 Hello and welcome to my talk on a geometric approach to homomorphic secret sharing. My name is Russell Lai. This is a joint work with Yuval Ishai and Julio Malavota. What is homomorphic secret sharing? A homomorphic secret sharing scheme, or HSS scheme, can be used to build two-round MPC protocols or multi-party computation protocols with a special network topology. In this talk we will consider the arithmetic circuit model, that means our MPC protocols will be computing polynomials F of some bounded degree, D, represented by arithmetic circuits. In more detail, an NMT HSS scheme involves N input clients, M servers, and one output client. Among the M servers, T of them can be corrupt. The goal of an HSS scheme, as opposed to general-purpose MPC protocols, is to minimize the communication complexity. That is, we aim to achieve a communication complexity that is much, much smaller than the description size of F. A two-round MPC protocol built from HSS involves the following phases. First there is the setup phase, which happens in the public key model only, in which the output client generates a public key-secret key pair. Then in the actual protocol, in round one, the input client i would secret share its input xi as Sij, for j ranging from 1 to M, for each server. It then sends the share Sij to server j. The input client could also generate some recovery information, Rij, and send them to the output client. Then in round two, each server j would evaluate the function F on its shares, and send the resulting output share, Yj, to the output client. Finally, the output client can recover the computation result, Y equals F of x1 up to xn, using the output shares Yj sent from the servers, and also optionally the recovery information Rij sent by the input clients. For security, we assume that the clients are always honest, and at most, t servers can be corrupt. Even so, any t servers should learn nothing about each input xi. In the special case where there are no public and secret keys, and we actually achieve information theoretic security, then we call the HSS scheme an IT HSS. For efficiency, we are mostly interested in the sizes of the input and output shares. Typically, an input share Sij is of constant size. On the other hand, an output share could either be of constant size, in which case we call the HSS scheme compact, or it is of size linear in the number of inputs n, in which case we call the HSS scheme balanced. Intuitively, a balanced HSS scheme would support polynomials of higher degrees. Either way, regardless of whether the HSS scheme is compact or balanced, the total communication is linear in m times n. In this sense, a compact HSS scheme is wasteful as far as asymptotic communication complexity goes. Given the background of HSS, in this work we present three results. First, we present a generic compiler, which can compile a certain class of IT HSS schemes whose recover algorithm can be expressed as a degree L polynomial in the recovery information, into PKHSS schemes using KHE, which stands for homomorphic encryption supporting degree K polynomials. Note that the HSS schemes before and after the compilation both support the same degree D, which is strictly less than L plus 1 times m over t. However, the IT HSS scheme that we start with could have much larger output share, for example of size n to the power L, compared to that of the resulting PKHSS scheme, which is only of size n to the power L minus K. As our second result, we extract a family of IT HSS schemes, which were implicit in the private information retrieval literature. These extracted IT HSS schemes are going to be compatible with our generic compiler presented in result 1. Finally, for our third result, we define the notion of pre-processing HSS and show how they are useful in building pre-processing MPC protocols. Our starting point is the work of myself, a laVota and Schroeder back in AsiaCrypt 18, which we refer to as LMS 18. The work of LMS 18 built public key HSS schemes for degree D polynomials from KHE, where D is strictly smaller than K plus 1 times m. A significant drawback of this scheme, however, is that it is only efficient when the number of servers m is logarithmic in the security parameter. In order to improve this old result, we revisited it from a new perspective. Specifically, if we view their HSS scheme as the result of compiling an IT HSS scheme with a homomorphic encryption scheme, then we can see that the underlying HSS scheme is actually the so-called CNF secret sharing scheme. If you don't know what the CNF secret sharing scheme is, what you need to know for this talk is that it collapses to the additive secret sharing scheme when the number of parties is 2, which is the setting that we are going to use in the following example. Speaking of which, we will set the number of servers m to be 2, the degree D to be 3, and consider the function x1 times x2 times x3. In the additive secret sharing scheme, the input client would secret share xi as the sum between si1 and si2, where si1 will be sent to server 1, highlighted in red, and si2 will be sent to server 2, highlighted in green. The input client would also set the recovery information, ri1 and ri2, to be nothing but si2 and si1. This looks stupid right now because given such recovery information, the output client could have just computed x1 times x2 times x3 itself. However, the reason for setting the recovery information in this way will become clear later. Now let us expand the product x1 times x2 times x3 in terms of the sij's. We see that the product can be expressed as a sum of 8 terms, as shown on the screen right now. The components of these terms that are computable by server 1 are highlighted in red, while the components computable by server 2 are highlighted in green. With this coloring, it is easy to see that this product of x1 times x2 times x3 is nothing but a linear function in the recovery information with coefficients given by the output shares y1 and y2. Therefore, a natural strategy to get rid of the recovery information is to encrypt them with a linearly homomorphic encryption scheme, or 1HE, and delegate the work to the servers. This result in a compact public key HSS scheme for degree 3 polynomials. Generalizing this idea, we obtain a generic compiler. That is, if we are given an IT HSS scheme whose recover algorithm can be expressed as a degree L polynomial of the recovery information with coefficients given by the output shares y1 up to ym, then we can perform the following to turn this IT HSS scheme into a public key HSS scheme. First we let the input clients encrypt the recovery information using a homomorphic encryption scheme supporting degree K polynomials to each server. Next, the server would compute the IT HSS output shares as before, but also greedily and homomorphically evaluate the polynomials representing the recovery algorithm up to degree K components. They then finally send up to n to the power L minus K many ciphertexts of these components to the output client. Finally, the output client could recover the computation result y by first decrypting the ciphertext sent by the server and then finishing the remaining L minus K degrees of the recovery algorithm. In conclusion, we obtain a public key HSS scheme supporting polynomials of the same degree, but with no more recovery information and with much smaller output share size of n to the power L minus K. Let's now move to the second result that is to extract an IT HSS scheme from the PIR literature. Specifically, we are going to extract the scheme which we called WY1 which was implicit in the private information retrieval scheme of Woodruff and Yakanin. We then generalize the WY1 scheme to the WYL scheme for all natural numbers L as well as L equals 0. Note that when L equals 0, we recover the Shamir secret sharing scheme. The best way to explain the WYL scheme is to just show you the algorithms. Notice the share algorithm. As in the Shamir secret sharing scheme, the input client samples a degree T polynomial phi i such that phi i evaluated at 0 is xi. Then the jth share is just phi of i evaluated at j. For L greater than 0, however, the input client is also going to compute all the derivatives of phi i up to order L and evaluate them at j for all j. These derivatives will then be used as recovery information. For the evaluation algorithm, as in Shamir secret sharing, the server would first evaluate F on the share sij. However, for L greater than 0, the server is also going to compute all the partial derivatives of F up to the lth order and evaluate all of them at sij as well. All of these evaluation results will be included in the output share. Finally, in the recovery algorithm, the output client would first recover all the derivatives of F composite phi up to the lth order evaluated at j for all j. The output client then recovers the computation result Y, which is nothing but F composite phi evaluated at 0 by interpolating the data points presented on the screen right now using emit interpolation, which is the generalization of the Lagrange interpolation. For sanity check, we note that the output client has L plus 1 times m data points. On the other hand, we know that the polynomial F has degree strictly less than L plus 1 times m over t, and the polynomial phi has degree t. Therefore, the degree of F composite phi is strictly less than L plus 1 times m, and therefore the interpolation works. More importantly, one can check that the recovery algorithm is indeed a degree L polynomial in the recovery information. Therefore, this scheme is compatible with the compiler presented in result 1. For the third and last result, we show how preprocessing HSS schemes can be used to construct preprocessing MPC schemes. But for that, I need to first define the notion of P preprocessing HSS. We say that an HSS scheme has P preprocessing if P of the M shares are totally random, which means that they are independent of the inputs x1 up to xn. In fact, they can even be generated before knowing the inputs x1 to xn. Therefore, the work of P servers can be pre-computed. For example, the Shamir secret sharing scheme, or WY0, has T preprocessing. In general, the scheme WIL has T over L plus 1 preprocessing. Since T over L plus 1 is not necessarily an integer, we are better off as far as the level of preprocessing goes when L plus 1 divides T. Next, let me recall the notion of preprocessing MPC. A preprocessing MPC protocol consists of two phases, an offline phase and an online phase. The offline phase is dependent on the function f to be computed, but not on the inputs x1 up to xn. This phase can be performed by a trusted party or by another MPC protocol. Although this phase is potentially expensive, it can be done overnight since it is not dependent on the inputs. The online phase is run when the inputs x1 to xn become available. The goal of a preprocessing MPC protocol is to minimize the communication complexity of the online phase, such that it is much smaller than the description size of f. With this background, we have the following result. Given an N input, M plus P server and T secure HSS scheme with P preprocessing for degree D polynomials, we can construct a T secure M party preprocessing MPC for the same kind of polynomials. If the HSS scheme is instantiated with the result of compiling the WYL scheme with the degree K homomorphic encryption scheme, then the resulting preprocessing MPC protocol has communication complexity linear in M times N to the power L minus K. The idea behind this result is quite straightforward. That is to push the computation of the P servers to the preprocessing phase. In more detail, in the offline phase of the preprocessing MPC protocol, we would generate the P shares, which are independent of the online inputs, and run the evaluation algorithm for the P servers. We then secret share everything to the participants of the MPC protocol. Then in the online phase, when the participants receive their online inputs X1 up to XN, they would generate the remaining M shares using a general-purpose MPC protocol. The Jave party would get the J plus P share and run the HSS evaluation algorithm to evaluate the function F on its shares locally. Finally, the participants can recover the output using yet another general-purpose MPC protocol. Although we are using general-purpose MPC protocols in our construction, we note that we are using these general-purpose MPC protocols to perform computations which are independent of the description size of F, and therefore the resulting preprocessing MPC protocol would still have communication complexity independent of the description size of F. Finally, I would like to show you some interesting numbers. First, here is a table comparing the supported degree of different schemes, assuming a communication complexity linear in M times N. We highlighted our main HSS scheme, which is the scheme obtained by compiling the WYK plus 1 scheme with a degree K homomorphic encryption scheme, supports a degree higher than that of LMS-18 by an additive factor of M over T. Furthermore, if we allow preprocessing, then an extra 1 degree can be supported. For concrete parameters, we are mostly interested in linearly homomorphic encryption scheme, or 1HE, because they are available from a lot of assumptions. Also, we will set L equals K plus 1, which is 2, so that the resulting HSS scheme is balanced. Finally, for preprocessing MPC, interesting examples can be obtained by setting T equals 3, which is equal, and hence is a multiple of L plus 1. To conclude in this work, we have presented three results. First, we have constructed a generic compiler based on homomorphic encryption, compiling IT HSS schemes to public key HSS schemes for polynomials. Second, we have extracted IT HSS schemes from existing PIRD teacher. And finally, we show how preprocessing HSS can be used to construct preprocessing MPC. An E-print version of this work can be found in the link ia.cr-2021-260.