 Thank you for introduction. My name is Yifan Song. Today I'm honored to introduce our recent work, Communication Efficient Unconditional NPC with Guaranteed Output Delivery. Co-authored with Pogoya and Yan Yiliu. Multi-party competitions allows several mutually distrusted parties to securely evaluate a function on their private inputs. So it guarantees that the protocol execution does not leak anything about their individual inputs beyond what can be inferred from the function outputs. So in this work, we consider the siting where unparties would like to evaluate an arithmetic circuit over a finite field. We assume the existence of private channels between every pair of parties. We aim to construct a protocol against one sort of corruption with unconditional security and output delivery guarantee. So we stress that fairness and output delivery guarantee are crucial in many settings. For example, for voting and the coin flipping, if results fairness or output delivery guarantee, malicious parties can simply abort if the result is not satisfactory. For fair contract sending, malicious parties can receive the signed contract while preventing unparties from receiving it. In this way, malicious parties can vary the contract while unparties cannot. So our goal is to construct a communication efficient protocol. This is supported by the following observation. So in the unconditional siting, local computations are typically simple, often just a series of linear operations. Therefore, the efficiency of a protocol in the real world is dominated by its communication complexity. So by representing the functionality as an arithmetic circuit, there are two main types of gates we need to handle, addition gates and the multiplication gates. Addition gates are typically free, requiring no communication. Therefore, the communication complexity depends up on the number of multiplication gates in the circuit. So it leads us to the following question. Is it possible to construct an unconditional MPC with guaranteed output delivery for one-third corruption such that the communication complexity from multiplication gates is linear in the number of parties? Having linear communication complexity means that the work done by a single party is independent of the number of parties participating in the computation. And as a result, the circuit, sorry, the protocol is fully scalable. Previously, best known result in this setting was provided by Tribune 01 Hertz in 2008. So in their construction, their protocol has communication complexity order of c times n plus dm times n squared plus n cubed. Here sees the side of the circuit and dm is the depth of the circuit. So we note that when the circuit is narrow and deep, dm times n squared becomes the dominating term and the communication complexity from multiplication gates can be as high as order of n squared. Unfortunately, this term dm times n squared appears in many previous works. It led Ben Sensen, Ferrer and Oztrowowski to ask whether this term is inherent in their work in 2012. So in this work, we gave the first construction where the communication complexity from multiplication gates is linear in the number of parties. Concretely, our protocol has communication complexity order of c times n plus n cubed. So this represents a strict improvement over the previously best known result. For convenience, we use square bracket a with subscript d to represent a d plus one out of n Shamir circuit sharing referred as a d-sharing. Let the shares be a one, a two to a n, especially the aspect CS party PI hosts as share AI. It is well-known that when t is smaller than n by three, a t-sharing can always be reconstructed even if some t-shares are incorrect. Before introducing our main techniques, we would like to mention two useful techniques which are well-used to construct efficient NPC with all of the guarantee in the unconditional setting. The first one is party elimination framework. It was first introduced in the work of her tomorrow predicted tech in 2000. So it is a general strategy to efficiently achieve perfect security. The first step is partitioning the whole circuit into several segments. All these segments will be evaluated in sequence. After evaluating one segment, all parties reach a consensus on whether the evaluation is successful or not. Say if it is successful, then all parties can continue to evaluate the next segment. Otherwise, a pair of parties who do not agree with each other, referred as disputed parties, is identified. Disputed parties will not participate in the rest of the computation, and the same segment will be re-evaluated. So in this way, we only need to focus on how to find a pair of disputed parties when a failure occurs. The second technique is BR triple. It was first introduced in the work of Beaver in 1991. A BR triple consists of three t-sharing, A, B, and C. Here, A, B are two random field elements and the C equals to A times B. To compute a multiplication gate with input-sharing X and Y, all parties need to reconstruct two t-sharing, X plus A and Y plus B. Then the output-sharing C can be represented by using two values, X plus A, Y plus B, and the three t-sharing, A, B, and C. Note that these techniques transform one multiplication operation into two reconstruction operations. Now let's have a quick review of the construction of Trubini-01 Hurt. After preparing enough BR triple during the preparation phase, the main task is to reconstruct several t-sharing for multiplication gates. In their work, they provided a protocol to reconstruct a batch of t-sharing at one time. The overall cost per batch is order of n squared and as a result, the average cost per gate is just order of n. However, only multiplication gates in one layer can be handled each time. Since each layer requires at least order of n squared communication, there is an overhead order of dm times n squared in their construction. To overcome this barrier, our starting idea is letting one party to our reconstruction. A special party pqn is selected in the beginning. Then to reconstruct the t-sharing, say X plus A, pqn simply collects all shares from the rest of the parties, reconstruct the results, and sends the result back to them. In this way, the cost per gate is just order of n, even if only one gate is evaluated. However, if pqn is corrupted, then pqn may distribute any incorrect value or even send different values to different parties. It means that we need to check the correctness of the reconstructions. Where still, we find that this check is actually required every layer. Without check, not only the correctness cannot be guaranteed, but also a malicious pqn can learn the full value of an internal wear of the circuit. We give an explicit attack in our work for these simple two-level circuits which computes X times Y times W. The main security issue is that a t-sharing has too much redundancy. Piquing only needs t plus one shares to reconstruct a t-sharing and even recover every shares of this sharing. The high-level idea of our attack is letting a malicious pqn send an incorrect value to one honest party. Since this party uses an incorrect value, further shares provided by this party are also incorrect. However, pqn can use all shares except the share from this party to reconstruct the t-sharing and compute the correct share that this party should hold. By comparing the correct value and the incorrect value of this party, pqn can actually gain extra information. Note that each check is a consensus that is all parties should agree on whether the evaluation is successful or not. It is known that reaching a consensus requires at least n-square communication. Therefore, we still have this dm times n-square overhat in our construction. To avoid this check every layer, the high-level idea of our construction is using n out of n-sixth sharing. In this way, we can remove the redundancy of t-sharing and avoid the attack mentioned above. However, without redundancy, cheating becomes easier and finding a cheater becomes harder. We need to increase the redundancy to find a cheater. To this end, we rely on full consistency, a new technique to increase the redundancy of an n out of n-sixth sharing on demand. Recall that a t-sharing can always be reconstructed even if some t-shares are incorrect. In other words, t-sharing have enough redundancy. The basic idea of full consistency is using additional three t-sharing to commit the shares of an n out of n-sixth sharing. So we first partition our shares into three parts and then we expand each part to be evaluated t-sharing. In this way, every share can be recovered. We will include more details later. So first off, when we use n out of n-sixth sharing, referred as n-sharing, to avoid the check every layer. We include two additional n-sharing in a bureau triple, an n-sharing of the value a and an n-sharing of the value b. When evaluating one multiplication gates, instead of reconstructing two t-sharing, x plus a and y plus b, all parties reconstruct two n-sharing, the t-sharing x plus the n-sharing a and the t-sharing y plus the n-sharing b. Note that the shares sent by honest parties are just several independent and uniformly random elements. Therefore, all parties can securely evaluate multiple layers of multiplication gates, even if picking is corrupted. As before, further check is still necessary. We first check whether picking sends the same values to all other parties. If this check passes, then all the other shareings of multiplication gates are valid t-sharing. Then we need to check the correctness of all reconstructions. To do this, all parties simply recompute all reconstructions by using t-sharing x plus a and y plus b. We can simply use the protocol in the work of Truby Nio and Hertz. Note that the difference is that we have already computed a valid t-sharing for each wire. It means that we can do all reconstructions in parallel and the layer restriction in the work of Truby Nio and Hertz disappears. So if the check fails, then all parties automatically reach a consensus on the first incorrect reconstruction, say it is x star plus a star. There are two possibilities. A malicious picking may distribute an incorrect value or some corrupted party may send an incorrect share when picking reconstructed the t-sharing x star plus the n-sharing a star. Since it is an unautomated sharing, any party can send a wrong share without being caught. In other words, the redundancy of an unautomated sharing is not enough to find a cheater. Therefore, we need to go back to see how these unautomated sharing are generated. We use square bracket a star with subscript t and n to represent two shareings of the same value a star. One is a t-sharing and the other one is an n-sharing. We refer these two shareings as double shareings. In the beginning, each party generates and distributes double shareings of a random element si. Let n be a hyperinvertible matrix then the double shareings of a1, a2 to an can be computed by multiplying m and the double shareings generated by each party. Especially, the double shareings of a star can be computed by multiplying the a star's row of m and the vector of double shareings generated by each party. Recall that a t-sharing can always be reconstructed even if some t-share are incorrect. Therefore, t-sharing has enough redundancy. We only need to focus on n-sharing. Our goal is to be able to recover every share of an n-sharing si for every i. We observe that a t-sharing has enough redundancy and a t-sharing is determined by t plus one shares. By listing all shares as the matrix, each row is a valid n-sharing and each party holds shares in one column. When we partition this matrix into three parts, such that each part contains at most t plus one columns. To increase the redundancy, say for the red star matrix, we can expand each row to be a valid t-sharing. This new matrix can be seen as the robust version of the red star matrix and every share can be recovered no matter how crowded parties behave. Similarly, we may generate two other matrices as the robust versions of the yellow star matrix and the green star matrix. With these three matrices, every share of the original matrix can be recovered. Let the last matrix be all t-sharing s1, s2 to sn. For every i, we call these four t-sharing s i zero, s i one, s i two, and s i three are four consistent tuple of shareings. Formally, a tuple of shareings s zero, s one, s two, s three is four consistent with respect to a partition of all parties where the size of each site is at most t plus one. If it satisfies that the shares of s one held by parties in p one, the shares of s two held by parties in p two and the shares of s three held by parties in p three form a valid n-sharing of the value s zero. We note that four consistencies preserved under linear operations. Each party i generates and distributes three additional t-sharing s i one, s i two, and s i three such that together with the t-sharing s i, this four t-sharing is a four consistent tuple and the corresponding n-sharing is the n-sharing s i. In this way, each party uses a four consistent tuple to commit the shares of the n-sharing is generated. Since four consistencies preserved under linear operations, we can compute a four consistent tuple of a s star as the commitments of the n-sharing a s star. Finally, all parties locally compute three t-sharing s x s star plus a s star one, x s star plus a s star two, and x s star plus a s star three. Then they send their shares to p king. Note that these three t-sharing s can be seen as the robust version of the t-sharing x s star plus the n-sharing a s star. With these three t-sharing s, p king is able to recover every share of the t-sharing x s star plus the n-sharing a s star, and find the party who send the wrong share. As a summary, we first use n-out of n-seq shareings to evaluate, so securely evaluate multiple layers of multiplication gates. Then we need to check the correctness of reconstructions. In the case that some reconstruction is incorrect, we use full consistency to increase the redundancy of n-out of n-seq sharing. And finally, we can find the cheater also relying on full consistency. Thank you. Questions? Okay, we have no questions. Let's thank all speakers of the session.