Welcome everyone to my presentation. My name is Pratik. Today I will talk about our recent work on Two-Round Adaptively Secure MPC from Isogenies, LPN, or CDH. This is joint work with Navid from UC Berkeley and Visa Research, with Hart from Fujitsu Lab, and with Sikhar from ETH Zurich and Visa Research.

Today we will talk about secure computation. We consider the two-party setting. There are two parties who have their private inputs X and Y. They want to jointly compute a function F on their inputs. To do so, they run a protocol Pi on their inputs and output the protocol output. The protocol should satisfy two properties. Mainly, it should be correct: that is, the function output should be the same as the protocol output. And the protocol should be secure: that is, the protocol should not leak anything about the private inputs besides the output. The works of Yao, Goldreich, Micali, Wigderson, Beaver, Micali, Rogaway presented the first few protocols for secure computation. Since then, secure computation has found numerous applications in privacy-preserving machine learning, blockchains and many more.

In this work, we consider the primitive of Oblivious Transfer, or OT. It is a two-party protocol between a receiver and a sender. The receiver has an input choice bit B and the sender has two messages M0 and M1. By performing the OT protocol, the receiver obtains the message of his choice. OT security ensures that a corrupt receiver should not know the other message M(1-B) and a corrupt sender should not know the choice bit B. This simple primitive suffices for general secure computation; it is complete. We also know that round-optimal OT enables round-optimal secure computation. Hence, in this work, we focus on obtaining round-optimal OT protocols. OT also has other applications like private set intersection and zero-knowledge. And in this work, we want to achieve universal composability security based on Ran Canetti's model. So, we are going to focus on UC security.
So, let me briefly recall the security properties required from our OT protocols. Firstly, the corrupt receiver should not know M(1-B) and the corrupt sender should not know B. To get simulation-based security, we need a probabilistic polynomial-time simulator Sim such that it can extract a corrupt sender's and a corrupt receiver's input given the trapdoor of the setup string or some extra power. We model the security of the protocol by considering a PPT algorithm, the simulator. The simulator interacts with the real-world adversary algorithm to create an ideal-world adversarial view given access to the functionality. We say that security holds if the view of the adversary in the real world is indistinguishable from the view in the ideal world, where it interacts with the simulator Sim.

We also consider adaptive security, which is the strongest security model. In this setting, the adversary can adaptively corrupt any of the honest parties before, during or after protocol execution. The adversary obtains the internal state of the honest party upon corruption. In such a case, the simulated honest party view has to be opened consistently to the honest party's input when the party gets corrupted in the ideal world. That is non-trivial and really hard to achieve, and that is the focus of our paper. And we also consider malicious corruptions, where the corrupt party can arbitrarily deviate from the protocol.

So let me briefly discuss the current works on adaptively secure MPC protocols. It is known that constant-round adaptively secure MPC is impossible from black-box simulation, due to Garg and Sahai. So the works of Garg et al. and the recent work by Chakrabati et al. construct constant-round adaptively secure MPC protocols from non-black-box techniques. In the setup model, the works of Canetti et al. and subsequently Choi et al. and Garay et al. constructed linear-round protocols using the GMW paradigm. The work of Hazay et al.
showed that public-key encryption with oblivious ciphertext generation is the minimal assumption required for adaptively secure MPC. However, these protocols are not round-optimal. So the focus in this work is to obtain two-round MPC which is adaptively secure in the setup string model. In this setting, there are a few works which used IO, and finally there are only two works which construct two-round adaptively secure MPC from standard assumptions. The work by Benhamouda et al. constructed it from DDH, LWE and quadratic residuosity in the common reference string model. The recent work by Canetti et al. achieved the same result from DDH in the common random string model. But these are only three assumptions that we know how to build it from. So we asked the question whether we can construct it from more assumptions.

So we focus on constructing the MPC protocol from other assumptions. We demonstrate that a two-round OT with indistinguishability-based security and something called oblivious receiver message sampleability implies two-round adaptively secure MPC. We call this OT primitive RIOT. And this is a much weaker OT primitive compared to adaptively secure OT. And then we build RIOT from CDH, LPN and isogenies. So this yields the first two-round adaptively secure MPC protocol from CDH, LPN and isogenies in the malicious setting. And in the semi-honest setting, we construct the first two-round adaptively secure MPC protocol from LPN and isogenies. Benhamouda et al. constructed it from CDH in the semi-honest setting. And to be more specific, for isogenies we construct it from group actions, which can be instantiated using the CSIDH and the CSI-FiSh assumptions. As a side result, we also construct the first non-committing encryption from LPN in the setup string model.

So let me briefly go through the techniques. Let me briefly recall the security properties of indistinguishability-based OT.
Firstly, the corrupt receiver should not know M(1-B) and the corrupt sender should not know B. So this can be modeled as we can see here: suppose the receiver's choice bit is 0, then it should not distinguish between a sender's message when M1 is 0 from the case where M1 is 1. And for a corrupt sender, it should not be able to distinguish the case where the receiver's choice bit is 0 from the case where the receiver's choice bit is 1. So this is IOT, or indistinguishability-based OT.

Next, we will add sampleability properties for the sender and the receiver message. We will consider the OT protocol in the CRS model, where the setup string consists of the CRS and it is generated along with a trapdoor. The trapdoor will be used by the simulator, which we will see later. So firstly, let me describe the receiver sampleability property. We require that there exists a probabilistic polynomial-time algorithm OB1 which obliviously samples a receiver message PR. So now a simulator can honestly construct a receiver message using the OT1 algorithm, and the simulator can claim that this PR on the right-hand side is obliviously sampled. In order to do that, it needs to give randomness which is consistent with the oblivious generation of PR. So we require another algorithm, Inv1, which inverts the randomness of the simulator that was used to generate the actual OT message and gives out randomness which is consistent with the oblivious sampling of the receiver message. And the two distributions of the receiver message and the sampling randomness should be computationally indistinguishable; that is the receiver sampleability property.

Next we need the sender sampleability property. We require that there exists a probabilistic polynomial-time algorithm OB2 which allows obliviously sampling a sender message PS corresponding to bit 1 minus B.
The adversary provides M0 and M1 as input messages, and the algorithm is parameterized by the adversary's chosen branch 1 minus B. Now a simulator can honestly construct a sender message using the OT2 algorithm. The simulator can claim that it was obliviously sampled. And in order to do so, the simulator is required to provide the sampling randomness, which it obtains by using the Inv2 algorithm, which inverts the sender's honestly generated message randomness into sampling randomness. And the two distributions of the sender message, receiver message and the sampling randomness should be computationally indistinguishable by the sender sampleability property. So these are the two properties that we need, and we denote an indistinguishability-based OT with receiver sampleability as RIOT, and we denote an indistinguishability-based OT with both sender and receiver sampleability as RSIOT.

Now we will discuss our techniques in the CRS model. We start off with RIOT. We show that RIOT with a few other primitives implies RSIOT. These primitives are equivocal and obliviously sampleable garbling and an obliviously sampleable commitment scheme. These are all instantiable from one-way functions in the CRS model. Our work also shows that RSIOT suffices for trapdoor simulatable PKE in the CRS model. Next we construct semi-adaptive OT from RSIOT, an equivocal commitment scheme, obliviously sampleable garbling and trapdoor simulatable PKE. Combined with the result of CDMW, we also get non-committing encryption from trapdoor simulatable PKE, which can be obtained from RIOT. Finally we apply the result of BLPV to get an adaptively secure MPC protocol from RIOT. Finally we show that RIOT can be constructed from CDH, LPN and group actions in the CRS model.

So let me briefly go through the building blocks. We require garbling schemes. A garbling scheme consists of three algorithms. The garbling algorithm takes as input a circuit C and randomness R. It outputs a garbled circuit GC and the encoding table En.
The encoding algorithm takes as input the encoding information and input X, and it outputs the encoded input capital X. The evaluation algorithm takes the garbled circuit and the encoded input and it computes the output Y. Correctness of garbling ensures that Y is the same as C of X. Privacy of the garbling scheme ensures that the encoded input does not leak anything about the private input X. This is captured using a PPT simulator which outputs a garbled circuit and the encoded input given the output Y, without knowing what X is. An adversary cannot distinguish a simulated garbled circuit and a simulated encoded input from honestly generated ones.

We also require the equivocal garbling property, where the simulator generates the simulated garbled circuit and the encoded input. Then later on it gets the input X and it has to produce the encoding information and the garbling state. So given this information, an adversary cannot distinguish these from honestly generated ones. Such garbling schemes are instrumental for adaptive security, and they can be constructed from one-way functions as shown by Canetti et al.

Finally we need oblivious garbling schemes. Here an obliviously generated garbled circuit always outputs Y and can be sampled using an algorithm called the OGb algorithm with randomness R. And there exists a randomness inversion algorithm which outputs randomness R prime such that an honestly generated garbled circuit with randomness R can be shown to be obliviously garbled using randomness R prime. The difference from equivocal garbling is that the adversary does not get the entire encoding information, since the garbled circuit is supposed to be obliviously garbled, and there is no encoding information when the garbled circuit is obliviously garbled. And the work by Lindell et al. obtained oblivious garbling schemes from one-way functions.

Next I will talk about commitment schemes in the CRS model. There are three algorithms.
The setup algorithm generates the CRS and the trapdoor TD. The commitment algorithm generates the commitment C to message M using randomness R. The verify algorithm decommits the commitment to check it. The commitment should satisfy binding and hiding properties. Finally we also need the oblivious sampleability property, where an honestly generated commitment can be claimed to be generated obliviously by inverting the randomness. And we know that obliviously sampleable commitments can be obtained from one-way functions due to Naor et al.

Now I will go through our RSIOT construction from RIOT. We will try to construct our RSIOT using an obliviously sampleable garbling scheme, an obliviously sampleable commitment scheme and RIOT. The receiver commits to its choice bit B using randomness R to form a commitment C. It computes the RIOT receiver algorithm using the bits of R as choice bits. The sender garbles the circuit CIR. The circuit has hard-coded inside it the commitment C, a bit E and a message M. It takes in randomness R and outputs M if C is a commitment to bit E using randomness R. Now the sender will garble this circuit CIR with E, C and M_E as hard-coded inputs, and it runs this for both E equal to 0 and 1. This way the sender computes two garbled circuits GC0 and GC1, which encrypt M0 and M1 within them. The receiver should be able to evaluate GC_B correctly and obtain M_B if C is a correct commitment to B using randomness R. The sender also computes the OT sender message using the encoding information of the garbled circuits, so the receiver gets the wire labels corresponding to the bits of R. The sender sends the garbled circuits and the RIOT sender messages. Now the receiver decrypts the wire labels for GC_B corresponding to randomness R, and it evaluates GC_B to obtain M_B.
Indistinguishability-based security for the receiver follows from RIOT receiver security and hiding of the commitment scheme, and sender security follows from binding of the commitment scheme, RIOT sender security and privacy of the garbling scheme. Also we can see that this protocol satisfies receiver oblivious sampleability, because it follows from oblivious sampling of the commitment scheme and receiver oblivious sampleability of the RIOT messages. However, we cannot argue sender oblivious sampleability, since the sender is committed to the RIOT sender messages. Even if we use the oblivious garbling scheme instead of a regular garbling scheme here, the adversary can distinguish, since the encoding information is committed inside the RIOT sender messages. If we use an equivocal garbled circuit, then the output of the garbled circuit has to be set at the time of garbling; it cannot be changed when inverting the randomness, and hence the RIOT sender messages will again help in distinguishing an obliviously sampled sender message from an actual one.

So we have to modify the previous construction. In the new construction, our final construction, the receiver algorithm remains the same. The sender algorithm now consists of two levels of garbling. The sender garbles the circuit CIR. The circuit CIR has hard-coded inside it the commitment C and a bit E. It takes in randomness R and some message T as input, and outputs T if C is a commitment to bit E using randomness R.
So this is the outer garbled circuit. There is an inner garbled circuit GC' that is going to encrypt the sender's message M. It takes as input a commitment C', randomness S and a message M, and GC'_E outputs M if C' is a commitment to 0 using some randomness S. So this is the circuit CIR'. Now the sender computes a commitment to 0 using randomness S, and it computes the encoded input T_E for C'_E in GC'_E. The sender computes the outer encoding of T_E and sends it to the receiver. It also sends the inner encoding of S_E and M_E to the receiver. The sender also computes RIOT sender messages on the R_i bits of the receiver. The two inner garbled circuits and the two outer garbled circuits are also sent to the receiver.

Now the receiver decrypts the OT messages to obtain wire labels for R_i in GC_B. It has obtained the wire labels for T_B already from the sender's message. It evaluates GC_B, the outer garbled circuit corresponding to bit B, to obtain T_B, which is the inner encoding of C'_B. And it evaluates the inner GC'_B on T_B and the inner encodings of S_B and M_B to obtain capital M_B.

So we can again claim that receiver oblivious sampleability follows from oblivious sampling of the commitment scheme and also from the receiver sampleability of the RIOT protocol; this is similar to our previous construction. Sender oblivious sampleability follows from oblivious sampling of C', equivocal garbling and oblivious sampleability of the inner garbled circuit. So here we require the equivocal garbling property from the outer garbled circuit and oblivious sampleability from the inner garbled circuit. Suppose the receiver's choice bit is B, which can be obtained by distinguisher-dependent simulation. To obliviously sample the sender message corresponding to bit 1 minus B, the sender obliviously garbles the inner GC'_(1-B) and provides obliviously generated encoded inputs instead of correct inner encodings
for branch 1 minus B of the obliviously garbled inner garbled circuit 1 minus B. If we use the Lindell-Pinkas construction, then these are random values instead of obliviously generated encoded inputs. So now an adversary cannot distinguish between an honestly sampled sender message and an obliviously sampled one, since in both the real and ideal worlds the outer garbled circuit for the 1 minus B branch always outputs a bot or a junk value. This holds true even if the adversary obtains the outer garbling randomness, due to the equivocal property of the outer garbled circuit. So the simulator can claim that the branch was obliviously sampled, and this trick of two layers of garbling allows us to obtain RSIOT from RIOT. For more details I would suggest you check our paper.

So let me summarize what we discussed. In this talk we just saw the construction that is highlighted; for the rest of the protocols I would refer to the paper. In this work we constructed two-round adaptively malicious-secure MPC from RIOT and instantiated RIOT from CDH, LPN and isogenies. To end, two open questions: what is the minimal assumption for two-round malicious-secure RIOT, or more generally, what is the minimal assumption for a two-round adaptively malicious-secure MPC protocol? Thank you.