So the final talk of the session is called "1/p-Secure Multiparty Computation without Honest Majority and the Best of Both Worlds." It is by Amos Beimel, Yehuda Lindell, Eran Omri, and Ilan Orlov, and Ilan will be giving the talk.

Hey, good morning. My name is Ilan Orlov. Today we will be presenting 1/p-secure multiparty protocols without an honest majority and their usage in achieving the best of both worlds. This is joint work with Amos Beimel, Yehuda Lindell, and Eran Omri.

I would like to state our results at a glance. It might not be so clear for now, but I hope it will be clear later. So in this work we explore 1/p-secure multiparty protocols without an honest majority, where 1/p-security is a relaxed notion of security. We achieved the following positive result: we constructed 1/p-secure protocols for a constant number of parties for computing any function with polynomial-size range, tolerating any number of corrupt parties. In addition, we proved the following complementary impossibility result: we proved that there is no general 1/p-secure protocol for a non-constant number of parties. This result explains why the number of parties is constant in our protocols.

In addition, we discuss the best of both worlds. We constructed a single protocol that has the following nice property: if there is an honest majority in the system, then the protocol is fully secure, while if there is no honest majority in the system, the protocol is 1/p-secure. So this protocol achieves the maximum security possible if there is an honest majority, and it does not collapse when there is no honest majority.

So this talk has four parts: background, our results, the ideas of our protocol, and a summary and open questions. We start with the background.

So every talk has to have a motivating story. This is ours. Most of you forgot it, but today is Smurfette's birthday, and all the Smurfs decided to buy a birthday gift.
They decided to buy a book. There are two books on sale: Harry Potter and Algorithms. Each Smurf has a preferred book, therefore they decided to compute the most popular one, which is in this case Harry Potter. In fact, they decided to execute a protocol for this computation. And our goal is to construct a protocol that will be secure as much as possible against an adversary that corrupts some of the parties and wishes to cause damage to the protocol.

Next I describe the model. So there are m parties in the system that execute an r-round protocol, where the number of rounds r is bounded by a polynomial in the security parameter. There is an adversary in the system that runs in polynomial time, and it is malicious. It corrupts and controls some of the parties. The adversaries are rushing adversaries. It means that in each round it first sees all the messages of the honest parties, and only then it chooses and sends messages on behalf of the malicious parties. Those messages can depend on the messages of the honest parties. This is more realistic than a simultaneous channels model. We also assume a broadcast channel. It means that each message sent by each party is seen by everyone.

I will describe the security definitions. So the common security definition involves a comparison between two worlds: the real world, which is the protocol running in the model described in the previous slide, and an ideal world, which is an imaginary world that assumes the existence of a trusted party that helps with the computation. I will describe in detail the ideal world. So this is the ideal computation of a function.
There are m parties, where each party holds an input. There is a trusted party, and an adversary who corrupts a subset of the parties, and it can change their inputs. Next, each party sends its input to the trusted party, who in turn computes the function and sends to each one of the parties the output. Observe that changing the inputs is the only thing that the adversary can do in this model. Therefore many nice properties are guaranteed, for example privacy, correctness and fairness, where fairness informally states that if the corrupt parties get the output, then the honest parties get the output as well.

So after we define the ideal world of computation, we can define the definition of full security. In full security we compare the real world, which is the protocol, and the ideal world that assumes a trusted party, and we say that a protocol is fully secure if no real-world adversary can do more harm than an ideal-world adversary. And as the ideal world is secure, then the real world is secure as well.

So is this definition of full security achievable? Goldreich, Micali, and Wigderson in '87 proved that any polynomial-time function f can be computed with full security with an honest majority. However, Cleve in '86 proved that any r-round m-party coin-tossing protocol has a bias of 1/r without an honest majority. So we can conclude that it is impossible to achieve full security without an honest majority for general functions. For example, we cannot achieve full security for coin tossing.

So what can be achieved without an honest majority? GMW '87 suggested the following relaxed definition, called security with abort. This definition is achieved without an honest majority. However, it does not provide any fairness.
In fact, the adversary can learn the output while the honest parties learn nothing. So can we get a reasonable fairness without an honest majority? And the answer is yes: we can have 1/p-security.

So 1/p-security is a definition defined by Gordon and Katz in 2010. In this definition we compare the previous two worlds: the real world, which is the protocol, and the ideal world, which is in fact the same ideal world as in the definition of full security. Recall that in full security we require the real world to fully emulate the ideal world, while in 1/p-security we require the real world to emulate the ideal world within a computational distance of 1/p. So in other words, the adversary can cause damage to the protocol with probability of at most 1/p.

In their work, Gordon and Katz showed a feasibility result for two parties. They proved that for every function f where the size of the domain or range is polynomial, there exists a 1/p-secure two-party protocol, and it holds for every polynomial p. In addition, they proved the following impossibility result: they proved that the domain or range has to be polynomial. Next, they asked if this result can be extended to the multiparty case. In our work we give both positive and negative answers for this question.

So now we'd like to state our results. Our main result is a feasibility result for multiparty. Informally, we constructed 1/p-secure protocols for a constant number of parties. More formally, we prove the following theorem: we prove that for every function f, where the number of parties m is constant and the size of the range of f is polynomial, there exists a 1/p-secure protocol that tolerates up to m - 1 corrupt parties. So m - 1 corrupt parties is the maximum number of corrupt parties possible. And it holds for every polynomial p. In a different protocol, we showed that if the number of corrupt parties is less than two-thirds of the total number of parties, and the function f is deterministic, and the size of the domain of f is constant, then we can have the number of parties be non-constant. It can be O(log log) of the security parameter.

On the negative side, we prove the following impossibility result. But first I would like to state a special case of our possibility result. So we prove that there exists a 1/p-secure protocol when the number of parties is constant, and the function f is deterministic, and the size of the domain of each party is polynomial. And our impossibility result states that such a protocol for a deterministic function, where the size of the domain of each party is polynomial, is not possible when the number of parties m is non-constant. And this explains why the number of parties is constant in our result.

Next we discuss the best of both worlds. So GMW '87 proved that any polynomial-time function f can be computed by a protocol with full security with an honest majority. But if there is no honest majority, this protocol does not guarantee any security. And so our goal is to have a single protocol that achieves full security if there is an honest majority in the system, and some weaker notion of security if there is no honest majority in the system. We will call it fallback security. Ishai, Katz, Kushilevitz, Lindell, and Petrank defined this problem and suggested protocols achieving several models of fallback security, but they did not achieve the exact above goal. They had some good reasons for that. In our work we consider 1/p-security as a possible fallback, and we achieve it. So informally, 1/p-security is possible as a fallback security for a constant number of parties. More formally, we prove the following theorem.
We prove that for every function f for m parties, if both the domain and range are polynomial and the number of parties m is constant, then there exists a single protocol that is fully secure if there is an honest majority, and it is 1/p-secure if there is no honest majority. And this is the best of both worlds. And as Ishai et al. proved that security with abort is not possible as a fallback security, we get another strong motivation for discussing the definition of 1/p-security.

Next I give some of the ideas of our protocol. So we will not have enough time to describe the whole protocol, but here are some of the ideas. This is the structure of our protocol. The structure was used in other constructions as well. So our protocol has two steps: the preprocessing step and the interaction step. In the preprocessing, the parties execute a secure-with-abort protocol in which they give their inputs as an input, and in exchange they receive a set of shares and send messages for executing an r-round protocol. In the interaction step there are r rounds, where in each round each party broadcasts its message that it got in the previous step, and each subset of parties learns a value. This value is used if other parties abort. We have a special round called i*. After round i*, each subset of parties receives the actual output of the function f, while before round i*, each subset of parties receives a value that depends only on the inputs of the parties in this set. And our protocol has the following nice property: to cause damage, to cause the computational distance, the adversary must guess exactly the value of i*, and it is quite hard, as the value of i* is well concealed.

And as I told you, the structure was used in previous constructions. But in our protocol we had to face new challenges and to suggest new ideas. So challenge number one: how to conceal the value of i* in the multiparty setting. Challenge number two: how to deal with any possible abort of any subset. Here are some of our solutions for those challenges. All different information is shared in a few layers of secret sharing, and after an abort, the remaining parties execute a protocol. And this protocol has to conceal the value of i*. It is quite hard, and many of our ideas are behind this.

So let's sum up the talk and suggest some open questions. So we explore 1/p-secure multiparty protocols without an honest majority. We achieved the following positive result: we constructed 1/p-secure protocols for a constant number of parties. Next, we proved that there is no general 1/p-secure protocol for a non-constant number of parties, and this result explains why the number of parties is constant in the protocol. In addition, we discuss the best of both worlds. We constructed a single protocol that is fully secure if there is an honest majority in the system, and it does not collapse if there is no honest majority. It achieves 1/p-security in this case.

So we'd like to suggest some open problems. Question number one: is there a 1/p-secure protocol for a function f with a non-constant number of parties and polynomial-size range and domain? Recall that our impossibility result does not rule out this possibility. Another question: are there more efficient 1/p-secure protocols? By efficiency, I mean the number of rounds. So I didn't tell you about it, but in the protocols the number of rounds is double exponential in the number of parties. And as the number of parties is constant, it is okay, but we would like to see protocols with a smaller number of rounds. Another question is: can you get full privacy and partial fairness in secure multiparty computation without an honest majority? Recall that in the definition of 1/p-security, with probability of 1/p the privacy can be totally lost. So maybe we need to suggest new definitions to solve this question.

That's all. Any questions? Okay.