Hello, everyone. My name is Yifan Zhang. Today, I'm happy to give a talk about our results: ATLAS: Efficient and Scalable MPC in the Honest Majority Setting, co-authored with Vipul Goyal, Hanjun Li, Rafail Ostrovsky, and Antigoni Polychroniadou.

Multi-party computation allows several mutually distrusting parties to evaluate a function on their private inputs. It guarantees that the protocol execution does not leak anything about the individual inputs beyond what can be inferred from the function output. Usually, the functionality is represented as a circuit, and in particular, here we choose to use an arithmetic circuit over a finite field. The circuit supports addition and multiplication operations. In this work, we focus on the information-theoretic setting with honest majority and assume a P2P channel between every pair of parties. We are interested in both semi-honest security and malicious security with abort. In the following, we use n for the number of parties and t for the number of corrupted parties.

Before we move on, I would like to motivate my talk by answering the following two questions. First, why do we care about unconditional MPC? A key feature of unconditional MPC is that we do not need any expensive cryptographic primitive, such as public-key encryption or oblivious transfer, and the protocol is secure unconditionally. Compared with protocols in the computational setting, one major benefit is that protocols usually do not require complicated and time-consuming local computations. As a result, the most efficient MPC protocols are in the unconditional MPC paradigm. Second, why do we focus on the communication complexity? Since the local computations are typically simple, often just a series of linear operations, the efficiency of a protocol in the real world is dominated by its communication complexity.

A well-known semi-honest protocol was introduced by Damgård and Nielsen in 2007. We refer to this protocol as the DN protocol.
It only requires communicating six elements per multiplication gate per party. Due to its simplicity and efficiency, the DN protocol plays a central role in the progress of efficient secure computation. Many subsequent works have used the DN protocol to achieve security with abort or guaranteed output delivery. However, any improvement to the basic DN protocol has been hard to come by. An exception is the recent work of Goyal and others, who proposed a marginal improvement from six elements to 5.5 elements.

In this work, we propose ATLAS, an unconditionally secure MPC protocol in the honest majority setting with reduced communication complexity over the celebrated DN protocol. Concretely, we improve the basic DN protocol, leading to a communication complexity of four elements per multiplication gate per party. We also construct a round-efficient MPC protocol whose communication complexity is 4.5 elements per multiplication gate per party, but halving the number of rounds.

In the semi-honest regime, the well-known DN protocol requires communicating six elements per multiplication gate per party. Recently, the work of Goyal and others proposed a marginal improvement and achieved 5.5 elements per multiplication gate per party. Both of our constructions achieve better communication complexity compared with these two works. In the meanwhile, our second protocol enjoys the feature that the round complexity is reduced by a factor of two. In the malicious security regime, relying on recent techniques, both of our protocols can achieve malicious security with abort without affecting the concrete efficiency.

Our work makes use of the standard Shamir secret sharing. Informally, a Shamir secret sharing uses a random polynomial to hide a single secret at evaluation point zero. Because t is the number of corrupted parties, in our construction, we use the Shamir secret sharing with degree t.
It satisfies that the secret can be reconstructed with any t plus one shares and any t shares are independent of the secret. We use x in square brackets with subscript t to represent a degree-t Shamir secret sharing of the value x. Here are two properties of the Shamir secret sharing scheme. The first one is linear homomorphism, namely, adding two degree-t sharings of x and y yields a degree-t sharing of the secret x plus y. The second property is that multiplying two degree-t sharings of x and y gives a degree-2t sharing of the secret x times y.

In conclusion, we will first introduce our construction that improves the concrete efficiency over the semi-honest DN protocol. We first review the DN multiplication protocol, which is the core of the DN protocol. Given two input sharings of x and y, our goal is to compute an output sharing of the secret x times y. The second observation is that multiplying two degree-t sharings yields a sharing of the correct value but of higher degree. Therefore, the main task is to reduce the degree of the multiplication result.

The DN multiplication protocol starts with a pair of random sharings of the same value. One is a degree-t sharing, and the other one is a degree-2t sharing. These two sharings are referred to as a double sharing. All parties first locally compute a degree-2t sharing of x times y plus r. Each party simply multiplies its shares of x and y, and then adds its share of r. Then the first party P1 receives the whole sharing of x times y plus r, reconstructs the secret, and distributes the result to all other parties. Finally, to obtain the correct result, all parties subtract the random degree-t sharing of r from the reconstruction result. This completes the description of the DN multiplication protocol. Note that the only interactive step is the second step, where the first party needs to receive the whole sharing of x times y plus r, and distributes the result to other parties.
In GS20, Goyal and others observed that the first party may send shares of the reconstruction result rather than the result itself. Recall that in the original protocol, the reconstruction result is used to compute the final sharing of x times y. This is achieved by subtracting the random degree-t sharing of r from the reconstruction result. Note that if the first party sends shares of the reconstruction result, all parties can still obtain a sharing of the multiplication result by subtracting the random sharing of r from the sharing distributed by the first party. This observation leads to a marginal improvement in GS20.

Different from GS20, we make two observations when the first party is an honest party. First, when the first party receives the whole sharing of x times y plus r, since P1 is the only receiver, corrupted parties do not receive any messages. Second, when the first party sends shares of the reconstruction result to other parties, corrupted parties only receive uniform values as their shares. These two observations hold even if the adversary knows all the shares of the double sharings that are used in the multiplication protocol. Therefore, if the first party is an honest party, then corrupted parties do not learn any information even if we do not use uniform double sharings. In other words, uniform double sharings are only needed when the first party is corrupted.

Indeed, during the protocol execution, we cannot distinguish whether the first party is honest or corrupted. Our idea is to play the role of the first party in a round-robin way. It ensures that at least a half of the multiplication gates are handled by honest parties. Hopefully, we only need to prepare uniform double sharings for multiplication gates handled by corrupted parties. To this end, our second idea is to use t-wise independent double sharings. It ensures that the double sharings used by corrupted parties are uniformly random.
In summary, our idea is to play the role of the first party in a round-robin way and rely on the t-wise independence. We show that all parties can locally transform t pairs of uniform double sharings into m pairs with t-wise independence. Note that we do not need to change the original DN protocol, but just replace the double sharings used in the protocol.

As for the concrete efficiency, in the DN protocol, the amortized communication complexity per pair of double sharings is four elements per party. During the online phase, all parties need to send their shares of a degree-2t sharing to the first party and receive the reconstruction from the first party. Therefore, in the online phase, each party needs to communicate two elements per multiplication gate. In total, the DN protocol requires communicating six elements per multiplication gate per party. Our work reduces the number of random double sharings. Specifically, we only need t pairs of random double sharings to evaluate n multiplication gates. Therefore, we reduce the cost per pair of double sharings by a factor of 2. That is, two elements per party. The total communication complexity of our protocol becomes four elements.

Now, let's see how to reduce the round complexity without affecting the concrete efficiency. Can we evaluate a two-layer circuit in parallel? If we can answer this question affirmatively, then we can evaluate the whole circuit two layers each time and reduce the round complexity by a factor of 2. Clearly, the main difficulty is that getting the second layer requires results from the first layer. For a multiplication gate in the second layer, how should we evaluate this gate without learning the inputs?

We first recall the notion of a Beaver triple. A Beaver triple contains three sharings. The secrets of these three sharings satisfy that the third secret is equal to the multiplication of the first two secrets.
For two public values, u and v, we may write (u minus a) times (v minus b) as u times v minus u times b minus v times a plus a times b. Then if we replace a, b and a times b by their corresponding sharings in the Beaver triple, we obtain a sharing of the multiplication result of u minus a and v minus b. Therefore, with the help of a Beaver triple, all parties can locally multiply the two sharings u minus a and v minus b.

Now let's go back to our problem. For each multiplication gate in the second layer, if the first input sharing is in the form of u minus a, the second input sharing is in the form of v minus b, and all parties hold the Beaver triple a, b and a times b, then all parties can locally evaluate this multiplication gate as we just described. We observe that to prepare the Beaver triple, we only need to know the first two sharings a and b. In particular, the two public values u and v can be learned afterwards. Therefore, if the protocol for the first layer satisfies that the output sharing is in the form of u minus a, that is, a constant minus a sharing, and all parties learn the sharing a before evaluating this gate, then all parties can prepare the Beaver triple at the same time as the evaluation of the first layer.

Fortunately, the original DN multiplication protocol perfectly fits our need. Note that this is the whole process of the DN multiplication protocol. First, note that the output sharing is in the form of a constant minus a sharing. Specifically, here x times y plus r serves as the constant value u, and the sharing r serves as the sharing a. The first property is satisfied. For the second property, note that the sharing r is a part of the double sharings used in the protocol, and this pair of double sharings is prepared before the running of this protocol. Therefore, all parties learn the sharing r, which serves as the sharing a, before evaluation.
In summary, our evaluation strategy works as follows. All parties first use a pair of random double sharings to evaluate the first multiplication gate. Then all parties use a different pair of random double sharings to evaluate the second multiplication gate. In the meantime, all parties use the sharing a from the first pair of double sharings and the sharing b from the second pair of double sharings to prepare the Beaver triple for the multiplication gate in the second layer. Note that these three steps can be done at the same time. Finally, all parties can locally evaluate the multiplication gate in the second layer with the help of the Beaver triple. In conclusion, all parties can evaluate a two-layer circuit in parallel.

We would like to clarify the question of why we do not prepare the Beaver triple in the preprocessing phase. This is because in the real execution, one input sharing of a multiplication gate in the second layer may come from the output sharing of an addition gate in the first layer. In this case, the first two sharings a and b in the Beaver triple are only known during the execution, which means that we cannot prepare the Beaver triple before evaluating the previous layers.

As for efficiency, in odd layers, all parties need to use the original DN multiplication protocol. This is because we need the output sharings from odd layers to satisfy our requirements. For even layers, we only need to prepare the Beaver triples, which can be done by our new multiplication protocol. Assuming that the number of multiplication gates in odd layers is the same as that in even layers, the amortized communication complexity is five elements per multiplication gate per party. Although we cannot directly use our new protocol for multiplication gates in odd layers, we show that we can still use t-wise independence to improve the original DN protocol from six elements to 5.5 elements without changing the output form.
Therefore, we can achieve 4.5 elements per multiplication gate per party at the end.

We test our two constructions and compare them with the previously best-known result, GS20. Our experiment generates a random circuit with one million multiplication gates. We set up our experiments in the LAN setting and used a 61-bit Mersenne field. The numbers in the table are the reported running times in milliseconds. The experiments show that when using the proper variant, our protocol is about 1.4 times faster than GS20. We note that when the circuit depth is... When the circuit is shallow, for example, when the circuit depth is 20, our t-wise independence variant is better than our round compression variant. When the circuit is deep, for example, when the circuit depth is a thousand, our round compression variant performs better than our t-wise independence variant. In reality, we can choose the proper variant based on the circuit depth.

In summary, in this work, we construct a new efficient multiplication protocol that achieves the communication complexity of four elements per multiplication gate per party. Our idea is to use the DN protocol, play the role of the first party in a round-robin way, and rely on the t-wise independence. Then we improve the round complexity to achieve a better concrete efficiency. Our idea is to carefully combine the idea of the Beaver triple with the original DN protocol. As a result, we managed to evaluate a two-layer circuit in parallel, which allows us to construct a round-efficient protocol whose communication complexity is 4.5 elements per multiplication gate per party, and the round complexity is reduced by a factor of 2. Altogether, our protocol ATLAS is the fastest MPC protocol in the honest majority setting. Thank you.
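
Added example, not part of the talk or the authors' code: a single-process Python simulation of the DN multiplication step and the two-layer trick described above, where both first-layer outputs have the form "public constant minus a sharing" and the Beaver triple is built in the same round. The function names, the toy parameters (n = 5, t = 2) and the trusted dealer that produces the double sharings are assumptions; the t-wise independent expansion and the round-robin choice of the first party are not modelled.

```python
import secrets

P = 2**61 - 1          # 61-bit Mersenne prime, the field size used in the talk's experiments
N, T = 5, 2            # constructed toy parameters: n = 2t + 1 parties

def share(secret, deg):
    """Shamir-share `secret` with a random degree-`deg` polynomial; party i holds f(i)."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(deg)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, N + 1)]

def reconstruct(shares, deg):
    """Lagrange-interpolate f(0) from the shares of parties 1..deg+1."""
    pts = range(1, deg + 2)
    total = 0
    for i in pts:
        lam = 1
        for j in pts:
            if j != i:
                lam = lam * j % P * pow((j - i) % P, -1, P) % P
        total = (total + shares[i - 1] * lam) % P
    return total

def double_sharing():
    """Random r shared at degree t and degree 2t (dealt by a trusted dealer: an assumption)."""
    r = secrets.randbelow(P)
    return share(r, T), share(r, 2 * T)

def dn_mult(xs, ys, r_t, r_2t):
    """DN multiplication: returns public u = x*y + r and the degree-t output u - [r]."""
    masked = [(x * y + r) % P for x, y, r in zip(xs, ys, r_2t)]  # local, degree 2t
    u = reconstruct(masked, 2 * T)            # the first party opens x*y + r
    return u, [(u - r) % P for r in r_t]      # a constant minus a sharing

def two_layer(x1, y1, x2, y2):
    """Compute (x1*y1)*(x2*y2); the three dn_mult calls are independent, so one round."""
    a_t, a_2t = double_sharing()
    b_t, b_2t = double_sharing()
    c_t, c_2t = double_sharing()
    u, z1 = dn_mult(share(x1, T), share(y1, T), a_t, a_2t)   # z1 = u - [a]
    v, z2 = dn_mult(share(x2, T), share(y2, T), b_t, b_2t)   # z2 = v - [b]
    _, ab = dn_mult(a_t, b_t, c_t, c_2t)                     # Beaver triple's [a*b]
    # Second layer, purely local: (u - a)(v - b) = u*v - u*b - v*a + a*b
    out = [(u * v - u * b - v * a + c) % P for a, b, c in zip(a_t, b_t, ab)]
    return reconstruct(z1, T), reconstruct(z2, T), reconstruct(out, T)
```

Calling `two_layer(3, 4, 5, 6)` opens the two first-layer products and the second-layer product; in a real run only the final output would be reconstructed.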