Today, I will talk about our new result on multi-party PSM. This is joint work with Léonard from ENS; he will give the in-person talk. I am Tianren. I was at UW until last month and will join Peking University next year.

So, what is PSM? It stands for Private Simultaneous Messages. There are k parties, and each has an input; say each input comes from a domain of size n. There is also a referee. The goal is to let the referee learn the output of a public function evaluated on all the inputs, after receiving a single message from each party. For correctness, the referee learns the function output. For security, the referee should learn nothing else, even if he is computationally unbounded. To make this possible, randomness is shared among the parties; of course, this randomness is hidden from the referee. For PSM, we care about communication complexity.

PSM is a very minimal model of secure computation. Things are extremely simplified, so it is a good place to understand fundamental questions such as the cost of secure computation. It is also closely connected to many important crypto primitives. For example, you are familiar with garbled circuits; if you think about it, a garbled circuit is essentially a PSM where each party has a one-bit input. In the literature on garbled circuits and randomized encodings, the function to compute is typically given as a circuit, a formula, or a branching program, and one studies how the communication depends on the computation size. In this talk, the central problem is instead the complexity of the worst-case function.

For the worst-case function, we know its computation size is about n^k; indeed, just writing down the function takes n^k bits. The question is: can its communication complexity be much smaller? In the very similar model of CDS, such cheap communication was recently achieved. So how about the communication of PSM? In the paper that introduced PSM, Feige, Kilian, and Naor achieve communication complexity O(n^{k-1}), which can be interpreted as the size of all but one party's input space. Recently, Beimel, Kushilevitz, and Nissim improved it to O(n^{k/2}), the square root of the total input space size. In the literature, we also have more efficient PSM protocols when the number of parties is small. How should we interpret these results? Is the case of a small number of parties special, or can those protocols be generalized to larger k as well?

Our result partially answers the question. We improve the communication complexity to O(n^{(k-1)/2}), the square root of all but one party's input space size. When k equals two or three, we match the previous upper bounds; in fact, we reproduce the BIKK and BKN constructions. For larger k, we improve the communication complexity by a factor of √n. Unfortunately, and interestingly, we only prove our construction works for infinitely many k, including all k no larger than 20, and we conjecture that it works for every k. To show this in a picture: previously, the state of the art for general k was BKN, and for small k we had some more efficient constructions; our PSM matches the previous works when k is small and improves the state of the art for larger k.

For two-party PSM, as we just mentioned, the state of the art is O(√n), by BIKK. The earlier FKN protocol achieves O(n) communication, which is worse but has a very nice feature: only one party needs to send O(n) bits, while the other party sends only a few bits. So compared to BIKK, FKN trades the communication of one party for that of the other. In this work, we show an almost smooth trade-off.
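Before going into that two-party trade-off in detail, let me collect the k-party bounds mentioned so far in one line. This is my own summary of the numbers above, for k parties each holding an input from a domain of size n:

$$
\underbrace{O\!\big(n^{k-1}\big)}_{\text{FKN}}
\;\longrightarrow\;
\underbrace{O\!\big(n^{k/2}\big)}_{\text{BKN}}
\;\longrightarrow\;
\underbrace{O\!\big(n^{(k-1)/2}\big)}_{\text{this work, for infinitely many } k,\ \text{including all } k \le 20}
$$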
One party sends n^η bits, while the other party sends n^{1-η} bits, so that the product of the two message lengths is at least n. We say the trade-off is only almost smooth because we prove it only for rational η whose denominator is at most 20. After seeing our results, you probably already have some questions to ask. Our work generates more questions than answers, and I will discuss some of them in the last slides. In the next slides, I will give a brief overview of our construction.

The first idea in the construction is that the function we want to compute can be rewritten as a multilinear form, f(x_1, ..., x_k) = ⟨F, x_1 ⊗ ... ⊗ x_k⟩. This is obvious once you are familiar with the notation. The bracket means inner product. Capital F is the truth table of f. Each input x_i is converted into a vector that is zero everywhere except for a one in the x_i-th coordinate. Finally, the tensor product: the tensor product of two vectors is a matrix, the tensor product of a matrix and a vector is a cube, and so on.

Once we have this notation, let's see how to construct a three-party PSM. Each input has been replaced by a vector. Every party sends a one-time pad of its input vector, where the masking vector is sampled from the shared randomness. What can the referee compute? The referee can compute the inner product ⟨F, (x_1+r_1) ⊗ (x_2+r_2) ⊗ (x_3+r_3)⟩. Let's expand it: it equals the sum of eight terms. The first is the target; it is what we want to compute. The remaining seven terms are what we call easy terms. Look at the first term in the last row, ⟨F, x_1 ⊗ r_2 ⊗ r_3⟩. Party P_1 knows x_1, knows r_2 and r_3 from the shared randomness, and F is public, so P_1 knows this term; similarly for every term in the last row. Then look at a term such as ⟨F, x_1 ⊗ x_2 ⊗ r_3⟩. The only thing P_1 doesn't know is x_2, so this term equals the inner product of something P_1 knows with x_2; similarly for the other two such terms. So the sum of these terms is a polynomial with O(n) monomials. As shown by Ishai and Kushilevitz, to compute a polynomial in the PSM model, the communication is no more than the number of monomials. That is, the sum of all the green terms can be computed with communication O(n), which explains why we call them easy. Once the referee learns the sum of the easy terms, he can compute the target by subtracting it from the inner product above. And it is easy to show that the referee learns no other information.

Now let's try five-party PSM. Again, every party sends a one-time pad of its input vector, and the referee computes the inner product ⟨F, (x_1+r_1) ⊗ ... ⊗ (x_5+r_5)⟩, which is the sum of 32 terms. Again, the first term is the target we want to compute. Now look at a term such as ⟨F, x_1 ⊗ x_2 ⊗ x_3 ⊗ r_4 ⊗ r_5⟩. P_1 knows everything about this term except x_2 and x_3, so it equals the inner product of something P_1 knows with x_2 ⊗ x_3. Similarly for all such terms; their sum is a polynomial with O(n^2) monomials. What about the other few terms? I have no idea how to compute them. I call them hard terms and just leave them as they are. So we are stuck here.

Where can we make some progress? The answer is in the first line. Sending a one-time pad of x_i only costs n bits, but our budget is n^2 bits, and as a general rule it is always better to use up the budget. Given the n^2 budget, what can we send? We can send a one-time pad of x_i ⊗ x_j. Why is this within the budget? Again by the work of Ishai and Kushilevitz: the communication is no more than the number of monomials, which is n^2 here. Given these new one-time pads, there are many more quantities the referee can compute, and each of them equals the target plus some hard terms plus some easy terms.
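To fix the picture, here is the general shape of these referee-computable quantities as I understand it. This is a hedged sketch in my own notation: B ranges over the blocks of a partition of {1, ..., 5} into parts of size at most two (reordering the coordinates of F as needed), x_B denotes the tensor product of the input vectors in block B, and r_B is the corresponding mask from the shared randomness.

$$
\Big\langle F,\ \bigotimes_{B} \big( x_B + r_B \big) \Big\rangle
\;=\;
\underbrace{\big\langle F,\ x_1 \otimes x_2 \otimes x_3 \otimes x_4 \otimes x_5 \big\rangle}_{\text{target}}
\;+\; \sum (\text{hard terms})
\;+\; \sum (\text{easy terms}).
$$

Expanding the left-hand side multilinearly, the term that picks x_B from every factor is exactly the target; every other term involves at least one mask and is either easy or hard in the sense above.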
Now the most natural thought: maybe the referee can combine these quantities in a clever way so that all the hard terms cancel out. This is indeed possible. A linear combination of these referee-computable quantities equals the target plus some easy terms. So this tells us how to construct a five-party PSM with O(n^2) communication. Note that in this combination the target is multiplied by two, so we have to use a finite field where two is not equal to zero.

For general k-party PSM, the ideas are the same. First, send a one-time pad of every tensor product of some of the input vectors, as long as the budget allows. Then there are many quantities that the referee can compute, and each of them equals the target plus some hard terms plus some easy terms. Then do linear algebra to cancel out the hard terms, which tells us how to construct a k-party PSM within the communication budget. When k is even, the budget is not an integer power of n, so some extra work is needed. We let the computer do the linear algebra for k up to 20, and we did the linear algebra ourselves for k equal to a prime power minus one. We conjecture that our method should work for any k.

As we mentioned, some extra work is needed when k is even. In the previous slides, each input was converted into a length-n vector. Now we need to convert it into two length-√n vectors, and we do it in the most natural way: split the input into two numbers and convert each of them into a length-√n vector. The tensor product of these two length-√n vectors equals the original length-n vector, and the rest of the construction is mostly the same.

Now we quickly go through the two-party PSM; the ideas are almost the same. Say we allow one party to send n^{b/k} bits and the other party to send n^{(k-b)/k} bits. First we divide each input into k pieces and turn each piece into a vector. Then the same observation applies: the inner product of the truth table with the tensor product of all these vectors equals the target we want to compute. What can we send within the budget now? The left party can send a one-time pad of the tensor product of at most b of its vectors, and similarly for the right party. Given these one-time pads, there are many quantities that the referee can compute, and each of them equals the target plus some hard terms plus some easy terms. Do the linear algebra: if the hard terms can be cancelled out, then such a two-party PSM exists. We let the computer do the linear algebra for k up to 20.

So far we have sketched our results for k-party PSM and for two-party PSM with unbalanced communication. The results generate more questions than answers. The most immediate question: do our frameworks work for every k? We conjecture yes; I would be very surprised if the answer is no.

The next question: I didn't write it down explicitly, but the constant in the communication complexity actually grows exponentially in k. Why? Because our construction is symmetric. For example, the referee receives many one-time pads. How many? Exponentially many in k, because we consider all symmetric one-time pads. Similarly, in the paper we consider symmetric sums of referee-computable quantities and symmetric sums of hard terms and easy terms. Considering only symmetric sums greatly simplifies the analysis, which is how we can go up to k = 20. But can this exponential dependence on k be removed? Maybe; as our five-party example shows, an asymmetric construction might work as well.

The next question: why does it work? Right now the answer is that the framework gives me a system of linear equations.
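To give a feel for what that system looks like, here is a hedged toy formulation; it is my own illustration of the idea, not the actual system from the paper. Index the referee-computable quantities by j, write the j-th one as the target plus hard terms plus easy terms, and let the unknowns be the coefficients c_j of the linear combination:

$$
\sum_j c_j \Big( \text{target} \;+\; \sum_{h} \beta_{j,h}\,(\text{hard term } h) \;+\; (\text{easy terms}) \Big),
\qquad
\text{want } \sum_j c_j\,\beta_{j,h} = 0 \ \text{ for every } h
\ \text{ and } \ \sum_j c_j \neq 0 .
$$

In the five-party example, the target picks up a factor of two, that is, ∑_j c_j = 2 in this toy notation, which is why we need a field where two is nonzero.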
I did some linear algebra and found that the system is solvable. But such an answer is very unsatisfying, and we are looking for a more intuitive one. Or a better question to ask: why doesn't it work in some cases? There is no clear reason why our framework should not yield an even more efficient PSM. For example, you might ask our two-party framework for a two-party PSM with communication complexity n^{10/21}, which is slightly smaller than √n. Given this budget, the framework finds over 600 referee-computable quantities and only a little over 100 hard terms, so it looks very promising: it should be easy to cancel out 100 hard terms using 600 referee-computable quantities. But it doesn't work. Once the hard terms are cancelled out, so is the target. So what is wrong here? What is the reason behind this?

Finally, we are not satisfied with this upper bound. This work is a not-fully-successful attempt toward sub-exponential communication complexity, and sub-exponential communication is probably the moonshot open problem in the PSM literature. That's all. Thank you for listening.