 אוקיי, תודה, סני. אז זו את הופעה של פרקת בוילד, דיפש דתה ופה בלוברצ'ק ובסוף, אנחנו מדברים על סקיור מולטיפרטי קופיטציון אנחנו עושים פרטי, רוצים לתת משהו, ביחד עם סקיור מנהל אנחנו עושים הרבה רגעים, רגעים, רגעים, רגעים קלאסיק, ורקות שיכרו להפתחות מאוד מפרסיבות So, mostly, the classic protocols dealt with Byzantine agreement or secure function evaluation, and in those protocols, every party talks to every other party. So, if you look at the communication graph of the protocol, we have a complete graph. And that's okay if we have a small set of parties. But what happens if we have many, many, many parties? What happens if we have a large-scale setting of secure computation? Then, if we have a complete graph, that might be a big overhead for the computation. And a very natural question is, do we actually need this overhead? Maybe we can use a partial communication graph and still compute the function in a secure manner. This is a very old question, almost since Byzantine agreement came to life in the 80s. People already studied this question. Can we have a partial graph? And the first model that this question was analyzed in is a fixed partial graph. In this model, the communication graph is known ahead of time. So, I know which other parties I can talk to. This is fixed ahead of time. And because of it, the corruptions can be a function of the topology of this graph. And in this model, we have a great source for lower bound results. For example, for Byzantine agreement, the connectivity of the graph is linear in the number of the corruptions. So, if we have a linear number of corruptions, it's linear in the number of parties. As a result, the communication complexity of Byzantine agreement in this model is quadratic in the number of parties, if we have linear number of corruptions. So, normally, if we analyze protocols in this setting, we go for weaker notions of correctness and privacy, like almost everywhere agreement or protocols that are exposed to the residual function attack. Another model which is more recent is a dynamic graph. In this setting, every party can talk to every other party, but it only chooses who to talk to dynamically during the protocol. And this model is managed to overcome many of the lower bounds in the fixed graph setting. So, for example, we know how to have Byzantine agreement with the linear communication complexity up to polylog factors. And we have scalable protocols or protocols where every party only talks to sublinear many other parties, even to polylog many other parties. So, again, just to compare between these two models, well, in the fixed graph, most of the results are lower bounds. In the dynamic setting, we actually get good things, we get many upper bounds. And the fixed graph has been studied since the 80s, it's well studied. That's not the case with the dynamic setting. In this setting, we don't understand it that well, and that's what we try to contribute in this work, to have a better understanding of this model. So, the main question we have in mind, what are the properties from the graph that are necessary for running a secure protocol? If we look at how previous works look at this question, the goal in prior works was to start with the protocol and to think what kind of properties we want from this protocol. For example, low communication complexity, locality. To get this protocol, we need a partial graph. So, this is kind of a side effect of what we want. In this work, we look at it more broad of a question, and we have a foundational study of the dynamic graph model. And we have a framework to analyze various graph properties, and for example, locality, and since we have low locality, we know that we can overcome the connectivity lower bound, and some are a very natural next step to see whether we actually need expansion in the protocol or not. But this one can be used to analyze many, many, many other graph properties. So, what's an expander? In formally speaking, it's a potentially sparse graph that has a very strong connectivity properties. And all of the protocols that we know from the literature actually induce a communication graph which is an expander. So, if we go back to the classic protocols, it's a complete graph. If you look at the more recent protocols with sublinear locality, in a very, very strong way, they induce an expander. So, for example, if every party randomly chooses who its set of neighbor is going to be, so which other parties it will send messages to and which other parties it will listen to, will get an expander. So, a bit more formally, I think that's the only technical slide I have. So, if you don't, if it's too early in the morning, you can close your eyes and it will be okay for the rest of the talk. But just what kind of expansion we're looking at? We look at edge expansion. If we have a graph of a node, then we look for every subset of nodes at the ratio between number of edges going outside of the set to the size of the set. Then we look at all of the sufficiently small sets and look at the minimal such value. And if when the number of nodes grows, we can bound this value from below by some positive constant, we say that the family of graph is an expander. And this is an example of a graph which is not an expander. If we can split the graph into two linear size sets, where we have only sublinear number of edges going between them or a sublinear cut, then the graph will not be an expander. So, now we can look at a more focused question. Must the communication graph of a secure protocol that tolerates a linear number of corruptions be an expander? Like everything in life, the answer is it depends. So the main results we have in the paper are first we show in upper bound. We show that there is a very large class of protocols that the communication graph is not an expander in a very, very strong sense. Those upper bounds work in the PKI model, so we need some form of trusted setup and we show it in very different models. So static corruption, adaptive corruption, information theoretic, protocols are computational, with or without small locality. On the other hand, we also show a lower bound. So we show that in some settings, namely if we don't have setup and if we have adaptive corruption, there are functions that any protocol that securely realizes them must induce an expander. And that's what I'm going to talk about during the rest of the talk. First upper bound, then a bit on the lower bound. So let's get started. Let's assume we have the digital signatures and we have a secure function evaluation protocol in the PKI model that can tolerate a quarter minus epsilon for any arbitrarily small positive epsilon fraction of static corruptions. And the communication graph of this protocol is not an expander. And the high level of the protocol is as follows. So let's for simplicity assume we have an even number of parties. We have 2M parties. We split the party set into two, two linear side sets. P12PM and PM plus 1 to P2M. The left side of the parties invokes some kind of ideal functionality or a trusted party. The parties give their input to this party and this trusted party elects two polylogarithmic committees, one on the left, one on the right and it tells the left committee what are these two committees. It signs, using the signature, it signs the identities of the committees and it also secret shares all of the left side inputs and gives the committee shares of those inputs. Next, we have a bridge. The left committee transfers the secret shares to the right committee. Now, the right committee doesn't know that they were a committee, that they were elected to be a committee, but that's where the public infrastructure comes into play. So because the identity of the committee members are signed, they can verify that they were indeed elected and using the PKI, we can avoid all kind of flooding attack of the adversary. Next, the right-hand side invokes a trusted party. Everybody gives their input, but also the committee gives the shares they received. This trusted party can now reconstruct the values and compute the function and give the output to all of the right-hand side. Now, the left side needs to know it, so we have another bridge. The right committee gives the output back to the left committee and now we have another trusted party that is only used to distribute the output among the left committee. So we do have this layout of a graph where we have two linear-sized sets, but we have a polylogarithmic cut. So in a very, very strong sense, this is not an expander. But we still need to instantiate those trusted parties and using different protocols, we get different results. So if we use the BMR protocol, we get the statement I gave at the beginning about static corruptions and computational security. But if we use the protocol of Boil et al of Chandra et al, we can get polylogarithmic locality and a graph which is not an expander. And also, since we only use PKI for setup, we can use information theoretic PKI and get information theoretic protocols. Now, we didn't have an information theoretic protocol with polylogarithmic locality, so with the site compression, we actually had an information theoretic analog of the BGT protocol that gave us this corollary. But that's all nice, but we have committees. What about adaptive adversaries? It's a very nice result, but it doesn't seem to hold against strong adversaries. So what goes wrong if we look at adaptive corruption? So first, the adversary can see the communication if we only use private channels, let's say. And there's no way to go around this problem. So what we do is we use the same ideas from Chandra et al and we use the hidden channels. So if two honest parties communicate, the adversary doesn't know about it. And this is inherent if we want to have adaptive corruptions and low locality or sublinear cuts. So that's okay that we can live with. But still, we have committees. If the adversary learned the committee, it can corrupt all of them. But what if he doesn't have the ability to learn the identity of the committee? What if each committee member only learns whether he's in the committee or not? He doesn't know who else is in the committee. Then the adversary, if he corrupts a party on the left-side committee, he will learn the corresponding partner on the right-hand side and vice versa. So that reduces the threshold of corruption by half. But we still get security against adaptive corruption if we adjust the ideal functionalities appropriately. So now we can actually get corollaries that also hold for adaptive corruptions. So in the computational setting, we can even get polylogarithmic locality and adaptive corruption and protocols which are not an expander. And we can also use the information theoretic protocols which are adaptively secure and get information theoretic protocols which hold adaptive corruption and are not an expander. So that was about the upper bound. Now the lower bound. Sometimes protocols not only must be an expander, but we showed that they cannot have any sublinear cut in the graph. So when you start to think about it, we have a linear number of corruption. We are guaranteed that the graph will have a sublinear cut. Isn't it trivial? Why won't we simply corrupt the cut? It's adaptive corruption. So if you think about it a bit longer, there are some subtleties that come into play. So first, the graph is dynamic. We don't know where the cut is going to be. But not only that. Let's say that we do identify the location of the cut. Maybe one side of the cut is fully corrupt by corrupting the bridge parties. Maybe we can corrupt all of... We will have to corrupt all of them and that won't give us any contradiction. If we want to show an attack, what we need is two honest parties that we can isolate on both sides of the sublinear cut. Maybe we can guess where the cut is going to be. Nah, there are exponentially many options that won't really work. What if we wait until we identify where the graph is? We'll start to see how the communication forms and only then we'll corrupt the sublinear cut. We can do that. But information might have already gone through. So again, we'll corrupt the cut, but we won't get a separation between the honest parties. So when you start to think about it, that becomes a very subtle attack. The approach we take is that we gradually learn how the graph has been formed, but we block all of the information flow during this time where we learn until we identify where the sublinear cut is going to be and only then we cannot block information flow forever and only then information starts to propagate. But to carry out this attack, we need to have multiple adversarial strategies and we have to analyze the information flow. So we have a lot of information theoretic arguments and we use graph theoretic arguments. So it's a very nice attack. I encourage you to read it, but I won't have time now to go over it. But I'll just a statement. So the setting that we're looking at is adaptive corruptions. We don't have setup and we have private channel, like the standard private channel where the adversary can't see honest honest communication. And these two properties, they're no setup and private channels are different than the upper bound we have for adaptive corruptions. We look at parallel broadcast or interactive consistency as the function that we're attacking. So this is a function where we don't even need privacy. We only attack correctness. In this function every party has a value and it broadcasts this value and the output is a vector of values where if the ice party is honest, the ice coordinate will be its input. And the statement is if we have a protocol that is a parallel broadcast protocol and it tolerates a constant fraction of adaptive corruptions, then there cannot be any sublinear cut in the communication graph of this protocol. And in particular, the graph must be an expander. And you can, we hope to have the full version on the apron soon so you can actually see the beauty of this attack. To summarize, we initiate a foundational study of the dynamic graph model. We have an upper bound where we showed a protocol that in a very, very strong sense is not an expander and we show a setting where every protocol that instantiates some function must induce an expander. But that leads us to some interesting open questions. So first, we have a gap between the upper and lower bounds. We need to close this gap. So in the upper bounds, we have trusted setup, we have hidden communication channels for adaptive corruptions, whereas in the lower bounds, we don't have setup, we need visible channels, yet private. So to close the gap is an interesting question. Another natural question is what other graph properties are interested to be analyzed. We are happy to talk to people about other interesting graph properties that we can analyze using this framework. And finally, we have a new connection between graph theory and secure computation. So maybe the fact that we must have expansion can give us some new lower bounds on communication complexity. So there are many nice things in this framework. And here I'll conclude, so thank you.