 So I'm going to talk about efficient, concentrate on multi-party computation protocol that combines the BMR protocol and speech protocol. And I'm a Vishay and I, and this is joint work with Yehuda Lindel, Benny Pinkas, and Nigel Smart. So in multi-party computation protocol problem, we have a set of parties with private inputs. And the parties want to compute some joint function on their inputs while preserving some security properties like privacy and correctness. So security must be guaranteed even in the presence of an adversary that corrupts some of the parties. So in this work, we are focusing on malicious and static adversary, and we're working on the settings of dishonest majority. So in efficient, secure computation, we have two main approaches, two main approaches. One of them is the GMW approach and the second is, yeah. So in the GMW approach, basically the players have an interaction for every gate in the circuit. So usually the players push the heaviest part of the computation to the off-link phase, and which leads to a very fast and thin online phase. This also leads to a very low bandwidth utilization of the network. Protocol following this approach also have disadvantage in that the number of round communication rounds depends on how complex is the function that they want to compute. So the more the complex is the function, it means that they need more communication rounds to compute this function. In the YAH approach, the parties first computing the garbled circuit, which means that they need to compute heavy operation, heavy cryptographic primitives in order to compute the garbled circuit, and the computation of these cryptographic primitives is also existing in the on-link phase, which means they have heavy operations in the on-link phase. And since the garbled circuit has to be delivered somehow to all the players, they also utilize a significant bandwidth of the network. A big advantage of protocols that follow the YAH approach is that they use a small constant number of rounds of communication, which means that no matter how complex is the function that they want to compute, they will only make only constant number of communication rounds. So in the two-party case, we have a lot of protocols for both approaches. In the GMW, we have the tiny OT and speeds from 2012. And for the YAH approach, we have a lot of protocols under the fast cut and choose class of protocols. And basically, if we are working over a slow network like the internet, we clearly choose to work with protocols that follow the YAH approach. In the multi-party case, the situation is different. So in the GMW approach, we have the extension of the tiny OT and the speeds protocols. Those protocols make a large amount of rounds to compute the circuit. And we will use those protocols only when we are working on settings of fast network like a local area network. And what protocols do we have that follow the YAH approach in multi-party case? Basically, we have no such protocol. And in fact, we have the BMR protocol that is a multi-party version of the YAH protocol. This protocol is very efficient for the semi-honest case, but is extremely inefficient when working in the malicious case. Because the protocol for the malicious case require generic use of zero knowledge. And this is very inefficient. So let me compare the state-of-the-art protocol, tiny OT and speeds with BMR protocol for the multi-party case. So BMR has a constant round, has a constant round number of communication rounds while the other node. And what is it? Sorry. All the protocols has working in the dishonest majority. And only tiny OT and speeds have a concrete efficiency and fast online phase. So the problem is that we don't know of any protocol for the multi-party case that achieves both concrete efficiency. It is secure for the dishonest majority. It has a constant number of communication rounds and as a fast online phase. And while we have a lot of protocols for the two-party case, in the multi-party case is way behind and we are missing this class of protocols. So our goal in this work is to construct such protocol that achieve those properties. So in order to describe our protocol, it is worth to know the basics of the BMR protocol. So in this example, we have a gate G which is part of the circuit that the player want to compute. And it has two input wires, A and B, and an output wire C. So for this example, we have three parties, P1, P2 and P3. And the first step is to compute two random keys for every wire in the circuit. Those two random keys represent, one of them represent the signal zero and the other represent the signal one. The second thing that they do is to compute a PRG on their keys. So the compute the PRG on their keys and they also generate one bit for every wire in the circuit. So here we have three bits, lambda A, lambda B and lambda C for wire A, B and C. And the purpose of those bits is to hide the interpretation of the keys. So if some party hold one key for some wire, it's not necessarily knows what is the interpretation of the key, what signal is passing through that key. So all these masking bits remain secret during the execution of the protocol. So after they get all this data, they input it into another multi-party computation protocol. So in particular, in BMI paper, they used the GMW protocol. And the GMW produced the garbled gate, the garbled table for this gate. The garbled table is for entries A, B, C and D. So for example, if we look at the entry A, this is the result of an X or of three super keys. You can see the super key K A zero, K B zero and either K C zero or K C one. And each super key is a concatenation of the three keys for every wire of the circuit. And which one of the keys for wire C depends on the masking bits. Now, although GMW is not a constant round protocol, all this computation is done in a fixed and constant round of constant communication rounds because the amount of computation here is already constant. So this computation of one gate of a single gate requires a constant number of communication rounds. Now, because the computation of all the garbled gates are independent of each other, then the computation of all the circuit is done also in a constant number of communication rounds. So after they achieved the garbled gates for all the gates in the circuit, the parties move to the only phase in which they only need to exchange keys for the circuit input wires, for the circuit input wires. And once the parties have one key, one super key, which is a concatenation, once they have one super key for each circuit input wires, they can evaluate the circuit using the garbled gate that they computed in the off-lane phase. And this way, they obtain the output of the circuit. So the first thing we do in order to achieve an efficient protocol is to switch the invocation of GMW, since GMW is not an efficient protocol, so we switch it with one of the state-of-the-art protocol that we know, so we switch it with speed. So the parties input the keys, the PRG values and the masking bits into an invocation of speeds, and speeds produce this table for entries for every gate. Now, this is not enough because in the BMR construction for malicious case, the parties, the computation of this garbled gate includes, inside its circuit representation, it includes a representation of a circuit that computes the PRG. And this makes the circuit representation very large and makes the whole protocol very inefficient. So basically, we want to reduce the size of the circuit that garbled the gate. So a very important thing that we observed is that the circuit representation of the PRG inside the garbling circuit is unnecessary, we don't need it there. This way, the parties only compute the PRG locally on their own and just input the result to the speeds invocation for every gate. Sorry. And if a player cheated in one of the PGA, the PRG that it input to the speeds invocation, then the parties will detect it in the only phase because they will encounter a garbled circuit, a garbled gate, they will encounter an invalid garbled gate and then they will abort. And we already know that early abortion is unavoidable in the dishonest majority settings. So this way, we solve the problem of the size of the circuit that compute the garbled gate. The second problem is a potential of inconsistency of the masking bits. So for example, if we have a one gate, for example, with input wire C, this is the red wire, and so it means that the players provide their masking bit for wire C, for the computation of this garbled gate. Now, assume we have another gate, the first one was G tag and this is G. So the output wire of gate G is the same wire, is the same wire C that is input to gate G tag. Now, the parties also need to provide the masking bit for this invocation of speeds. So it means that the cheater has the potential of providing two different values for the masking bit for each invocation of speeds for every gate. So we want to remove this potential. So what we actually do is invoking one, we do only one invocation of speeds computation for the entire circuit. We garbled all the gates together. That means that the parties don't, this removes the potential of inconsistency because the parties input only one time the masking bit for every wire in the circuit. And because we can do all the gates together, in parallel, this remains the depth of the circuit of speeds, shallow. And in particular, we have 13 multiplication operation for AND gate and seven multiplication operation for XOR gate. And we further optimize this solution by using some special feature that speeds provide us. This special feature is that we can ask speeds to generate a lot of random bits and store them in its memory. So what we do is asking speeds to generate a lot of masking bits for us and store them in its memory. And when we want to compute the garbled gates, we ask speeds to use the random bits that it generated before. So this removes completely the potential of inconsistency because the parties now don't even need to input those masking bits. Another important optimization is regard to the representation of the keys in our protocol. So in PMR, they use the keys as a bit strings. So in our protocol, we use keys as finite field elements. And this is first used in the multi-party fair play implementation of Benayim and Hisan and Pinkas in 2008. And but they assume a semi-honest and honest majority settings, which is not the case in our protocol. So as I remember, the parties in the PMR circuit, garbled circuit construction needed to use a concatenation of the keys that they obtained, the random keys. So if one key is an element from a field of size two to the k, then a concatenation of n keys would result an element of a field of size two to the n k. So this may result a huge field size. For example, if we use a security parameter of 128 and we have eight participants in our protocol, this would result a field of size two to 1024, which is really huge. So in our protocol, we represent a concatenation of n keys as a vector of n elements from a field of size two to the k. That means that the field size is independent of the number of participants that participate in the protocol. This is a very good improvement. And also this allows us to make operation over the super keys much more efficient than they were before. So this is a protocol overview of the new protocol. We have two phases as before offline and online. And our offline phase contains two stages. In the first stage, the parties don't necessarily know the function that they are willing to compute. And they only run the offline phase of the speech protocol. And in the second stage of the offline, the parties do know the function, but not necessarily knows the inputs to the functionality. And they compute the online phase of speech in order to generate the garbled circuit of our function. And in the online, as before, the parties only have to exchange the keys for the circuit input wires. And then they can evaluate the circuit on their own without further interaction. And these are some estimated running time. When we use key size of 128 bits and the machine were over a local area network and the parties computed the AES encryption such that some of the parties hold part of the key and some of them hold part of the data that the AES is going to encrypt. So if we look on the four-party entry, we can see that the offline phase takes around 15 minutes, but the online phase is really, really fast. There is no such protocol today that achieved this time of 15 milliseconds for the online phase. So to conclude, we managed to construct a protocol with an offline phase that comparable to the most efficient protocol that we know today, like speech, and it achieved a very fast online. In particular, it has a constant number of communication rounds and allows the parties to locally evaluate the circuit without any further interaction. To conclude, this is the first concretely efficient constant round protocol for the multi-party case and the dishonest majority settings. And this is the first efficient protocol that follows the yaw approach that I've talked about before. And that's all. Thank you.