Hi, I'm Aarushi. I'm going to present this joint work with Abhishek Jain, Manoj Prabhakaran and Rajeev Raghunath on communication models and best achievable security in two-round MPC. Secure multi-party computation, or MPC, is an interactive protocol that allows a group of mutually distrusting parties to jointly compute a function on their private inputs. The security of MPC guarantees that an adversary who corrupts a subset of the parties should not learn anything beyond the output of the function. Most MPC protocols considered in the literature are designed over two kinds of communication channels, namely broadcast and point-to-point. A broadcast channel allows a sender to send the same message to multiple receivers, while point-to-point channels enable parties to exchange private messages amongst each other. These communication models play a fundamental role in deciding what kind of security can be achieved by an MPC protocol and under what assumptions. For instance, a broadcast channel is necessary for achieving security when the number of corrupt parties is greater than a one-third fraction of the total parties, while point-to-point channels are necessary for achieving information-theoretic security. In this work, our goal is to examine the role of these communication models in two-round MPC. Two rounds in the MPC setting are clearly minimal, since one-round MPC is known to be impossible. In recent years, a series of works have made significant advances in the two-round MPC setting. These works have managed to establish feasibility of general computation in two-round MPC relying essentially on minimal computational assumptions. In this work, we consider the honest majority setting, where the adversary is allowed to corrupt a minority of the parties. There are numerous advantages of working in this setting. For instance, the honest majority setting enables protocols with stronger security guarantees.
Secondly, unlike the dishonest majority setting, protocols in the honest majority setting can be designed based only on symmetric-key primitives, which in general are more efficient than public-key primitives. Moreover, it is possible to design protocols with fewer rounds in this setting. And finally, working in this setting is truly justified because it often holds up in practical applications where these protocols are expected to be deployed. As I mentioned earlier, in this work we consider the two-round honest majority setting and investigate, in different communication models involving broadcast and point-to-point channels, what levels of security are achievable and under what assumptions. We primarily focus on the plain model, that is, without any trusted setup assumptions, but sometimes we augment this plain model with an untrusted or bare public key infrastructure setup, where the parties are allowed to choose their own public keys and post them on a public bulletin board. Let me first quickly recall all the commonly used security notions in MPC. The simplest one, of course, is privacy against a semi-honest or honest-but-curious adversary. The case of malicious adversaries is slightly more complex, and a variety of security notions have been considered in this setting, the most common one being security with abort, where the adversary can prevent the honest parties from learning the output by prematurely aborting the protocol. Three variants of security with abort are often considered in the existing literature. The first one is security with selective abort, where the adversary may selectively force a subset of the honest parties to abort. The next one is security with unanimous abort, where the adversary may still prevent the honest parties from learning the output, but the honest parties all agree on whether or not to abort.
Finally, in security with identifiable abort, the honest parties not only agree on whether or not to abort, but in case they abort, they are also able to identify at least one corrupt party that caused the abort. Finally, the strongest notion is that of guaranteed output delivery, where the honest parties are guaranteed to learn the output no matter what, even if the adversary misbehaves. This notion can be considered against full-on malicious adversaries or against just fail-stop adversaries, who behave like semi-honest adversaries except that they may prematurely abort the protocol. Overall, we have the following hierarchy of security notions: starting with security against semi-honest adversaries, then we have security with selective abort, then security with unanimous abort, then identifiable abort, and finally the strongest one is guaranteed output delivery against malicious adversaries. And similarly, we can have another hierarchy starting with security against semi-honest adversaries, followed by guaranteed output delivery against fail-stop adversaries, and finally guaranteed output delivery against malicious adversaries. Let's now get an idea of what is already known in the two-round MPC setting. For semi-honest security, Garg et al. and Benhamouda et al. designed protocols in the broadcast-only setting. But since broadcast can very easily be emulated over point-to-point channels in the semi-honest setting, this result establishes feasibility in all the models. Gordon et al. showed that a fail-stop guaranteed output delivery protocol is impossible in the broadcast-only setting, while Ananth et al. established feasibility in all other communication models. For selective abort, Ananth et al. established feasibility in all communication models except the broadcast-only setting. Gennaro et al. and Patra et al. established impossibility of unanimous abort, identifiable abort, and malicious guaranteed output delivery in the following communication models.
And finally, Ananth et al. and Applebaum et al. established feasibility of unanimous abort in the broadcast plus P2P and broadcast plus PKI models. Given these results, the question about feasibility of two-round MPC in the following scenarios remains unresolved. In this work, we provide answers to all of these questions, thereby completing this picture. We show that security with abort is impossible in the broadcast-only setting. Moreover, identifiable abort is also impossible in the broadcast plus P2P setting. But on the positive side, we show that malicious guaranteed output delivery, and hence identifiable abort, are achievable in the broadcast plus PKI setting. Overall, these results collectively establish the following hierarchy between different communication channels. Since broadcast plus PKI is the only setting where the strongest security notion of malicious guaranteed output delivery is achievable, this is clearly the strongest communication model. Then we have broadcast plus P2P, which is necessary for both unanimous and identifiable abort. Then come point-to-point channels, which are required for selective abort. And finally, the weakest communication model is the broadcast-only setting. Let me now elaborate on some of our contributions. We first show that two-round honest-majority MPC over broadcast channels implies a two-message oblivious transfer protocol. In the semi-honest setting, two-round honest-majority MPC implies a semi-honest OT, while in the malicious setting, it implies a maliciously secure OT. Moreover, this implication holds both in the plain model and in the CRS model. Also, this implication justifies the use of OT in the semi-honest protocols designed by Garg et al. and Benhamouda et al. We further show that two-message maliciously secure OT is impossible in the plain model. These two results combined establish impossibility of security with abort in the broadcast-only setting in the honest-majority setting.
This also shows that the use of point-to-point channels in the work of Ananth et al. and Applebaum et al. was indeed necessary, and establishes equivalence between the honest-majority and dishonest-majority settings in this particular scenario. In the broadcast-plus-PKI setting, we design a two-round protocol using public key encryption and multi-CRS non-interactive zero-knowledge that achieves guaranteed output delivery. This protocol also establishes feasibility of identifiable abort in this communication model. Finally, we show that identifiable abort is impossible over broadcast and P2P channels in the plain model. Additionally, we also show that a fail-stop guaranteed output delivery protocol that is secure against the corruption of more than n/3 and fewer than n/2 parties also implies a two-message OT protocol. This justifies the use of OT in the protocol designed by Ananth et al. But for this talk, I'm only going to focus on these three results. Moving on to the main ideas that help us achieve these three results, the rest of this talk will be organized as follows. I will start by discussing our impossibility result in the broadcast-only model, then I will talk about the guaranteed output delivery protocol in the broadcast-plus-PKI model, and finally conclude with the impossibility of identifiable abort in the broadcast-plus-P2P model. Okay, so to quickly recall the oblivious transfer functionality: this is a two-party functionality where the sender provides two inputs, M0 and M1, and the receiver provides a single bit B as input. At the end of the protocol, the receiver receives MB as the output. For security, we want that the sender should not learn anything about the receiver's input, while the receiver should not learn anything about the sender's other input, the one that was not revealed as part of the output of the protocol.
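The two-message OT shape that the rest of the talk reduces to, as an added Python example that is not part of the talk or the paper: a semi-honest, two-message OT built from hashed ElGamal over a toy 63-bit safe-prime group. The group parameters are generated at import time and are far too small for real use; they are chosen only so the block runs stand-alone. The receiver's first message plays the role of the receiver's round-one message in the talk, and the sender's reply the single round-two message; the function names, the KDF choice and the group are my own assumptions, not the paper's construction.

```python
"""Two-message oblivious transfer, semi-honest, toy parameters (added example).

Message 1 (receiver -> sender): two public keys (pk0, pk1); the receiver knows
    the secret key only for pk_b, and pk_{1-b} is a random group element whose
    discrete log the honest receiver never learns.
Message 2 (sender -> receiver): hashed-ElGamal encryptions of m0 under pk0 and
    m1 under pk1.
Output: the receiver decrypts the b-th ciphertext and obtains m_b.
"""
import hashlib
import secrets

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n below 3.3e24."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(start: int) -> int:
    """Return the first safe prime p = 2q + 1 with prime q >= start."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# Toy parameters (assumption: ~63-bit group, insecure, illustration only).
P = _find_safe_prime(1 << 62)
Q = (P - 1) // 2            # order of the quadratic-residue subgroup
G = 4                       # 2^2, a generator of that prime-order subgroup


def _kdf(shared: int, n: int) -> bytes:
    """Derive an n-byte pad from a group element (P < 2^64, so 8 bytes suffice)."""
    return hashlib.shake_256(shared.to_bytes(8, "big")).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def receiver_round1(b: int):
    """Receiver's first message plus its private state (secret exponent k)."""
    k = secrets.randbelow(Q - 1) + 1
    pk_b = pow(G, k, P)
    # A random subgroup element with unknown discrete log: square a random x.
    x = secrets.randbelow(P - 3) + 2          # x in [2, P-2], so x^2 != 1
    pk_other = pow(x, 2, P)
    pks = (pk_b, pk_other) if b == 0 else (pk_other, pk_b)
    return pks, k


def sender_round2(msgs, pks):
    """Sender's reply: hashed-ElGamal ciphertext of m_i under pk_i for i in {0,1}."""
    m0, m1 = msgs
    if len(m0) != len(m1):
        raise ValueError("OT inputs must have equal length to hide which was chosen")
    cts = []
    for pk, m in zip(pks, msgs):
        r = secrets.randbelow(Q - 1) + 1
        cts.append((pow(G, r, P), _xor(m, _kdf(pow(pk, r, P), len(m)))))
    return tuple(cts)


def receiver_output(b: int, k: int, cts) -> bytes:
    """Receiver decrypts only the b-th ciphertext; it lacks the key for the other."""
    u, v = cts[b]
    return _xor(v, _kdf(pow(u, k, P), len(v)))


def run_ot(b: int, m0: bytes, m1: bytes) -> bytes:
    """Drive the full two-message exchange and return the receiver's output."""
    pks, k = receiver_round1(b)
    cts = sender_round2((m0, m1), pks)
    return receiver_output(b, k, cts)


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the talk).
    print(run_ot(1, b"left-input-32-bytes-long-padding", b"right-input-32-bytes-long-paddin"))
```

The receiver's view consists only of the two ciphertexts and its own randomness, so receiver security rests on the receiver not knowing the discrete log of pk_{1-b}; the sender's view consists only of two public keys that are identically distributed regardless of b, which is exactly the split the talk uses when it argues receiver security and sender security separately.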
We now show that two-round maliciously secure, honest majority MPC in the broadcast-only setting implies a two-message oblivious transfer protocol. Let's consider the simplest case of three parties, where one party is allowed to be corrupt. These arguments easily generalize to any number of parties. In the broadcast-only protocol, all parties broadcast a message in both rounds of the protocol. Let's assume that the function that these parties are computing is the following multi-party variant of OT, where Alice acts as the receiver, Bob acts as the sender, while Charlie does not have any input and simply acts as a helper party. At the end, only Alice gets an output. Since Alice is the only output party, it does not need to broadcast its second-round message; it can simply compute this message locally during the output computation phase. Let's now consider a modified protocol where Bob and Charlie operate as a single entity. Now, if Bob and Charlie are indeed a single entity, they can broadcast all their messages together in the second round. This gives us a two-message protocol for the OT functionality, where in the first round only Alice, who acts as the receiver, sends a message, and in the second round Bob and Charlie, who together act as the sender, send a message. Finally, Alice locally computes the output of the protocol in the output computation phase. But now we need to show that this protocol does indeed implement the OT functionality in a secure manner. Alice's view pretty much remains unaffected in this modified protocol vis-à-vis the original protocol. Security against a receiver therefore follows from the security of the original two-round MPC protocol. This means that if the original protocol was semi-honest secure, then we get security against a semi-honest receiver, and if the original protocol was maliciously secure, then we get security against a malicious receiver.
To argue security against the sender, we observe that Charlie did not have any input in the original protocol. If the adversary now only corrupts Bob in the original protocol, it can obtain the same view as in this transformed two-party protocol by internally simulating Charlie. Therefore, we get security against a semi-honest sender. Note that in this case, even if the original protocol was maliciously secure, we only get semi-honest security against the sender. Hence, we have successfully shown that a maliciously secure broadcast-only two-round MPC implies a two-message malicious-receiver OT. We additionally show in our paper that a two-message malicious-receiver OT is in fact impossible, thereby establishing impossibility of a maliciously secure broadcast-only two-round MPC. Unfortunately, due to time constraints, I won't be able to discuss the impossibility of two-round malicious-receiver OT in this talk. Let's now move on to the setting where the parties still operate over a broadcast channel, but in addition to that, they have access to a bare public key infrastructure setup. In this setting, we show existence of a guaranteed output delivery protocol. All existing maliciously secure guaranteed output delivery protocols in the broadcast plus PKI setting crucially rely on a trusted CRS setup, which means that the structure of these protocols looks like the following: there is a CRS setup and a bare PKI setup at the beginning, followed by two rounds of interaction over a broadcast channel. We observe that in these protocols, the CRS is only used for NIZK proofs. In the honest majority setting, however, these NIZK proofs can very easily be replaced by multi-CRS NIZKs. In multi-CRS NIZKs, the setup consists of multiple CRS strings, as opposed to a single CRS, and soundness holds as long as a majority of the CRSs were honestly generated. These CRSs, generated by the individual parties, can now be embedded inside the bare PKI setup.
In particular, the public keys of the new bare PKI setup will include these CRSs and the public keys of the original PKI setup. And since the adversary in multi-CRS NIZKs is allowed to choose its CRSs adaptively, after looking at the CRSs chosen by the honest parties, this is a valid bare PKI setup. As a result, this gives us a two-round guaranteed output delivery protocol in the broadcast plus PKI setting without relying on a CRS. While this protocol also implies a protocol with identifiable abort, note that in this protocol we rely on a special bare PKI setup. In our paper, we present a separate protocol for identifiable abort where the PKI can be instantiated using any generic public key encryption scheme. Designing a similar guaranteed output delivery protocol where the PKI can be instantiated using any public key encryption scheme is still an interesting open question. So let's now finally look at the impossibility result for identifiable abort in the broadcast plus P2P setting. Let's assume, for the sake of contradiction, that such a protocol exists in the broadcast plus P2P setting, and that every party both broadcasts a message and sends private messages to all parties in both rounds of the protocol. The function that we consider is this OT-like functionality where Alice has a single bit B as input, Bob provides two inputs M0 and M1, and Charlie does not provide any input, and at the end of the protocol only Charlie receives an output. Let us now consider a scenario where the adversary corrupts Alice. The adversarial strategy that Alice adopts is to behave honestly throughout the protocol, except that it does not send a private channel message to Charlie in the first round of the protocol. In this attack scenario, the honest parties should either be able to identify the bad party and output ⊥, or obtain a non-⊥ output. Let's consider each of these scenarios separately. If the parties output ⊥, they must also identify the corrupt party.
Now, while Charlie knows that Alice is corrupt, from Bob's point of view he has no reason to believe that Alice is corrupt. Bob in fact cannot distinguish between a scenario where Alice is indeed corrupt and does not send a private message to Charlie, and a different scenario where Charlie is corrupt and falsely accuses Alice of not sending him a message in the first round. Therefore, this case clearly cannot hold. How about if the parties obtain a non-⊥ output in this particular attack scenario? In this case, since the honest parties compute a non-⊥ output, the simulator must be able to extract some input from Alice. This could either be Alice's real input bit B or 1 - B. In case the simulator extracts Alice's real input B, we can argue that in an alternate scenario where Bob is corrupt and Alice is honest, Bob can run the same simulator algorithm to extract honest Alice's input. This is because the messages that are used by the simulator, which are encircled in green here, are all part of Bob's view. Since this would clearly violate Alice's privacy, this particular case cannot hold. Now, if the simulator extracts 1 - B, then we can show that in an alternate scenario where Alice is honest and Charlie is corrupt, Charlie can first participate in the protocol honestly to learn the correct output and then recompute its second-round messages while completely ignoring Alice's first-round private channel message. This allows a corrupt Charlie to obtain both M0 and M1, thereby violating Bob's privacy. As a result, this case cannot hold either. Overall, we have succeeded in demonstrating that in this particular attack scenario, where Alice does not send a private channel message to Charlie in the first round, the parties can neither compute a non-⊥ output nor identify a corrupt party. Therefore, no such identifiable abort protocol exists.
To conclude, we complete the feasibility landscape of two-round MPC in different communication models with varying security guarantees. As a result of this, we establish the following hierarchy of communication models. Our results also explain the use of specific communication channels and computational assumptions in existing two-round MPC protocols. Thank you.