The first one is titled "Perfectly Secure Multiplication for any t < n/3". It is by Gilad Asharov, Yehuda Lindell and Tal Rabin. And Gilad will be giving the talk, and he has 19 minutes from now. Don't go.

Good morning, everyone, and thank you for coming. What is secure multi-party computation? Well, we have some set of parties, each has some private input, and we wish to compute some joint function of their inputs. The parties wish to preserve some security properties such as privacy and correctness. For example, we can look at secure voting. In this case, my private input is my vote. I don't want it to be revealed, and correctness means that the party with the maximum number of votes will actually win. And security must be preserved even in the face of adversarial behavior, where parties may collude, may try to gain some more information, may deviate from the protocol specification, and so on. One of the most important protocols in secure multi-party computation is the BGW protocol, which was given by Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson in 1988. This protocol is a protocol for general multi-party computation, meaning that it can compute any function, and it achieves almost everything we can ask for. It is perfectly secure, adaptively secure, and concurrently secure. This construction, the construction of the protocol, is very beautiful, very elegant, has a huge impact on our field. Although this protocol is very important, a full specification and full proof of the protocol were never given. In our paper, we remedied this situation. We provide a full specification of the BGW multiplication protocol. This also includes a new step that was not specified in the original construction. And we also provide a full proof of security. In addition, we came up with a new multiplication protocol, which is more efficient and simpler. And it also achieves constant round per multiplication as the original BGW protocol.
Some related work: there is a work of Cramer, Damgård and Maurer for perfect multiplication. There is some abstraction of the BGW, it works with any secret sharing, homomorphic secret sharing scheme. And it also achieves constant round per multiplication. There is also a line of works for efficiency of perfect multiplication that use a player elimination technique, and those protocols are very efficient, but the round complexity per multiplication depends on the number of parties and it's not constant like our protocol. So on one hand, those protocols are more efficient in terms of communication complexity; on the other hand, the round complexity of our protocol is better. So how does BGW work? Each party has its input, and it wishes to learn an output, and we look at the arithmetic circuit that implements the function that the parties wish to compute. At the input stage, each party distributes its input using secret sharing, meaning that it sends a share of its input to any other party. The parties compute the arithmetic circuit gate by gate while preserving the invariant that at each wire the value is hidden by secret sharing, meaning that no one knows this value, but we have this information existing in the system. The parties compute the circuit gate by gate, where at each gate the parties compute the shares of the output wire using the shares of the input wires. They do that by a specific multi-party computation protocol for this task. When the parties reach the output wire, each party holds a share of each one of the output wires, and they just send all the shares to the relevant party, which can reconstruct the value of the output wire and learn its output. Now what is left is to show how to do exactly the computation stage, how we can compute, from the shares of the input wires, shares of the output wires.
So if we have an addition gate, each party, by our invariant, holds shares of A and B, the values on these wires, and we want to compute shares of the output wire, in this case A plus B. So from the homomorphic properties of secret sharing, each party can just add its two shares, and this share is a valid share for the output wire. When we reach a multiplication gate, each party locally multiplies its two shares. Now we get a polynomial of degree 2T that hides the correct output, the correct value of the output wire, but this is a polynomial of degree 2T, it's not like our invariant, and so we need to run an interactive protocol to reduce the degree. So invariant requires that the value will be hidden with a degree 2T polynomial and we have here degree 2T polynomial. So how the multiplication protocol works: each party multiplies its two shares, this defines a degree 2T polynomial that hides A and B, each party sub-shares its share, it sends to any other party a value on a polynomial of degree T that hides its share. Each party does that, each party sub-shares its share, and using all those sub-shared shares, the parties can do some linear combination and get shares of a degree T polynomial that hides A and B. I don't get into details, but this is possible whenever at least 2T plus 1 shares were sub-shared correctly. When we move to the malicious case, we can have two problems. First of all, a party can sub-share its share with a polynomial with degree higher than T. However, we can solve that using verifiable secret sharing, which guarantees that when I distribute the shares, they all lie on a degree T polynomial. The second problem is that a party will actually sub-share an incorrect share; in that case the parties will do the linear combination and we get wrong shares, we'll get a degree T polynomial that doesn't hide A and B.
So all that we need to have is that the honest parties need to identify which shares were sub-shared correctly. Once we have 2T plus 1 shares that were distributed correctly, we can do the linear combination and get a degree T polynomial that hides A and B. So BGW presents two tools. The first tool is robust sub-sharing: each party sub-shares its input, and using all those sub-shares, the parties can do some computation and learn whether a party distributes a wrong share, and they can do that on a degree T polynomial when the original shares lie on a degree T polynomial. And once they identify incorrect shares, they can just ignore them. The second tool is the following: suppose that we have A_i and B_i that were sub-shared correctly, and we have a dealer that knows A_i and B_i; the parties can run a protocol such that the parties will get a sub-share of the product of A_i and B_i, and nothing else, okay? If it tries to do something else, the parties identify it and reject the shares. Now the multiplication works: we have an input wire that hides A, each party holds a share of A, the parties sub-share using the robust sub-sharing, the first tool, and they do the same for B. Then each party acts as a dealer and, using the second tool, it can distribute the product of its shares. Now we know that all of the shares are correct and we have at least 2T plus 1 correct shares of the products, and we can do the linear combination and come up with a degree T polynomial that hides AB. I'm now getting into the details of the second tool, how we can prove that. There are two shares that were distributed, and we have a dealer P_i that distributed secrets using two polynomials A_i and B_i, each party holds a sub-share of A_i and B_i, and the dealer wants to distribute the product of A_i and B_i; the parties want to verify that indeed the product was sub-shared.
So the dealer distributes T polynomials of degree T using VSS, D_1 to D_T, such that this polynomial, this equation, is of degree T. If you look closely, we see that this is a degree 2T polynomial. The protocol shows how we can choose D_1 to D_T such that the leading coefficients of this 2T-degree polynomial cancel and we stay only with a degree T polynomial. So the dealer distributes D_1 to D_T, each party computes its share of C_i, and what we have here is that the free coefficient of C_i is always A_i B_i, as we want it. However, by choosing D_1 to D_T inappropriately, we can end up with a polynomial of degree higher than T. This is because if it doesn't choose them according to the protocol, then the leading coefficients of A_i B_i are not canceled. So BGW write explicitly that the parties need to verify that C_i(x) is of degree T. However, they didn't mention how to do that and they didn't specify how to do that. So let's see verification of the degree. Suppose the dealer have shares of C_i and they want to check that this is a polynomial of degree T. P_i now, the dealer, distributes C_i' using VSS and claims that C_i' equals C_i. By distributing it with VSS, we have the guarantee that it distributed a polynomial with degree T. We know for the polynomial C_i that its free coefficient is correct. This is the polynomial that the parties compute. And for C_i', we know that it's degree T, but we don't know anything about its free coefficient. Now, if C_i' equals C_i, then we are done. We have a polynomial of degree T that hides AB. So each party checks that C_i' equals C_i. That is, it checks that the share that it received from the VSS equals the share that it has computed by itself. And if they are not equal, then it broadcasts a complaint.
Now recall that, even if the dealer is honest, still, we may have the situation where T corrupted parties complain about an honest dealer, and so we can have T complaints. So we reject the dealer only if the number of complaints is strictly greater than T. However, this solution doesn't work. The dealer can create D_1 to D_T not according to the protocol, and so C_i will be of degree higher than T. Then it chooses C_i' that agrees with T plus 1 points of honest parties and distributes this polynomial using the secret sharing. We have that T plus 1 honest parties do not complain. T corrupted parties do not complain. And T honest parties do complain. However, this polynomial is accepted, although its free coefficient is incorrect. So in order to solve that, we introduce another building block, which we call F_eval. In F_eval, we take a degree T polynomial. Each party has a share of a degree T polynomial. And the parties can evaluate this polynomial on a specific value, on a specific point, f(k). Using this building block, we can now verify whether a complaint is a false complaint or a true complaint. For each complaining party, the parties check if the complaint is fake or not. They just evaluate the polynomials, all the polynomials. And then they learn all the values, A_i(k), B_i(k), D_1 to D_T and C_i'(k). Using all those values, they can compute C_i(k) and can check whether C_i'(k) is equal to C_i. If they are equal, then the complaint is fake. There is no reason for complaining. But if they are not equal, then the complaint is a true complaint. Once we have one true complaint, we reject the shares of the dealer. I'm now moving to a new constant-round multiplication protocol, so if anyone lost me, you can come back. This is a truly new thing. In the verifiable secret sharing of BGW, the dealer distributes a bivariate polynomial of degree T instead of just a univariate polynomial of degree T.
Each party gets in the verifiable secret sharing two polynomials of degree T, F and G. And the actual share of each party is just the free coefficient of the polynomial F. The parties do some computation and verify that indeed all the shares lie on a degree T polynomial, and afterward, after the verification, they just forget everything they saw and continue the protocol when they know that all those shares lie on a degree T polynomial. However, if we look more closely, let's take a look at the share of P_1. This is a polynomial of degree T, its free coefficient is the share of P_1, and each one of the parties holds exactly one point on this polynomial. In other words, what we have here is exactly sub-sharing of the share of P_1. And so we have that for any party, and in fact we have sub-sharing completely for free. We have it in the VSS, we have sub-sharing of the shares of the parties, and BGW just throws it away while we can use it. So in our simple construction, we change the invariant: instead of the value of each wire being hidden by a degree T univariate polynomial, in our construction it's hidden by a bivariate polynomial of degree T. We get sub-sharing completely for free. There is no need for robust sub-sharing. There's no need for the first tool of BGW that I showed. F_eval and other tools are much more efficient and simpler. All the construction becomes simpler, and also the proof of security becomes much simpler. Maintaining the invariant requires some more, maintaining the invariant that the value is distributed by a bivariate polynomial instead of univariate. And this construction also reduces the communication complexity of BGW by a quadratic factor. It's because we have less communication complexity.
Currently, this is the best constant-round multiplication protocol. It's incomparable to the player elimination technique because they have a higher round complexity, but lower communication complexity. So this is incomparable. I'm running out of time, so just say thank you.

Yeah, he was running out of time, so no time for questions.
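
The semi-honest degree-reduction step described in the talk (local product, sub-sharing, public linear combination), as an added Python example that is not part of the talk or the paper. The field modulus, function names and sample values are assumptions, and the malicious-case machinery (VSS, robust sub-sharing, F_eval) is left out.

```python
import random

P = 2**31 - 1  # prime field modulus (assumed for this example)

def share(secret, t, n, rng):
    """Shamir-share `secret` with a random degree-t polynomial f; party i gets f(i)."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)]

def lagrange_at_zero(xs):
    """Coefficients l_i with f(0) = sum l_i * f(x_i) for any f of degree < len(xs)."""
    out = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        out.append(num * pow(den, -1, P) % P)
    return out

def reconstruct(points, shares):
    """Interpolate f(0) from shares held by the parties listed in `points`."""
    lam = lagrange_at_zero(points)
    return sum(l * s for l, s in zip(lam, shares)) % P

def multiply_gate(a_shares, b_shares, t, rng):
    n = len(a_shares)
    assert n >= 2 * t + 1, "need at least 2t+1 sub-shared product shares"
    # Step 1: local product; the h_i lie on a degree-2t polynomial h with h(0) = a*b.
    h = [x * y % P for x, y in zip(a_shares, b_shares)]
    # Step 2: party i sub-shares h_i with a fresh degree-t polynomial.
    sub = [share(h_i, t, n, rng) for h_i in h]  # sub[i][j]: sent by party i+1 to party j+1
    # Step 3: each party j applies the same public linear combination locally.
    lam = lagrange_at_zero(list(range(1, n + 1)))
    return [sum(lam[i] * sub[i][j] for i in range(n)) % P for j in range(n)]

def demo(a=1234, b=5678, t=1, n=4, seed=7):
    rng = random.Random(seed)  # reproducible demo only; real sharing needs a CSPRNG
    c_shares = multiply_gate(share(a, t, n, rng), share(b, t, n, rng), t, rng)
    return c_shares

if __name__ == "__main__":
    c = demo()
    print(reconstruct([1, 2], c[:2]))  # any t+1 shares open the product a*b
```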