 Hello, everyone. My name is Yifan Zhang. Today, I'm honored to give a talk about our result. Guaranteed output theory comes free on its majority MPC, co-authored with vapor goya, and the change is true. Multi-party computation allows several mutually distrusting parties to evaluate the function on their private inputs. It guarantees that the protocol execution does not leak anything about the individual inputs beyond what can be inferred from the function output. Usually, the functionality is represented as a circuit, and in particular, here we chose to use a arithmetic circuit or a finite field. The circuit supports addition gates and multiplication gates. In this work, we are interested in the honest majority setting. Assuming broadcast channel and the peer-to-peer private channels, our goal is to construct an unconditional secure MPC protocol with guaranteed output delivery. Before we move on, I would like to motivate my talk by answering the following two questions. First, why do we care about unconditional MPC? The future of unconditional MPC is that we do not need any extensive cryptographic primitive, such as public key encryption, or obvious transfer. And the protocol is secure unconditionally. Comparing with protocols in the computational setting, one major benefit is that protocols usually do not require complicated and time-conservant local computation. And it is possible to achieve fairness and guaranteed output delivery in the setting. So without the most efficient MPC protocols are in the unconditional MPC paradigm. Second, why do we focus on communication complexity? Since the local computations are typically simple, often just a series of linear operations, the efficiency of a protocol in the real world is dominated by its communication complexity. There are two different types of adultery. One is a semi-onionist adultery. This kind of adultery follows the protocol honestly, but tries to learn extra information from what he received. The other one is a fully malicious adultery. It can debit from the protocol arbitrarily. If an MPC protocol allows a premature abort, then we say this protocol is secure with abort. If an MPC protocol can ensure the success of the computation, then we say this protocol is fully secure or guaranteed output delivery. In general, to achieve malicious security, we need to compare semi-onionist protocols using additional tools. For example, GMW of compiler in the computational setting and a verifiable security sharing in the anchors method. Apparently, security against fully malicious adultery is more difficult to achieve than semi-onionist adultery. Therefore, we ask the following question. Is it necessary to pay for malicious security? In this work, we show that we can achieve basically the same efficiency as the best known protocol in the semi-onion setting. Here is the comparison of recent constructions of communication efficient MPC in the anchors majority setting. In the semi-onion setting, the best known construction is the DM protocol, which requires six elements per party per gate. This can be viewed as a baseline for the communication complexity. Recently, there are two works, CGH plus 18 and Mv18, both achieving 12 elements per party per gate in the setting of security with abort. In this work, we obtain the first secure with abort MPC protocol, where the communication complexity matches the semi-onion DM protocol. We make a further improvement of the DM protocol, which allows us to reduce the communication cost from six elements to 5.5 elements. In the setting of guaranteed output delivery, the best known previous constructions have bad dependencies on either the circuit depth or the circuit width. In BSFO 12, it has the term order of D times N square, where D is the circuit depth. In AKB plus 16, it has the term order of W times positive N, where W is the circuit width. The efficiency of these protocols will suffer when either the circuit depth is very large or the circuit width is very large. In this work, we give the first construction where the communication complexity per party is linear in the circuit side. Our protocol achieves 5.5 elements per party in the best case, and 7.5 elements when one or more crafted parties are identified. This result is obtained by compelling our secure with abort protocol into a fully secure one. Here is an outline of this talk. We will start with the best known semi-onion communication between the protocol in the semi-onion setting, then show how to get a secure with abort protocol in the fully Malaysia setting. And finally, how to reach a fully secure protocol with comparable efficiency as the best known semi-onion protocol. We will use square brackets x with subscript t to represent a degree t-sharing of the value x. It requires at least t plus one shares to do reconstruction, and any t-share do not leak any information about x. Here are two properties of Schemer's secret sharing scheme. The first one is linear homomorphism, namely adding two degree t-sharing x and y yields a degree t-sharing of the secret x plus y. The second property is that multiplying two degree t-sharing x and y gives a degree 2d-sharing of the secret x times y. The best known semi-onion protocol in this setting was proposed by Dan Gard and Nelson in 2007. Recall that a semi-onion adversary follows the protocol honestly, but try to learn extra information from the messages it has seen. The highlight of the idea of the DN protocol is to compute a degree t-sharing for each wire. By the nature of Schemer's secret sharing scheme, the shares held by cryptic parties are not enough to reconstruct the secret, and therefore are just several independent values. This ensures the security of the protocol. To make this idea work, we need to take care of multiplication gates and addition gates. Recall that the Schemer's secret sharing scheme is linear homomorphic, therefore for addition gates, all parties can simply add their shares locally. The core idea of the DN protocol is how to evaluate the multiplication gate. Assume the input shareings are x and y, we know that all parties can locally multiply their shares to obtain a degree 2d-sharing of x times y. Therefore, it is sufficient to do a degree reduction to this sharing. The idea of the DN protocol is to prepare a pair of random shareings of the same value of r. One share is a degree t-sharing, and the other one is a degree 2d-sharing. To do a degree reduction, all parties use the random degree 2d-sharing as a mask. Then the first party collects all the shares, reconstruct the secrets, and sends the result back to other parties. Finally, all parties can locally subtract the random degree t-sharing and obtain the share when they want. We observe that all parties do not need to know the reconstruction result. P1 can instead distribute a share ring of the result. All parties can still get the correct share ring they want. Also, we do not need to keep the reconstruction result secret. P1 can choose the last t-share to be 0. Using this t-share and the secret e, P1 reconstructs the whole sharing and only distributes the shares to the first t-plus-1 party. The last t-parties take 0 as their shares. These two observations allow us to reduce the communication cost from 6 elements to 5.5 elements. Now let's switch to a fully malicious auto-tree. A fully malicious auto-tree can arbitrarily deviate from the protocol. So it is clear that the DM protocol is no longer correct in the fully malicious setting. For example, private parties can distribute inconsistent share rings or even refuse to participate in the competition at some point. Surprisingly, it has been shown that the DM protocol provides perfect privacy on the inputs of other parties before output phase. One approach to obtain the malicious security is to first run the DM protocol until the output phase, then check the correctness of the computation, and finally reconstruct the output. Note that addition gates are evaluated locally, therefore it is sufficient to only check the correctness of modifications. This approach has been used in several previous works. In our construction, we rely on the technique in BBCG-plus-19 to achieve sublinear communication in the number of multiplication gates. Compared with BBCG-plus-19, we extend the use of this technique to the MPARTY setting. The original technique is for zero knowledge and fully linear PCPs. We modify this technique to make it more suitable for NPC. Furthermore, we explore recursion to make it even more efficient in practice. Our idea is inspired by two other techniques. One is an extension of the DM protocol to handle inner product operations. The other one is specialized modification verification introduced in BSF-412 and its extension for inner product operations introduced in NV-18. For the extension of the DM protocol, the main point is that all parties can locally obtain degree 2D sharing of the inner product of two vectors x and y. Then it is sufficient to do a degree reduction to this sharing. This becomes the same problem solved by the DM protocol. Note that the communication cost is independent of the dimension of the input vectors. This extension has been observed and used in many previous works, for example, the work CGH-plus-18. The second technique is batch-wise modification verification. Given a batch of M multiplication tuples, the goal is to check whether all the tuples are correct. In fact, combining the DM protocol and the batch-wise modification verification already yields a secure result board protocol. This is exactly the construction in NV-18. However, we will see that the verification requires additional M multiplications, where we want to verify the multiplications with sublinear cost. At the head level, we want to construct three polynomials f, g, and h, such that for the first M evaluation points, f i, g i, h i, corresponds to z i multiplication tuples. Furthermore, we want these three polynomials to satisfy that h equals f times g if all the multiplication tuples are correct. In this way, verifying the multiplication tuples becomes verifying whether h equals f times g. For example, in this toy case where we have three tuples, we can list the requirements for these three polynomials in the table. Note that for both f and g, they can be polynomials of degree M minus 1. We can use the ground interpolation to compute the coefficients of f and g using x i and y i respectively. If we want h to be f times g, h should be a polynomial of degree 2 times M minus 1. However, we only have M points, which are insufficient to determine the polynomial h. Therefore, we will compute another M minus 1 multiplications to provide enough points for the ground interpolation. For example, in this toy case, we first compute the shear wings of both f and g at the evaluation points 4 and 5. Then compute the multiplications, and the results are divided by d4 and d5. Now we can do interpolation to compute the coefficients of h. Now we have our three polynomials to test whether h equals f times g. It is sufficient to test a random evaluation point alpha. Our parties generate a random challenge alpha and compute three shear wings f alpha, g alpha, and h alpha. Note that this reduces the problem of checking M multiplications into a check of a single multiplication. The overall communication cost of batch-wise multiplication verification is out of M multiplication dates. An extension of the batch-wise multiplication verification is to check the correctness of a batch of M inner product tuples. This extension is first noted in the work NV-18. The idea is basically the same as the check for multiplication tuples, except that we will need additional M minus 1 inner product operations instead of multiplication operations. However, recall that the Dean protocol allows us to evaluate an inner product gate with the same cost as a multiplication gate. Therefore, the communication cost of batch-wise inner product verification is the same as the one for multiplication tuples. That is, requires order of M multiplication operations. In essence, this technique allows us to reduce the check of M inner product tuples into one check of a single inner product tuple. Given M multiplication tuples, our idea is to first transform this M tuples to a single inner product tuple of dimension M. Furthermore, if one of the original multiplication tuples is incorrect, the single inner product tuple should also be incorrect. Therefore, it is sufficient to only check the single inner product tuple. To obtain a single inner product tuple, a straightforward way is to set the first vector x to be x1, x2 to xm, y to be y1, y2 to ym, and z to be the summation of ci. However, this is not sufficient. For example, if the adversary causes c1 to be x1 times y1 plus 1 and z2 to be x2 times y2 minus 1, the errors are cancelled in this tuple. Consider the following two polynomials f and g. The coefficients of f are xi times yi. The coefficients of g are zi. Then the task becomes checking whether these two polynomials are the same, which can be done by testing a random point alpha. Therefore, we can set the shear wings x, y, d in this form. We can verify that the inner product between x and y is f alpha and z is g alpha. This way, we only need to check the single inner product tuple. However, we note that the dimension of this inner product tuple is m, where m is the number of multiplication gates. Even checking a single inner product tuple would cost us proportional to m. Therefore, our idea is to reduce the dimension by a factor of k, where k is the parameter. In step two, we want to reduce the dimension by a factor of k. For each of the two input vectors, we separate it into k sub-vectors of the same dimensions. By using the d and inner product protocol, all parts computed the inner product for each pair of xi and yi. For the last pair, instead of using the d and protocol, we simply set dk to be z minus the summation of the first k minus one result. In this way, if the original inner product tuple is incorrect, then at least one of the new inner product tuples is incorrect. Therefore, we only need to check the correctness of this new k inner product tuples. Note that the communication cost is just k multiplication operations. To this end, we use the batch-wise inner product verification to reduce the check of k inner product tuples into a check of a single inner product tuple. In particular, the dimension becomes m over k. The overall communication cost of step two is just out of k multiplication operations, which is independent of m. In the last step, we just repeat step two enough times until the dimension of the final tuple becomes one. To simplify the verification of the final tuple, we borrow the idea from NV18. In the final iteration, we add a random multiplication tuple as a mask. This allows us to directly open the final multiplication tuple and check the correctness. As for efficiency, we need to repeat log km times in step three. Since each iteration requires order of k multiplication operations, the overall communication complexity is out of k times log km multiplications, which is sublinear in m. A follow-up work has implemented our protocol and compared with the previously best known implementation result, the work by Cheetah and others in crypto 2018. The experiment used arithmetic circuit with one million multiplication dates in the line setting. The final tuple is the 61-bit Mercent field. All the numbers are the running time in milliseconds. We select two different kinds of circuits. One kind has steps 20 and the other one has steps 1000. Different colors respond to different number of parties participating in the computation. We can see that when the circuit depth is 20, our protocol is about 1.7 times faster. When the circuit depth is 1000, our protocol is about 1.6 times faster. This experiment results show that our protocol is also efficient in practice. So far, we have shown how to efficiently check the correctness of modifications. Combining with the DM protocol, we obtain a secure with the board protocol with the same efficiency as the semi-onest DM protocol. In the last part, we will focus on full security. The protocol is obtained by compelling the secure with the board protocol. At a high level, we follow the idea of this build control introduced in BT-H06. This is a general strategy to achieve full security efficiently. The idea is to divide the circuit into small segments. Then our parts evaluate each segment in sequence. When the computation of boards, our parties find the various things went wrong and then rerun the current segment. When we look into a transcript of an aborted computation, either there is a corrupted party who does not follow the protocol, or there is a pair of parties who do not agree on the message sent from one party to the other. The main difficulty of using this build control is to efficiently identify corrupted parties or disputed parties when the computation aborts. Recall that in our secure with the board protocol, in the end of the multiplication verification, our parties only need to verify a single multiplication table. Our idea is to compute a virtual transcript of this automated table. A virtual transcript is not executed, but all parties should agree on the messages appearing on the transcript. Concretely, all parties will together compute a virtual transcript of the automated table, as if they directly compute this table using the DM protocol. In this case, if the ultimate table is incorrect, it is sufficient to only examine this virtual transcript. Our idea is to follow the multiplication verification of our secure with the board protocol. At each step, we will compute a virtual transcript from the transcripts of the input samples. One feature of our approach is that all virtual transcripts can be computed without interaction. It means that we can obtain virtual transcripts for free, and the overall communication complexity remains the same as the secure with the board protocol. We briefly discussed other issues of achieving full security. The first one is how the protocol is perceived if one or more corrupt parties abort. Note that when we use the DM protocol to evaluate the multiplication gates, the first party needs all the shares to reconstruct a DP2T sharing. When one or more corrupt parties abort, key one will not receive enough shares to do the reconstructions. Our idea is to do a small surgery to the input sharing of each multiplication gate, such that the shares of aborted parties are zero. In this way, P1 no longer needs the aborted parties to send their shares. Our approach only requires two additional elements per party. This results in 7.5 truth elements when one or more corrupt parties abort. The second problem is that when we examine the ultimate transcript, we may find that the input sharing or the random double sharing are inconsistent. Note that the virtual transcript do not contain the generation of this sharing. We cannot know which party is cheating by just checking the virtual transcript. Instead, we need to go back to the generation for size of this sharing. To this end, we borrowed the idea from BSF-012 to add a very fair ability to share mirror-sector shareings. This technique has overhead only epsilon elements per party per gate, where epsilon is an arbitrarily small constant. We refer to our paper for more discussion about these two problems and our solutions. As a conclusion, we first see the construction of DM protocol, which is the best known semi-onest protocol. Suppresently, DM protocol provides some kind of security when running in the fully managed setting. Based on this observation and the technique in BBCG plus 19, we are able to achieve security with the board with the same efficiency as the DM protocol. To further achieve full security, we rely on the general strategy called dispute control. However, three problems arise when considering the detailed design of the protocol. We rely on the virtual transcript, small surgery, and a very fairable secret sharing to overcome the difficulties. And finally, achieve full security with comparable efficiency as the DM protocol. Thank you.