 Okay, and the next speaker of the session is Ariel No, who's going to talk about security party computation with something a preprocessing joint work with let's Boil, Nifgilboa, and Iwali Shai. So thank you for the introduction, right? So in this work, we consider, oh, wait a minute, no, it's not working. Okay, okay, good. So in this work, we consider the standard setting of multi-party computation, where we have N parties wish to jointly compute an arithmetic circuit, which is defined over a field or a ring with addition and multiplication gates, and the security model that we consider is malicious security and dishonest majority. Now we know that in the dishonest majority setting, a very popular model is the preprocessing model where the computation is divided into two phases, an offline phase and an online phase. In the offline or the preprocessing phase, the parties generate correlated randomness, which is later consumed by them in the online execution where they compute the desired functionality. Another way to look at this model is to view the execution as an execution with a trusted dealer that gives the parties correlated randomness, and then later design a secure protocol to securely distribute the dealer. The advantage of working in this model is that we can move all the expensive public key crypto machinery, which is unavoidable in this setting to the offline and obtain an online execution which is very fast, cheap, and basically information theoretic. So the two main metrics that are typically considered for this model, maybe the three main metrics, and we will also look at these metrics are the communication cost of the online and offline separately, and the size of the correlated randomness which the parties need to store for the online execution. So the most popular example for working in this model is to use Biver triples, and here the dealer gives the parties shares of random multiplication triples, which are used by them to multiply shared inputs with very low communication as can be seen in this table. What's important from this table is that the communication cost per multiplication gate, per party is constant, and therefore the overall communication grows linearly with the size of the circuit. So this, so for some security, what we need is plain Biver triples to achieve malicious security. So the leading approach in the last decade or so is the speed approach where the dealer gives the parties shares of authenticated Biver triples, which means that each triple is now multiplied with a random global authenticator, which is kept secret, and this is what allows the parties to detect cheating. The advantage of this approach is that the online communication cost remain the same as the cost with semi-owner security. However, clearly the correlated randomness, the amount of correlated randomness grows by a factor of two for large fields and by a factor that depends on the statistical security parameter for small fields or rings because the authenticated triples must be generated over a larger field. And offline cost is the expensive part of the protocol and is the main bottleneck and there is a long line of walks aiming to improve the efficiency of the offline phase, but still the cost of the offline is orders of magnitude higher than the cost of the online. I should mention that there are also other approaches which give different trade-offs between the online and offline. So how can we solve this bottleneck, the bottleneck of the offline cost? So that's the new direction in MPC, which kind of set a dream goal for MPCs to have a silent pre-processing using PCGs, which stands for pseudo-random correlation generators. So the idea here is that the dealer will give each party a short correlated seed and then each party can locally expand its seed to receive shares of authenticated triples. If we would have had such an amazing tool, then this means that the online cost remains the same as before, but now we can compress the correlated randomness to be sublinear in the size of the circuit because each party needs to store only the correlated seed and also the offline communication cost will be sublinear because now the parties need to interact only to generate these short seeds. So this would be amazing. However, currently we have only concretely efficient PCGs for unauthenticated triples, which means that for some online security, we can use this tool. But for malicious security, where we need authenticated triples, we have currently only solutions, concretely efficient PCGs, only for two-party computation over large fields. So in this work, we use a different approach that achieves the desired efficiency, namely that we achieve both sublinear correlated randomness and sublinear communication cost for the offline, but in a different way. So in our approach, the parties first run the semi-honest computation where they consume only unauthenticated triples. And then they run a short lightweight verification step which requires some extra amount of correlated randomness. However, this amount of correlated randomness is sublinear in the size of the circuit. So this means that the dealer, for example, can give the parties seeds for generating unauthenticated triples. And as we saw, we know how to do it in an efficient way. And for the second part, the dealer needs to give some more sublinear amount of correlated randomness. So now when we want to distribute the dealer, this means that the parties need some sublinear protocol for generating unauthenticated triples, which we know how to do. And for the second part, because the correlated randomness is of sublinear size, this means that we can use standard MPC tools to generate the extra amount of correlated randomness. So our result, if we summarize it, is a protocol in the process of modeling to compute any arithmetic circuit with sublinear offline communication costs, sublinear correlated randomness, an online phase, which is non-cryptographic, and the security of the protocol is based on any sublinear communication protocol for generating unauthenticated multiplication triples. And for the second part, what we need is only additive or morphic encryption schemes. So this is our result. Yeah, so how do we compare the previous work? So we already talked about the SPIS approach. So in the second column, this is a work from last year with the same set of authors, the BGI N21 paper, where we showed how to compress the correlated randomness to be logarithmic in the size of the circuit, but the offline communication was still linear in the size of the circuit. Here in this work, we increased slightly the amount of correlated randomness to be a square root, but this allowed us also to compress the offline communication cost to be a square root of the side of the circuit. Okay, so how does our verification protocol works? So the main building block that we use in our protocol is zero-knowledge, fully linear proof systems due to Bonetal from Crypto-19. And the idea is that, so we have a prover who wish to prove some statement over an input X. So the idea here is that the prover will output some proof pi. And then there will be some public randomness that will be chosen. And based on this public randomness, the verifier will make some queries on the input and the proof. And then Ben, based on the answer, he will need to decide whether to accept or reject. And now this proof systems are called fully linear because the verifier is only allowed to make linear queries to the proof and the input. Which means that there is some query vector and you can only compute an inner product between this vector and the proof and the input. And based on the answer to decide whether to accept or reject. And we can define complete soundness and zero-knowledge for this proof system in the standard way. So from this somewhat somehow abstract tool, we can derive a very practical primitive which is called distributed zero-knowledge proofs. And here we realize this idea of making only linear queries by having multiple verifiers. So each verifier now will hold a piece of the input X or in our context, the input X will be secret shared across the verifiers. And now what we will tell the prover is to also secret share the proof between the verifiers. And then each verifier will locally will query its shares of the proof and the input. And if X and Pi are secret shared using a linear secret sharing scheme, this means that the parties will also obtain a secret sharing of the answers to the queries. So they can simply exchange their answers and reconstruct exchange their shares and reconstruct the answers to the queries. So this is how we realize this idea of making only linear queries. And what Bonnet showed is that if X, the input X is robustly shared across the parties, meaning that the shares held by the honest parties are enough for reconstructing the secret and the statement to be proven is a degree to polynomial over the input X, then there exists a distributed zero-knowledge proof protocol with sublinear communication in the size of the input. And with soundness that holds even if there is a collusion between the prover and the set of the verifiers. And this tool is very useful to achieve malicious security in MPC because to achieve malicious security, what we need is a way to verify that multiplications were computed correctly. And it's easy to see that the statement that we want to prove is basically a degree to polynomial over inputs that are shared across the parties because the parties hold shares of all the inputs and outputs of multiplication gates. And indeed this tool was used in the honest majority setting to achieve malicious security with sublinear additive overhead, relying on the fact that in the honest majority setting, the secret sharing is inherently robust. But when we move to this honest majority setting, it's much more challenging because how can we achieve robustness without increasing the amount of collusion rather than this? So the idea that we used in BGIN21 was to use the dealer as one of the parties and to use him in order to achieve robustness. So first we defined a robust secret sharing scheme using the dealer, which we called the star secret sharing scheme. And then we showed how to, and we use the same idea here in this work, how to maintain this robustness in the verification protocol. And here the way to do it is to use the dealer as a verifier in the disability or knowledge proof. So how does it work? So first, what is this star secret sharing scheme? So the idea is very simple and it is basically used everywhere. So the idea is that for each wire, for example, for inputs and outputs of multiplication gates, what we want is that each party will hold the masked secret and a share of the mask while the dealer knows all the masks and all the shares. And this gives us the robustness that we need because now it's secret can be reconstructed by each party plus the dealer, right? So each honest party needs only to, and the dealer can reconstruct the secret. And this is suffices of what we need. And this scheme is basically simplicity or sometimes even explicitly used in many semi-honest protocols. So what remains to show is how to use it, how to maintain this robustness also in the verification protocol given that the parties hold these masked values on the wires of the circuit. So how do we verify multiplications? So what the party wants to verify is that the output of each multiplication is consistent with the inputs. So we can replace each value here with the masked value plus the mask, right? So, and the parties, of course, want to verify all multiplications together so they can take random linear combination of all these equations and eventually obtain one equation that they want to check. So now, so this is the equation they want to check. If we look at this equation, so we can easily see that these values are known by all parties. These are the random coefficients that the parties choose jointly choose at the beginning of the verification protocol and these values become public. And the other values are the masked values that the parties sowed during the semi-honest computation. The other values, these are the masks are known to the dealer and share to the parties. If we open this equation and do all the math, what we will obtain is that we can express this equation as an inner product between two vectors. One vector contain the values that are known by all parties and the second vector contains values that are known by the dealer and share to the parties. So this is what the parties wish to verify. So what we get here is, first of all, an expression which is a degree two polynomial. And second, that the input is shared in a robust way in the robust way because each input is known by either an honest party or by the dealer. And therefore, we know that we can prove this statement using disability knowledge proofs with sub-linear communication in the size of the input. So we know there exists such a protocol with sub-linear communication. It only remains to show how to emulate this protocol in our setting. So the idea is that so we will use the dealer as a verifier as well. So we have the parties who know their inputs and we have the dealer who know the remaining parts of the inputs. Now we will ask the prover to also secret share the proof in the same way, meaning that the parties will see the masked proof and the dealer will hold the mask. So this means now that each piece of information, the input and the input and the proof are additively shared between each party and the dealer. So now each party and the dealer can simply run the linear queries over their shares of the input and the proof and obtain a star sharing of the answer, meaning that the answers of the queries are shared between each party and the dealer. So this robustness of the secret sharing that we maintain is eventually what gives us the soundness of the proof, meaning that a corrupt party cannot cheat. So it only remains to show how to emulate the prover. Because who is the prover here? No one knows the input, right? So the idea is that we will also let the parties emulate together the prover. And here we rely on the fact that each value here is either known, the vector A is known by all parties and the vector B is shared to the parties because each party holds a share of all the masks. So what we can do, so we can show that each party can locally compute its additive share of the proof, Pi i. And once each party locally compute its additive share, it can simply star share its additive share, meaning that each party will broadcast to the other parties his masked share of the proof. And then the parties can locally add all these masked shares and obtain the masked proof while the dealer knows the mask. So this is how we can emulate the prover by all parties. So this is the main idea. So what do we get from this process? What do we get from using the dealer as one of the verifiers? So as we saw, each piece of information is known by all parties, and this is what gives us the robustness that we need, which leads to soundness. The fact that the statement is a two degree polynomial, as we said before, this is what gives us the sublinear communication. Now, because communication is sublinear and because the dealer acts as a verifier, this means that the communication from the side of the dealer is also sublinear in the size of the circuit and the communication, the messages from the side of the dealer will be given as correlated randomness to the parties. So, and finally, because the dealer performs all its computations over random data, over then the dealer can basically pre-process its computation and hence the result as correlated randomness to the parties. So this is what we achieved by using the dealer as a verifier. Okay, so we have some concrete costs in the paper, but because time is running out, let me jump into how to distribute the dealer. So what are the dealers, what does the dealer compute? So it didn't show you exactly how, exactly the distributed knowledge proof protocol works, but believe me that what the dealer does is the following. So the dealer needs to choose a random point tower and then evaluate square root polynomials where the degree of each polynomial is square root in the size of the circuit on this random point tower and the result, the evaluation of all these polynomials is the, it's correlated, is the correlated randomness that is given to the parties. So this is what the dealer does and these polynomials are defined by the beaver triples. Okay, so the dealers need to give the parties shells of beaver triples and these evaluation points of square root polynomials. So in order to distribute the dealer, what we suggest is to do the following. So we now let the parties generate encryptions of the power of tower and we will use an additively amorphous encryption and now each party who holds shells of the beaver triples can simply evaluate homomorphically his shell of the polynomial on the encrypted values and obtain an encryption of a shell of the evaluation of each polynomial and then the parties can simply exchange the encryption and then decrypt the answers. So what if we look at the communication of this protocol, so the parties need to interact in order to generate square root ciphertext, but this can be done in a generic way with sublinear cost for generating the beaver triples we can use, as we said, PCGs for example, or any sublinear protocol for generating shells of unauthenticated beaver triples. And finally, the parties need to communicate in order to decrypt square root ciphertext. So overall, the amount of communication is square root in the side of the circuit. So this is the high level ID, but of course there is some more work to do. What I described is basically the basic framework with, and this gives us an offline with semi-owned security for online with malicious security. It's easy to see also how to using the generic tool how to achieve covert security with sublinear communication cost and to achieve malicious security. So feasibility-wise we can use any generic communication preserving compiler if we want a completely efficient solution then there are some challenges here. In particular, what happens if a private party does not use the shell that he received from the PCGs? Then this is a problem and we need to deal it with some by adding some more tools. And in particular, this requires the added to the homomorphic inclusion scheme to be also to satisfy also some assumption that is called the linear only assumption. But this I will leave you to read in the full version of the paper. And yeah, thank you very much. Thanks, Ariel. Are there questions? Good. If not, then I have one. Is there a way of turning your construction into something that has identifiable abort for a maliciously secure protocol? That's a good question. We didn't think about it too much. I don't know. If you have malicious security in the online phase and maybe a NPC protocol for the pre-processing that is also having identifiable abort then maybe it could work. Might be, yeah. But we didn't think about it, yeah. Okay, cool. That's a good question. Thank you very much, Ariel. Thank you.