. And this is improved over a long line of work. This is not an exhaustive list. I might have missed a few, but I was citing a few of them. What about the exact round complexity of MPC protocols in this setting? As you've seen in the previous talks, the works of Katz and Ostrowski and Garg et al showed that MPC in less than four rounds is impossible. And this brings us to the work about four round protocols. So last year, Siampi et al showed how to build two-party computation in four rounds. And then two concurrent works of Brackersky et al and Ananth et al showed how to build four round MPC protocols from sub-exponential time assumptions. So the question we would like to focus on in our work is can we build four round MPC from standard polynomial time assumptions and not rely on sub-exponential time hardness assumptions? We answer this question in the affirmative. So we build a compiler that takes any two round semi-malicious secure MPC protocol and transforms it into a four round malicious secure MPC protocol, assuming only two round oblivious transfer and dense crypto systems, okay? Note that a semi-malicious adversary is very similar to a semi-honest adversary except that it can pick bad randomness, okay? And we note that all these primitives, including the two round semi-malicious MPC can be instantiated only from DDH alone or quadratic residuosity alone or the nth residuosity assumption alone. And recently in a work by Brokersky and Dotlink subsequent to our work, it was shown that these primitives can also be instantiated only from LWV alone, okay? By plugging in these assumptions, the corollary we get is we achieve a four round MPC protocol malicious secure only from DDH or quadratic residuosity or nth residuosity or LWV and this completes the line of work on round optimal MPC protocols. Concurrent to our work, Halevi et al also achieve a four round malicious secure MPC protocol based on the same assumptions as us but also requiring an additional assumption of enhanced trapdoor permutations. You'll hear more about this talk from Antigone after me. So just to put our results in perspective, we achieve a round optimal MPC from standard assumptions. So at a high level, how does a protocol structure look? We're gonna follow the GMW paradigm, that is we will take a semi-malicious MPC protocol and put it into the third and the fourth round of our round optimal malicious secure MPC protocol and then we will require parties to prove that they behaved honestly in this underlying semi-malicious MPC. In order to prove that they behaved honestly, we require each party to give a commitment to its input and also give zero knowledge arguments that it behaved correctly. That is along with the first round of the semi-malicious MPC, the party will have to prove using a three round zero knowledge argument that it behaved correctly in this first round and then in the fourth round of the malicious secure MPC protocol, the parties will have to prove that they behaved correctly in the second round of the underlying semi-malicious MPC. Furthermore, we will require these other primitives, the commitments and the zero knowledge arguments to have a delayed input version of them, which means that the input to these protocols are known only at the time of the last round. They're not known when the protocol is about to begin and they're not getting the details of how this is implemented. But the biggest bottleneck with this high level approach is that we know that standard zero knowledge arguments with black box simulation are impossible in just three rounds. Recall that in order to prove that the first round of the semi-malicious MPC is correct, the parties will have to send a three round zero knowledge argument and so this seems problematic. At this point, I'd like to mention that a recent work by Witanski et al showed how to construct three round zero knowledge using non-black box simulation from a new assumption. However, our focus is to build round optimal MPC protocols from well-studied polynomial time assumptions. So in order to build a three round zero knowledge, we introduce a new version of zero knowledge called Promise CK and we show how to build such a primitive in three rounds and how it's sufficient to build round optimal MPC. So now let me tell you about this new primitive. First, let's recall the definition of a standard zero knowledge argument. Consider the prover and a verifier who both have access to a statement X and the goal of the prover is to convince the verifier by interaction that the statement X is indeed in some NP language. At the end of the protocol, if everything goes correctly, the verifier is convinced that the statement X is indeed in the language. And now the soundness property states that suppose we have a malicious prover, then this prover should not be able to convince the verifier about a false statement being in the language. The zero knowledge property states that an adversarial verifier should not be able to distinguish whether he's interacting with an honest prover that has access to the witness or he's interacting with a simulator that does not have access to the witness. So the adversary's view should be indistinguishable in both these executions. However, we cannot achieve this strong notion of zero knowledge in just three rounds and we're going to relax this notion of zero knowledge in our new definition of promise EK. So our new definition goes as follows. Let's say the first two rounds of protocol execution have completed between the prover and the adversarial verifier. Now recall that the adversary is rushing, which means that it waits for the prover to send his third round message before responding. And now suppose the adversary sends a third round message that is valid with some non-negligible probability, where the validity of this message is defined by the protocol to be a function of the entire transcript so far. Then the guarantee we want to enforce is that if the adversary sends such a valid message with non-negligible probability, then its view should be indistinguishable in the real and ideal worlds, okay? So to restate this a bit more formally, the zero knowledge property now holds only against all adversaries that with non-negligible probability cause the honest prover to not abort at the end of the protocol, okay? So this is a relaxation of the standard zero knowledge property. Let's stop and think again about this definition and see whether it actually does make sense. So let's consider an honest prover interacting with the malicious verifier. Let's say the first two rounds of execution have completed. Once again, the prover sends his third round message before the adversary responds. And then the adversary sends his third round message. But now notice that the adversary's view consists of the first three rounds of messages from the prover. And this view of the adversary is already determined and fixed before the adversary responds with his third round message, right? So it seems bizarre that the validity of the adversary's third round message affects whether it learns anything about the witness or not from messages it saw earlier, right? So it seems like this notion of promise ZK, though defined in a contrived way to be relaxation is not really a relaxation and it implies standards zero knowledge itself. So if you can hope to build promise ZK in just three rounds, it might imply standards ZK in three rounds, which we know to be impossible from black box simulation. However, if you think about it a little more carefully, it is indeed a relaxation because the validity of the adversary's third round message also implicitly affects the validity of the adversary's first and second round messages. For example, consider a scenario where the adversary gives an encryption of some message in the first round and in the third round, he has to open that this encryption was indeed correctly generated. Now, when you consider a malicious adversary in the context of standard zero knowledge arguments, you have no guarantees whatsoever that in the first round, the adversary indeed gave a valid encryption, right? So this definition is therefore strictly a relaxation of standard zero knowledge and so we can hope to build such a primitive and we indeed do so and show that we can build three round promise zero knowledge from standard assumptions. So now I will not have time to tell you how to build promise zero knowledge, but let me tell you briefly how to use promise zero knowledge to build round optimal MPC. Let's recall that our protocol structure was to use a semi-malicious MPC and to prove that party behaved honestly in this underlying semi-malicious MPC. Now, as we saw from the definition of promise ZK, the primitive only works against adversaries who do not abort in the third round. However, when we deal with malicious adversaries in the context of MPC, we want to handle all adversaries, including ones that do abort in the third round. So in order to get around this, we devise a new proof strategy which we call partition simulation and it works as follows. Suppose the adversary does send a valid third round message with some non-negligible probability. Now from the guarantees of the promise ZK protocol, we can simulate it and we will go ahead and do so. On the other hand, if the adversary does not send a valid third round message and aborts, we can no longer simulate the promise ZK protocol. Instead, we will just run the first three rounds and stop since the adversary did not respond with a valid message in the third round and we will use a separate sequence of hybrids to argue that this is okay. And in order to do so, we rely on a three round strong witness and distinguishable argument recently built by Jane et al and I'll not get into the details. And in both these analysis, we also require a new construction of a three round revinding, secure witness and indistinguishable argument which we build again from standard assumptions. So I'll not have details to tell you more about how this works, but I'd like to use this opportunity to also address another common concern that arises in constant round protocols. Recall that when you're building constant round protocols, we have several different primitives that are running in parallel. So we not only have to build and use non-malleable primitives, we also have to ensure that there is non-malleability across different primitives that are being parallelized. Several previous works in constant round protocols used complexity leveraging to address this issue, but then that results in using sub-exponential time hardness assumptions. Recall that our goal was to use just polynomial time standard assumptions, and so we use the technique of level revinding to circumvent this issue. At a high level, the technique works as follows. Suppose we have three primitives, A, B and C, that are being run in parallel. We will design primitive A such that its secret can be extracted using one rewind. Primitive B will be designed in such a way that its secrets are secure even in the presence of one rewind, but they can be extracted in the presence of two rewinds. Primitive C will be defined in such a way that its secrets are secure even in the presence of two rewinds, but they can be extracted in the presence of three rewinds and so on. I don't have details to tell you more about our round optimal MPC protocol, but I'd like to use the remaining time to tell you a little bit about another cool application of Promise DK in the context of coin tossing. Recall that in standard coin tossing, there are a set of N parties whose goal is to interact in a protocol, and at the end of the protocol, they all wish to learn a random output, a random string that can be used to generate a CRS or something. Now, unfortunately in the same series of works, Katz and Ostrowski and Gargett all showed that coin tossing is also impossible in less than four rounds. We'd like to circumvent this lower bound. In order to do so, we define a new primitive called list coin tossing, which is a relaxation of standard coin tossing. Recall that in standard coin tossing, the simulator gets a single external string, and he has to force this output onto the adversary. In a list coin tossing protocol, the simulator has a little more flexibility. It gets a polynomially sized list of random strings, and can now choose which one it wants to force on as the output to the adversary. So this is a relaxation of standard coin tossing, and we show that this is in fact, not only sufficient for natural applications, such as generating a CRS, but can also be realized in just three rounds from standard assumptions. And I don't have time to tell you how this works. But to conclude, we introduce a new primitive, a new version of zero knowledge called promised zero knowledge and show how to build it in three rounds. We use promised ZK to construct round optimal MPC from standard assumptions, completing this line of research. And we also introduce a new primitive called list coin tossing and show how to build it in three rounds. And some open problems are, can we come up with other applications of promised ZK? Can we build more efficient or simpler round optimal MPC protocols? Or can we also build three round MPC for other natural functions apart from list coin tossing? Thank you.