 This is circuit memorization-friendly encodings and their application to statistically secure multi-party computation. The setting in this talk is that we want to support computation over arithmetic and Boolean circuits, so we want parties to be able to efficiently convert between the two. And we allow parties access to a pre-processing phase in which they can pre-compute some correlated randomness independent of their inputs, which they can then use in the online phase for more efficient computation. And the adversary that we consider is an active adversary which may deviate arbitrarily from the protocol. And we assume this adversary corrupts less than a third of the parties, t is going to be the corruption threshold, and n is the total number of parties. And we also allow the adversary to abort at any point in the protocol. This is security with abort. And there are standard techniques that there are standard techniques for getting guaranteed output delivery, but that's not going to be a focus of this work for the sake of simplicity and efficiency. So much of what we're going to talk about is going to be based on sheer secret sharing. So let's do a quick recap. To share a secret, we sample a random polynomial where the y intercept is going to be the secret value that we want to share. And each party is going to have a distinct xi that is associated with them, and their share is going to be the valuation of the polynomial at their xi. And to reconstruct the secret, parties announce their shares, and then with all of the points, they can do the grand interpolation to get the polynomial that goes through these points. Parties just need to check that the polynomial that they reconstruct is of the correct degree. And if you look at this equation, the only real thing that might cause issue is that they do have to be able to compute this inverse of between every xj and xi the difference. But since we're working over a field, that basic sheer secret sharing is over a field, this inverse is always going to exist. And so this all works out. If we have sheer secret sharing, we can actually, we can do a general on PC with it. And so we're going to use this notation to denote a sharing of value a with polynomial of this particular degree. And so some properties of sheer secret sharing is that if you add together shares, you get a share of the sum. And if you locally multiply shares, you get shares of the product. The thing to notice, though, about doing this local multiplication is that the degree of the resulting share is the sum of the original degrees of the things that were multiplied together. And so in order to reconstruct this resulting share, you need the degree plus one distinct points to interpolate it, which means that we would need 2d plus one parties to reconstruct. And so even if we have these very small, eventually, if we do enough multiplications, we run out of parties to to reconstruct. And so typically to get more general computation, you have to reduce this degree in some way. And because we allow a pre process, if we we can make use of the pre processing phase to create what we call double shares, which are degree t and degree two t sharing of a random value r. And for each pair of these double shares, we can reduce the degree as follows, which first parties locally compute this larger degree product. Then what they do is they can take this product, use the degree two t double share r to product to their product, and then we can publicly reconstruct the the difference between the two. And so they they only need to two t plus one parties to reconstruct the points to reconstruct this. And once they have this public this value z publicly known, they can use the other degree t sharing to to unmask it and get shares of this product. Cool. So that was Shamir for fields. But what if we want to do a Shamir over a ring? A ring might be something more natural to consider. But the the issue arises with this inverse that we have to compute. It's so computing, because remember, we have to compute the inverse of the difference between every single xi xj. And this doesn't work for an arbitrary number of parties. And what do we mean? Well, it turns out that a ring like z2k doesn't have any subset s x1 through xn, where when we take the difference between every single every single element in the set, that these differences are going to be infertible. It doesn't hold when n is greater than two. And as a side note, we're going to call a set where all of these, the difference of each pair is infertible. We're going to call this an exceptional set. And basically, if you have a larger enough exceptional set, then you can interpolate. And there's a quick proof for why this doesn't hold. But how would we overcome this if we do want to do Shamir over a ring? And similar to how you may use an extension field, in the field case, if your original field isn't large enough, we can do a similar idea for z2k. Specifically, we can do a degree d Gaoua extension of z2k, which is a Gaoua ring. So what are Gaoua rings? So Gaoua ring gRp to the kd is basically going to be the ring of polynomials with coefficients in zp to the k modulo, some irreducible polynomial h. And p is going to be prime and then k is greater than equal to one. And Gaoua rings have, there's some basic properties. Gaoua rings, one of them being if you set k equal to one, then gRp to the d is gfp to the d. Another property is that all zero divisors of this ring gRp to the kd constitute the ring's only maximal ideal. And the last property that we're going to mention is the one that enables us to do Shamir's secret sharing. It's that when you have a Gaoua ring, p to the kd has an exceptional set of size p to the d. And so we rarely have a large enough exceptional set, we can interpolate. And so this just turns into we can set d large enough to give us a large enough set. And this is the, this is sort of the basic idea behind a recent work of ACDEUI, which adapted the multi-party, multi-party protocol of Birlio van Herd, which is a Shamir's secret sharing-based protocol that uses the double-share, double-share is from before to do their degree reduction. The ACDEUI adopts the protocol of this paper to work over the work over rings like z2k using Gaoua rings. What they do is remember if you, since they're working over, they want to work over 2 to the k, you can set your ring to be gr2 to the kd. And so the exceptional set for this is going to be of size 2 to the d. And so they can set their, set this parameter d to be log n plus 1 and have a large enough set to interpolate. And z2k has a natural embedding in R. Basically, if you, if you want basically any, any element like an input in z2k, you just look at it as an element of R. And so all this you have Shamir's secret sharing works over this ring. And ACDEUI is able to, was able to perfectly translate this protocol to the ring setting to work over Gaoua rings. However, remember that this ring is an extension ring of z2k. And so you are working over a larger ring and working over this larger ring, you do have some overhead. And in particular, this overhead does mean that your communication complexity is going to be a factor d larger. Every time that you would normally send an element, when you're communicating an element instead of just sending a z2k element, you are sending a Gaoua ring element, which is going to be a factor d larger. And your computational complexity, when you're, when you're multiplying two ring elements, is going to be quadratic in d. So every time you want to multiply these two z2k elements, they're represented as ring elements. So now you have to multiply these two ring elements together. And I say essentially quadratic because in practice, it's going to basically be quadratic. You could, you could use things like fast Fourier transform to try to do a little better. But the range of parameters is not going to really, you're not going to see a big difference using that. So the main contribution of this work is that we give better encodings from z2k into Gaoua rings. So first, let's look at how the multiplication and ACDEY works. This is going to follow some like similar structure to the multiplication that we saw before, because it's just an adaptation of the yearly over your heart paper. And so first, when you, if you have some elements that you want to multiply, they're encoded into the ring, just using the natural inclusion. And, and from there, and so this iota is just going to be that is just going to be taking your z2k elements into our, this is the exact same protocol as protocols before. But now all of our all of these elements are mapped to our these Gaoua ring elements. And yeah, and so this is how they do multiplication. And you can think of this as basically, you know, this is the the sub protocol for evaluating the multiplication gate, specifically a single multiplication in single multiplication of z2k elements. But if you look at the operations that you have to perform, you are, you are working over this extension ring. And so you're doing, you're doing this, this Gaoua ring multiplication, and you're getting one z2k multiplication. And basically, you have this larger ring that you're working over. And it's sort of wasteful that you're not taking advantage of the fact that you're working over this larger ring. Because even though you want to do this small multiplication, you are paying this overhead for working in this larger ring. And so a question sort of is, can you, can you use the fact that you are working over this larger ring to do more than just a multiplication? Can you compute something more expressive? Can you replace the fact that you're computing a multiplication gate with maybe some sort of circuit? And that's something that we, and we do that in this paper. In particular, instead of having, we take this iota, and instead of mapping just a single z2k element into r, we now encode multiple into r. We, we can encode some parameter delta of them. And so let's talk about this. If we, basically what we want to do is we want to, we want to take this protocol from before, and we can, we can generalize it. So instead of just a multiplication gate, maybe it's just some subcircuit that we want to compute. And the subcircuit could be, you know, could be a simple multiplication, but we want to say it could be something else. And what we want are two encodings to replace our iota, which we're going to call an end encoding and out encoding. And we want that the encodings have this particular relationship. And I'll explain soon how this relationship ties in. But essentially, if we, if we have these encodings, and we plug them, and we replace iota and plug, plug these encodings into the protocol that we saw before, notice that if we have, if we have end encodings of an input x, possibly a vector, and end encodings of an input y, and encoded double shares, then we can compute an encoding of the circuit applied to these inputs. If this, if this relationship holds. And so, and so this turns this protocol from before that we were computing into for the same cost of what you would do before plus the cost of these encodings, then you can compute possibly a more general subcircuit. You can compute, you can compute some subcircuit c. And so the the task then just becomes coming up with these end encodings and out encodings. Coming up with how to encode these values and how to generate double, like encoded double shares of this form. And if you're able to do so, then following this outline, you can compute an encoding of the circuit applied to these inputs. And in this paper, we give three. So in this paper, we give three specific encodings that we come up with. These encodings are actually, I'm not going to go into the specifics of what they look like, but they're actually very, very simple to construct. So the three encodings are inner product, SIMD, and flex. And compared to ACD UI, so when, so for, consider, there's ACD UI, when it takes in two inputs, it can compute one multiplication, one output. And that's, and the two encodings, so two of the encodings that we give also take in two inputs. And they're able to compute the inner product and compute inner products of length, roughly D over two. And SIMD can compute roughly D to the 0.6 parallel circuits with one multiplication and one output each. And these are going to, and so this is assuming a single opening in R. When we say single opening, it's publicly revealing at Z. So it's essentially the protocol, just running one instance of that protocol from before. And for, and if you have M inputs, using the protocol of ACD UI, you can compute a depth one circuit with M multiplications and a single output. And we give an encoding, a flex encoding, which can do the same except it can now output D, it can now have D outputs instead. Cool. So, so we give explicit encodings, these three codeings. And we also give protocols for generating double shares in, for these particular encodings. We also give a way of converting between our different encodings. So there's, there's many, you know, so the, these dotted lines represent encodings that, sorry, represent conversions and protocols that we don't explicitly give, but we give an outline for how to do this. We also note that this framework, you can, you can create your own encodings to that fit into this as long as they, as long as they have the particular relationship from before. And as long as you can, as long as you have some way of encoding and some way of generating double shares, this plugs right in. So you can possibly compute, you can possibly do use this for other sub circuits. This work, we also switch between, give away a switching between encodings. So before we're talking about these ring elements, we give away a switch between an encoded value in a ring and encoded value in GF2D. Specifically, we do this using DAW bits, which are doubly authenticated bits. And here is some formalism, if you want it, but at a high level, parties are able to perform local operation on shares within the ring to, if you have shares of random bits in this ring, you can perform local operation to get shares of the same bit in GF2D. And having, having shares of these bits in both representation allows the parties to, parties are able to switch between in a particular coding in R and the same encoding in GF2D. And protocols, we, we do give protocols for generating these random bits in the paper. Another contribution of this work is that we do give away of improved double share production. So the, the basic way of producing double shares is to apply a hyperverbal matrix to a vector of double shared values S. And then to check that the resulting vector of outputs are, to check that these are also valid double shares. And so typically, the way that the, the check in these prior works is done is that so many of these out, these are double shares are opened up and checked to be consistent with each other. And so you had to do this for every time you want to, for every time you generate this vector of, vector of Rs, you have to open up so many of them. And so you, each time you produce T, T double shares. And in this work, we, a contribution of the paper is that rather than having to do individual checks every time you generate these Rs, we give a batch check that can be applied over, that can be used to check many, that can be checked, that can be used to check over many of these. So instead of having to check this R each time you, instead of having to check each time you produce this vector R, we give a check that can be done over many batches. And so you can produce all of these factors R. And at the end, we basically do a random, we do a random linear combination to check that the Rs were produced properly. And so the check is going to be independent of the number of actual shares generated. And so it basically amortizes. And so each time you apply a type of our matrix, you're able to generate two T encodings, and then at the very end, throw away some constant number of them. And the challenges of such a, of this batch check is that we are working over encodings. And so our hypervario matrix needs to preserve these encodings. And because we're doing random linear combination, we need to be careful of zero divisors. We implemented these, some of the protocols in our paper, specifically the double share generation check. And here are some of the running times. There's a small overhead in generating double shares in this encoded double shares. But it's very clear that this batch check does yield a noticeable improvement. And so when you, so looking at the total runtime, you do start to, you do start to see that we do have a overall better, overall better running time for generating these double shares. And so the recap of our contributions is that we give encodings for gaolring elements, sorry, encodings for, for these gaolring to the KD by exploiting the degree of this ring to encode these subcircuits of Z2K. And if you set K equals one, remember we mentioned this as a property of gaolring, then we can get F to the D and encode circuits over F2. Our encodings, if you think of this as, this is a framework for constructing other encodings and translating between them. We also give batch checks for encoded double shares, which give faster preprocessing for these style protocols that use these hyperverbal matrices. And a small thing to note though is that our batch check does only have a statistical security. And we also give ways of producing random bits in GR, which can be used to create doubly authenticated bits from in this ring and this field.