 Yes, so thank you for the introduction. Holy shit. So, thank you for the introduction. So this is about the communication legs, your threshold private center section is with Satgadjit Ghosh from OHS University. And this kind of, this way, yeah. So this paper basically deals with the private center section problem where we have two parties, Alice and Bob. And each of those holes are set. So in this case, Alice holds like the numbers one, three, four, eight, nine, and Bob holds some other numbers. And they would like to determine which numbers they, like which elements they have in common without revealing anything about the elements that they don't have in common. So in this case, both parties should learn one, four, and eight, but Bob should not learn that Alice has three or nine or anything else about the set, okay? So this is the general PSI problem and there were a lot of papers that kind of present more efficient construction for this and like asymptotically efficient construction, practically efficient constructions in the two-party setting, multi-party setting, like passive security, active security. And this problem was very popular because there are like plenty of applications. So to just like recall some public applications that I made up are, so for instance, like if you have a fingerprint and you, a fingerprint reader, like you have a database of fingerprints and you have a fingerprint reader and it reads a fingerprint from the reader, like you would like to check whether the two fingerprints have a large intersection, okay? Another application is that like maybe you have two lovebirds and they have like some dating preferences and they would only like, they would like to know whether the intersection of their dating preferences is very large or small, okay? Or potentially even know the intersection of that. And a different application is if you have, for instance, a right sharing service and you have two people who want to go from like two different starting points to two different end points, maybe would like to share a cab, but they would only like to share a cab if they have a large intersection, okay? So kind of the point that I'm trying to highlight with these applications is that quite often we only care about the intersection if the intersection is very large. And sometimes we don't even care to compute the intersection itself, we only care to compute the bit that tells us is the intersection large or is the intersection small, okay? And kind of a natural question is if we kind of restrict the problem a little bit and say, okay, we only want to have a PSI protocol for large intersections, can we kind of maybe get more efficient protocols than the ones that we have for general PSI? So for general PSI, we know that we have to communicate something like if we do some two-PC to compute the intersection, we have to do some communication effort that is linear in the set size, okay? So the question is if the intersection is large, does this still hold? And what we show in this paper is that this is basically not true, so we can kind of design threshold PSI protocols, which have a communication complexity that is potentially smaller than the set size itself. So for PSI, we know that, as I just said, that we have to communicate something that is linear in the total set sizes. And what we show for threshold PSI is that if we, let's say, have an upper bound on how different the sets can be, then using FHE, we can compute the private set intersection where the communication complexity is linear in the upper bound on the set difference, on the symmetric set difference. If we have additively homomorphic encryption, then we can do something that is squared in the upper bound on the symmetric set difference of the set. And if we do generic two-PC, then we can do something that is cubed in this upper bound on the set difference, okay? Okay, so just to clarify what is the functionality that we would like to implement, like for what exactly are we trying to do? So we have these two parties and they both have sets of size n and then there's some ideal functionality and what they do is they send their sets to this ideal functionality. The ideal functionality checks whether their sets have a large intersection. So like just to kind of point out like saying they have a large intersection or saying they have a small set differences are kind of equivalent statements. So we want to check whether they differ by not more than two T elements. And if this is the case, they should learn the intersection. And if this is not the case, then they should not learn anything apart from the fact that their sets are not similar enough. Okay, so this is what we're trying to realize in a communication efficient way. And before we go kind of to the construction, we just do a bunch of simple observations. So the first observation is imagine LSF has some set and in the set some of those elements will end up being an intersection and some of those elements will end up being not in the intersection, okay? Now if the intersection is very large, so the number of green elements is very large, then rather than sending, rather than having a protocol that outputs all the green elements, it is enough to compute a protocol that outputs all the elements that are not in the intersection, okay? So if LS knows her full set and she knows which elements of those are not in the intersection, then she can just remove them and this way she learns the intersection, okay? And if the set difference is very small, then this quantity is way smaller than the intersection itself. So this is kind of the important observation here. So, and then we kind of need some observations about polynomials. So imagine I have a polynomial in variable x and it has roots a, b and c, okay? And now imagine I have a different polynomial which has roots b, roots b, c and e. Now if I were to divide those two polynomials, then the common roots will cancel out and what I will end up having is some rational function where the numerator and denominator contain the roots that are exclusive to p and exclusive to q. And if they have many roots in common, then the rational function will be a low-degree rational function, okay? Yeah, so these are the roots only in p, these are the roots only in q. And if the rational function has a very low degree, then we don't need too many points to interpolate it, okay? So even if p and q originally had very high degree, if the rational function in the end has low degree, we don't need a lot of points to interpolate it, okay? And the next thing is that if we would like to evaluate this rational function, it is also sufficient that we first separately evaluate p and q and then we divide the evaluation points to obtain evaluations of this low-degree rational function, okay? Okay, so given these observations, we can do like a protocol blueprint of what we can do. So imagine we have Alice and she has set elements a, b and c and we have Bob who has set elements b, c and e. And in the middle we have a magic box that just does some generic two p, c for us, okay? So what both now can do is Alice encodes her set into a polynomial p. So she will encode the set elements into the roots of the polynomial p. And Bob will encode his set elements into the roots of the polynomial q. And then both of those will evaluate their polynomials independently at a bunch of evaluation points or here like u, v and w. And they will put this into some generic secure computation. And what the generic secure computation will do is it will divide those points. So it will divide, it will take p of u and q of u divided and p of v and q of v and so on. Divide those point-wise and then try to interpolate the rational function, okay? And now if the sets have a large intersection then we can do this with a small amount of number of points. So we will interpolate some candidate rational function p star q star divided by q star. And then we will roughly speaking like have an additional evaluation point which will just check that this interpolation was correct. So we'll just do all of this inside of the secure computation how exactly we do this is for the moment like not relevant, okay? This is just the kind of the blueprint. And if we, exactly. So if we kind of computed this rational function and the check passed then we simply return p star of x to Ls or the roots of p star of x and the roots of q star of x to Bob. And from that they can learn the set intersection, okay? So this is the kind of high level idea. And now if you want to implement, if you want to realize this magic box somehow what we can do is we can throw generic, generic tools at it. So for instance, if we use FHE then we can do something that has communication complexity of t because the number of points that the rational function has to. So if we upper bound the degree of this by t and the degree of this by t then a rational function requires an amount of evaluation points that is linear in t to interpolate it, okay? So we can kind of throw all of this inside of FHE then we get a protocol that has communication complexity of t where I'm hiding polylock factors. And if we use generic 2PC like some garbled circuits or something then we would need to perform an interpolation here. So we need to do some Gaussian eliminations who would end up with a protocol which would have roughly communication complexity cubed in the number of points that both parties input, okay? So what we now end up having is kind of we have solution which kind of uses very simple tools like generic 2PC but it has a large communication complexity. On the other hand, if we use FHE then we have very good communication complexity but like we're using kind of a strong primitive. So a natural question is can we kind of do something in between? Like use a slightly weaker tool and get like some communication complexity that's in between those two. And what we basically do is we give a construction that is based on additively homomorphic encryption and the high level idea of the construction is that we take our threshold PSI problem and we split it into two sub problems, okay? So by the way I didn't mention it so all of this is like in the passively secure setting, okay? So we assume the parties honestly follow the protocol we just care about privacy. So what we will do is we'll split the full threshold PSI problem into two sub problems. So one problem will be we will design a so-called private intersection cardinality test protocol and the other one will be a PSI protocol which is specifically for sets where we know that they have a large intersection, okay? So the private intersection cardinality test it will just check do the sets have a large intersection yes or no, okay? And if this check will pass then we will run this PSI for large intersections where correctness and security only holds if the input sets do indeed have a large intersection, okay? So this is specifically tailored to this kind of problem that we tried to solve it. It's not a general PSI protocol. Cool. So let's assume for the moment that somehow we can check that two sets have a large intersection. Let's see how we can compute this intersection. So what we now just saw is that if we divide those two polynomials then the common roots will cancel out and we end up with those things that we would like to determine. And from the perspective of the person that has the polynomial like that who has the set that corresponds to the polynomial Q we would like to reveal the denominator but we would like to hide the numerator. And now we kind of run into kind of two technical challenges. So on the one hand we would like to somehow take this rational function and we would like to randomize it in some way such that the numerator will look random but the denominator will still reveal the information it would like to reveal. But the randomization process needs to satisfy two things. So first of all, after randomizing this rational function, we don't want the degree to blow up too much because otherwise we will end up needing a lot of evaluation points to compute this thing here. And the other problem that we have is our randomization procedure has to kind of hide the numerator but it should still ensure that the common roots cancel out in some way. So these are on a very high level the technical challenges that make this problem kind of tricky. And if we have something like this so if we have some way of randomizing the numerator but not randomizing the denominator then we can kind of just use secure computation to compute evaluation points of this modified rational function but then perform the whole interpolation which is kind of the computation heavy part of this computation in plane. So we kind of pull out the thing that costs a lot in terms of computation we pull it out of the secure computation part. And we only use secure computation to compute evaluation points of some rational function. Okay, so without any reason why this is how we do it. So imagine that R and S are some random polynomial which I'll explain in a bit more detail in a second but there are just some random polynomial. And now imagine that we compute this polynomial. So we have this is one of the sets this is the other set this is also the other set and we multiply each of those sets by random polynomial and add them together. So if we kind of write this out and I'm sorry for this slide. So what happens is that these and these will share some roots in common so these ones we can pull out together. So these ones we pull in the front and what we end up having is that the roots that are only in P will be here times this polynomial. The things that are only here only in Q will be times the polynomial S. This will cancel out. So what we will get is basically this rational function. Okay, and now the kind of the key observation is that if we have an upper bound. So as I said, like we assume that the intersection is large for the moment. So we know that this and this the kind of the degree of like whatever is left from P whatever is left from Q is upper bounded by some value by let's say T. So now if this is at most T and R and S are also polynomials of degree T then this whole thing looks let's say uniformly random. And because this is of degree T this is of a degree at most T this is of degree at most T and this is just a sum. We know that the numerator ends up being a polynomial of degree at most two T. So what we now manage to do is we kind of manage to hide the numerator. The denominator is still revealed to the things that are on the roots that are only in the polynomial Q and this whole thing still can be interpolated with a number of evaluation points that is linear in T. Okay, so we can basically if we can somehow compute evaluation points of this rational function then we can do the interpolation in plain so we don't need to do any two PC there. So again like the protocol luprin should be reasonably intuitive now so we have again those sets we encode them into the roots of the polynomials. We again have a magic box and now what the magic box does is it will just compute evaluation points of this polynomial where R and S are some random polynomial that are neither known to Alice nor known to Bob. Okay, so basically both will input will basically input some evaluation points of their own polynomials and the secure computation will return evaluations of Z to Alice and to Bob, sorry, to Bob. So it will return it to the person who has to learn Q. Okay, so in this case, this is wrong. It should go this way. And then Bob can interpolate this polynomial in plain and extract the roots from the denominator. And this we can basically, as I said before because the polynomial has some degree like the rational function has a degree of two T at most. We can do this with, so the number of evaluation points of Z that we have to do is also something on the order of T. Okay, so the whole computation takes on the order of T communication complexity up to polynomial factors. So the one thing that I said in the beginning is that for this to work, we assume that the sets do already have a large intersection. So now we kind of still need a protocol that just checks, gives us one bit of information that says, are the sets, do the sets have a large intersection or not? So what we do for this is we use the following. Yeah, so Bob asks this. So one thing that we know is that if we have a polynomial of a low degree, then we can interpolate it from few evaluation points. One thing that is less well known is that if you have a polynomial that is sparse, so sparse T here means like the number of how many monomials you have, if the number of monomials is small, then you can also interpolate the polynomial from few evaluation points. And this is basically the property that we'll use for our check. So the basic idea is that now rather than encoding the set elements into the roots of the polynomials, we will encode it into the roots of the polynomial, we will rather encode it into the monomials. Okay, so now the set A, B, C is encoded into X to the A, X to the B, X to the C. And now the simple observation is that if we subtract those two polynomials, then all the common monomials will cancel out and we will end up with a polynomial that is very sparse. Okay, and now I'm kind of like, don't have the time to explain how, but basically you can do a check whether a polynomial has, like you can check whether the polynomial has a certain sparsity or not with like a protocol that has a squared communication complexity, okay? So if we now combine this with our PSI protocol, then in total we get a protocol which has a squared communication complexity and only relies on additively homomorphic encryption. So yeah, so this work kind of like starts to look at whether you can do like threshold PSI with small communication complexity and like it gives some first answers, but there are like a lot of interesting questions open. So the first one is can we obviously like get rid of the T squared thing and get a protocol from simpler assumptions that is just like has communication complexity O of T. And the other question is can we do any of those in a way that is practically remotely useful because none of ours is. And kind of what we show in our paper is that if you manage to come up with a protocol that just checks whether two sets are similar or not, which has an optimal communication complexity, then using our PSI protocol, we get a full threshold PSI protocol which has an up to pulley lock factors, optimal communication complexity. Cool, I'm done. We have time for questions. If you have any questions come to the mic. So you have a protocol that only works for large intersection. Does it, does only correctness break if the intersection is too small or does privacy also break? So that's a tricky question because we're trying to do a follow. So in this case probably it that's a very complicated question that we try to answer for six months. Like the question of whether like, so what you end up having is that if, what you end up having is that these guys here will have a larger degree. These will have a degree of let's say T. And in general, this rational function like does not sufficiently hide those polynomials. But since you're only getting a certain number of evaluation points, it might still do it, which is something we have no idea how to prove. It's surprisingly tricky. So like, yeah, that's. Yeah, thanks for the talk on, I have a somewhat technical question. So on this slide, you have the numerator being randomized, but the denominator is deterministic, right? So what prevents the attack of just doing a GCD between the numerator and denominator and then you can remove that second term. Then you can get the first term. Sorry, what? So you do a GCD, like a Euclidean algorithm between the numerator and denominator if you are the Bob second party. But so, I mean, you're adding this polynomial and this polynomial, so you will not get this. I mean, you want to find out these two or like? Yeah, like the common divisor of the. Yeah, yeah, but I mean, this will not work here, right? Like, I mean, this will be, this is multiplied by R, this is by S, and then they're added together so the GCD will not reveal anything. This will look uniformly random to you. Yeah, thanks. Let's thank the speaker again.