 This is a joint work with Abyshek Jane, Adriana Lopez-Hart, around Thromer, if you're not by Contanata, and then in Wix. And in secure multi-party computation, we have some set of parties, such as private input, and they wish to compute some joint function of their inputs without revealing any unnecessary information. FHE provides that fully homomorphic encryption and provides us a really nice and simple template for secure two-party computation. Charlie creates the keys, sends the public key to get the encryption of its input to Sally. Sally encrypts her input and then homomorphically evaluates the function on the ciphertext. On the encrypted input, get an evaluated ciphertext Y, send it back to Charlie who has the decryption key and can decrypt and learn the result. So that's it. That's the old protocol. It's really simple and nice protocol. In addition, this protocol has several advantages of regular and classical MPC protocols. First of all, it has really low round complexity. We have only two rounds. We have one message from Charlie to Sally and one message back. And that's it. In addition, it has really low communication complexity. All the information that it sends is the public key encryption of input and encryption of output. And that's it. In particular, it's independent of the function F on the complexity of the function that the parties compute. Third, it has really low computation. Charlie is lazy. He doesn't do anything. He just creates keys, decrypts, and that's it. And it's really, really simple template. It's really easy to understand why it's secure and what is going on. And our question is, how can we take all these advantages to the multi-party case? In the multi-party case, we have one party that creates the keys. One party should do the homomorphic evaluation. The party that does the homomorphic evaluation should have all the encryptions of all the inputs. One of the two parties could load the one that does the homomorphic evaluation. The one that holds the secret key. Once they both collude, they learn anything. They learn all the inputs of all the other parties. So how can we get all these advantages in the multi-party? So the idea is to use what we call a threshold fully homomorphic encryption. Here, the key generation is now a functionality or interactive protocol and no longer an algorithm. And the parties invoke this key generation functionality, who creates the keys, sends back the parties, the joint public key, together with a share of the secret key. So no one knows the secret keys, but we have the information in the system. Later, the parties can do the homomorphic input encryption. Each party can take the input and encrypt it under the joint public key, send it to all other parties. Later, the party can do, each party, given all the encryptions of inputs, can homomorphically evaluate the function on the ciphertext and get a joint ciphertext. The comments evaluate the ciphertext. Why? We can assume that a homomorphic evaluation is a terministic function. So all the parties get the same value. We can also delegate this step to a cloud. We can send it to a server, external server that does this homomorphic evaluation. And so the parties and the server send back the parties the evaluated ciphertext. Then, given the common ciphertext y and share of the secret key, the parties come to the decryption. Again, the decryption now is a functionality and not an algorithm. The parties send to the functionality the common ciphertext y together with the shares of the secret key. The functionality reconstruct the secret key and decrypt the value and send back the parties the message m. So for conclusion, the MPC protocol is simply threshold key generation, which is now a functionality that creates joint public key share of the secret key. The parties encrypt their input and homomorphically evaluate the function. And then we have, again, the threshold decryption, which is now a functionality. So given an implementation for fully homomorphic encryption and given this template that we just show, we can implement the threshold key generation and threshold decryption using generic multiparty computation techniques like BMW and stuff like that. So this approach already give us several advantages. First of all, we have low communication complexity. Communication complexity is independent of the function F. The homomorphic evaluation, as we have seen, can be easily delegated to a cloud. We can also get a low computation. With several disadvantages, first of all, we need to use the heavy machinery of the MPC technique, of the general MPC technique. We need to use GMW with all the zero knowledge at each step. And in addition, we can also have the round complexity can be very high, which is, since we use generic MPC, we can do it in a constant round, but the constants may be not a nice constant to work with. So what we show in the paper, we show how we can implement threshold key generation, threshold decryption. We show a concrete implementation for those two functionalities, for the recent scheme of Barkev scheme and Vinod, and Barkev de Gentry and Vinod. This already give us the advantages like we had before, low communication complexity and the ability to delegate the computation to external server. But in addition, our scheme is really simple. There is no need for the generic MPC technique. And most importantly, our protocol achieves a really extremely low round complexity. Our protocol is only three broadcast rounds. The question of round complexity and what is the minimal number of rounds that we can construct protocol is a theoretically interesting question. And we show the first three rounds protocol for any function. The protocol's general can compute any function. So we show the first three rounds protocol in the CRS model and the common reference string one. In addition, our protocol is only two rounds in the public infrastructure, which is optimal. Our results holds for the semi-honest. And the malicious as well, wherein the malicious we also we get use security for any number of corrupted parties. But we need to add the assumption of using ISC, the existence of non-interactive zero knowledge. And if you want to do this delegation to a cloud, we in addition need the cloud to prove that he has computed the correct function. So we need to assume CS proofs and non-interactive arguments. But we don't have to assume it if we can do it by each party evaluate the function by himself. Some words about related work. CDN were the first to show MPC with threshold homomorphic encryption. In those days, there was no FHG yet. Gentry, in 2009, among some other things, showed how to do MPC with using threshold FHG. Bending and Damgar showed how to do threshold version for LWE, which our scheme is also realizing the same assumption. We took ideas from that paper. Katzenostrovsky showed a lower bound of five rounds for MPC in the plain model, which means that the CRS is essential in order to get three rounds. And we have a concurrent world that show another threshold version of another FHG scheme. So I'm starting with the details. I'm starting with the LWE assumption, the learning refer assumptions. Here we have two distribution. And we assume that they are indistinguishable. The first distribution, each sample of the first distribution, is simply the uniform distribution. It's simply the uniform. The second distribution, we have some secret S that we choose uniformly at random. And for each sample, we choose AI to be the uniform. We took some small error and we compute VI to be the inner product of AI with S, with the secret S. And we add this noise, EI. So the LWE assumption says that those two distributions are indistinguishable. It's hard to distinguish. Recall, observe that without the error, it's really easy to distinguish. All we need to do is just gauss elimination. So the LWE, one can show that the LWE is also hard once we take Q, Q to be odd. And we choose the error to be small and even. So given this assumption, we can build a basic encryption scheme. The symmetric key, the secret key is simply S. In order to encrypt a bit mu, what we do is just take a uniformly random A and compute the inner product of A with S. Add some even noise. Add the message mu. In order to decrypt, what we take is we need to create. Our cybertext includes A and B. We know the secret key S. And so in order to decrypt, we need to compute the inner product of A with S. Once we remove that from B, we are left with some even noise plus mu. We take everything, too, and we get only mu. For the public key, we do the generic transformation. The secret key, again, is just S. The public key is just a bunch of encryptions of 0. And so once we have a bunch of encryptions of 0, it is like we take a matrix A, multiply with S, and take an even vector of noise. This is exactly what we have over here. In order to decrypt, what we do is just we take a random subset sum of the public key and we add our B to mu. So this is the encryption scheme. And the cybertext under the symmetric key and the cybertext under the public key looks exactly the same, meaning we have some coefficient A inner product of A with S plus even noise plus mu. So this basic scheme has really nice key homomorphic properties. If you take two public keys, the one is corresponds to secret key S1. The other is corresponds to secret key S2. But those two public keys were made under some joint coefficient under some joint parameter A, the same matrix A. Once we take those two public keys and we add them, we get a new public key, the joint public key, that corresponds to the summation of the secret keys. OK, so we create a new public key from existing public key. This is really close to what we have in El Gamal, that we can take public keys and combine them into a joint public key. So given this, we can show the threshold key generation for this basic scheme quite easily. Each part just creates its own secret key. And according to some joint parameter, random matrix A that we have in the sky, in the CRS, each party can create its own public key, send it. And so at the end of this run, all the parties can do locally the summation, the sum of all those public keys, and get the joint public key, which corresponds to the summation of the secret keys. In fact, this is exactly what we wanted. We wanted to create somehow a joint public key from the public key. And to have a secret key, to have the chief party, we'll have a share of the secret key. And since we have summation of secret keys, this is exactly an out-of-end secret sharing. So in addition to the key generation, we can also have threshold decryption quite easily. What we have, we have some joint ciphertext. A and B, all the parties knows this joint ciphertext, where B is encrypted under the joint secret key under S-star, which is the summation of the secret key. Recall that in order to decrypt, what we need to do is to compute the inner product of A with S-star. So we need to somehow create this inner product, and no one knows S-star, so how can we do that? So the idea is that, given this coefficient A, each party just compute the inner product of A with its own secret key, add some even noise, send it, and at the end of this operation, we get exactly the inner product of A with the summation of the secret key with the joint secret key. And each party can compute locally B minus V, which gives it some even noise, plus mu, take everything, minus two, and we are left with mu. We need to play a little bit with the noises, because this gives some information about the original noise that we have in the ciphertext, but we can do that, we can play with the noise and do exactly this protocol for decryption. So we show how we do threshold key generation, threshold decryption, each takes only one round for the basic scheme, but the basic scheme is not fully homomorphic. What we need is fully homomorphic encryption. So let's see the scheme, the basic scheme is additively homomorphic, but when we come to multiplication, it's a little bit more complicated. We can't just take two ciphertexts and multiply them and take and get a nice ciphertext. Like we want. So here we have a recent work by BV and BJV, that shows that once we have all the multiplications, once we have all the products of the secret key, all the pearls, S-I-S-Js, all those encryptions public, we can take two ciphertexts and do some magic that gives us the cipher, which hides the multiplication of the ciphertext. This is simplified, I'm cheating, but we can't do that. And what it means for us, it means that we need to generate all those encryptions in a threshold manner. We need that the parties needs to create all the products of the joint secret key. We call that the joint secret key is simply the summation of the secret keys. We need to create all the encryptions of the product S-I-I with S-I-J. Now, if we plug in just writing instead of S-I-I, we write the summation of the secret keys. What we should make is encryptions of all of that. Since the scheme, our scheme is additively homomorphic, we can move the sigma outside. And in fact, what we get is just encryptions of all the pairs S-K-I with S-L-J, meaning that it's enough to create the encryption, the I positions of parties K secret key with the J positions of party L secret key. Once we have all this information, we can come back to S-I with S-L-J. So I'm going to show how to do that in three rounds, although in the paper we do it in two rounds. So in the first round, we call that the parties create joint public key. This is what we had before with the matrix A. In the second round, what each party does, it just takes its secret key and encrypts each element, each positions of its own secret key. All the parties do that and send it and at the end of this round, all the parties knows all the single positions of the secret key, the encryptions of all the single positions of the single keys of all parties. In the third round, what we'd like to do is to take these elements for each one of those elements S-K-I, we want to multiply in S-L-J, we want to get all the S-K-I with S-L-J. So we do that for each one of the encryption that we had before, each party just multiply in all the positions of its own secret key. Essentially, you can do that because the scheme is additively homomorphic, which means that we can add ciphertext, which also means that we can multiply with a constant. Once we know the constant and we have the encryptions, which is just, it's like, multiply with a constant, it's like we add the same number of time, the encryption. And so we get all the parties do the same. And so at the end of this round, we have all the encryptions of S-K-I with S-L-J. And as we mentioned before, this is enough to create the encryption of S-I with S-L-J. So this is the basic, this is the scheme. I'm repeating the protocol just for conclusion what we have in round one. In the first round, the parties established the joint public key. In the second round, each party creates encryptions of single positions of its own secret key. At the round three, each party multiplies in all the S-L-J. And at the end of this round, the parties can compute S-I with S-L-J. In the paper, we show how we can combine the first round and the second round and get the key generation of two rounds total. So we get only two rounds key generation, one round for decryption. And so the overall MPC protocol, we have three short key generation of two rounds where in the first round, the parties creates the public key plus some information for the evaluation key. At the end of round two, they finish the creation of the evaluation key. Now I recall that the parties need to encrypt their inputs, but the public key is already ready after the first round. And so the parties can encrypt their inputs after the second round of key generation together concurrently with the second round of key generation. Okay, so after the second round, all the parties know the public key evaluation key and the encryption of the inputs of all other parties. Moreover, the threshold decryption takes one round and we are done. Only three rounds MPC protocol. Some words about the malicious, so we showed how to do that for the semi-honest. We assume that the parties follow the protocol. For the malicious, we can just take the generic transformation which means that we need coin tossing for the random tapes of all the parties. We want uniformly coins for all the random tapes plus take zero knowledge or non-interactive zero knowledge. This will give us the problem of this approach that increases the round complexity and the generic non-interactive zero knowledge is not efficient. What we do in the paper, we show that the coin tossing is not necessary, meaning that in some critical parts in the protocol, the parties, the honest parties can smudge out bad noise of the corrupted parties by adding some bigger noise. And so if you use bad randomness, it can only hurt you because it gives some information about your secrets. And so we save the coin tossing. In addition, we show efficient Sigma protocols for all the zero knowledge relations that we have in our protocol, which means that we can get non-interactive zero knowledge efficient, non-interactive zero knowledge in the random molecule model. So for conclusion, we show a threshold fully homomorphic encryption based on LWE. In the paper, we also have a variant for the wring LWE, which is more efficient. We get three rounds multi-party protocol. It's only two rounds in a PKI and it's also reusable, meaning that we can take the same PKI and compute again and again over different functions. Our protocol has really low communication complexity, low run complexity, easy to delegate, and that's it. Thank you very much. Questions? Please use the microphone. Thank you. So you may have been getting this sum in the last slide, but I want to understand a little bit better whether you can get a true threshold K out of N system out of this. Yeah, we can do that. We also show that in the paper. And how does that affect the efficiency? Efficiency? Yeah. It's, in terms of number of rounds, you can get five rounds in total because you need to record, just in order to get T out of N, each party just need to do T out of N for its own secret key and send it to the others. We also get fairness for honest majority. So it means that when parties come to the, someone has cheated and we want to, or abort and we want to reconstruct its secret. So we need additional round of disreconstruction. So we take five rounds in total. One for the key gen, one for the decryption. Thanks. Other questions? Okay, let's thank Gerard. I know all of us keep us in this session.