 Okay, so let me reintroduce again the paper. So the paper is highly efficient OT based multiplication protocols. This is a paper from If-Touch-Hatner, Nicholas Macriannis, Samuel Rinalucci, and the Eliad Tsvadia. So, and Nicholas will give the talk. Hello, hello, okay, it's working. It's okay. Okay, so let's start. Hi, I'm Nicholas. I'm here to talk about the highly efficient OT based multiplication protocols. This is a joint work with If-Touch, Samuel and Eliad. So we're gonna look at the problem of two-party multiplication, which we defined as follows. So two parties, P1 and P2 holding inputs X and Y respectively, wanna calculate additive shares of the product of their inputs. So the functionality takes X and Y from each of the parties, and it returns random S1 and S2, such that S1 plus S2 is equal to X times Y. So in this talk, I'm gonna focus on the field of integers modulo some large prime Q, but our results extend to any field of odd characteristic. Okay, so why is this an interesting problem? So two-party multiplication is important both theoretically and practically. So first two-party multiplication is the fundamental building block in arithmetic 2PC. It holds a role analogous to that of OT in Boolean MPC. So right now I'm assuming some familiarity with OT, Oblivious Transfer, but I am going to define it later on. So in particular, multiplication protocols are used extensively to generate beaver triplets and authenticated triplets. That is correlated data for general purpose MPC. I will remind you that these triplets allow for fast information theoretic MPC because all of the cryptography and most of the computation has been pre-processed in the multiplication protocol. Another application, and perhaps the main motivation of this work is for realizing threshold ECDSA. So the ECDSA scheme is arguably the most popular signature scheme in the blockchain space. And there are many companies, including the one I work for that are offering MPC signing commercially. So we can use MPC to thresholdize ECDSA, sorry, that's not a word. And since ECDSA is simply a shallow circuit over ZQ, the resulting protocol can benefit from a highly efficient multiplication protocol over ZQ. Right, so finally, if you're familiar with the OLE functionality, let me mention that multiplication is almost the same functionality as Oblivious Linear Evaluation. The two are essentially equivalent with very small overhead and all of the above holds true for the OLE functionality as well. Okay, so let's dive into the fun stuff. There are several paradigms for realizing two-party multiplication, roughly falling into one of two categories. So there are protocols based on homomorphic encryption, like Palais encryption, and there are protocols based on Oblivious Transfer. This is a very rough picture. For the most part, protocols based on homomorphic encryption have good communication, but they can be quite expensive in computation, and they also require stronger assumptions that is stronger than what is implied for general secure computation. On the other hand, protocols based on Oblivious Transfer use minimal assumptions because they use an MPC Complete Primitive. And they have good computational complexity. However, they can be quite expensive in communication. So to illustrate, for multiplying two 32-bytes values, current protocols require tens to hundreds of kilobytes of communication depending on the target security. Okay, so in this protocol, we present a new OT-based multiplication protocol, and the main challenge was to improve the communication complexity. Good, so before I give more background on OT and OT-based protocols, I wanna quickly define what an OT-based protocol is. So simply put, a protocol is OT-based if the only underlying cryptographic primitive it uses is the OT. So slightly more formally, we define protocols in the OT hybrid model where the parties have access to an oracle calculating the OT, the Oblivious Transfer. So I will remind you that OT takes two inputs from the sender and one bits from the receiver and it delivers that value indexed by the bits to the receiver. Good, so it goes without saying that protocols in the OT hybrid model give rise to protocols in the sender model by simply replacing the oracle call with a secure protocol for OT. Right, so complexity costs in this model are broken down as follows. So we have the usual suspects of computation communication around complexity, but we also wanna keep track of the following. So on one hand, we have the number of oracle calls to the OT, but also the size of the input of the sender, so the size of disease. This metric, so the size of disease is important because the longer the inputs in the OT, the more data has to be communicated when compiled in the plain model, okay? So in the rest of the talk, I'm gonna refer to this cost as a communication cost even though this is a misnomer in the OT hybrid model. Good. Okay, so what do we know about OT-based multiplication? So as far as we know, I mean, as far as I know, there are two templates for OT-based multiplication, one by Gilboa and one by Ishai and others. So Gilboa's protocol achieves better performance with only log Q, OT calls and communication. Both protocols only achieve semi-honest security. Gilboa's protocol can be compiled, I mean, both protocols can be compiled, but Gilboa's protocol can be compiled for malicious security, but not cheaply. And the protocol of Ishai and others admits a malicious variant under a non-standard assumption. Good, so let me turn to our results. Okay, so we present a new protocol in the OT hybrid model. Our protocol is almost maliciously secure in that it achieves a high level of security out of the box. In the next slide, I will explain exactly what this means. Furthermore, our protocol admits a batching variant for computing many multiplications when one party is using the same input for each instance. The batching variant of our protocol is more efficient than simply repeating the base protocol beta times. For malicious security, our protocol can be compiled very cheaply, both for the single instance case and the batch variants. And our protocol offers an X2 improvement in communication compared to the state of the art. So to elaborate on the first items, the almost maliciously secure. In the paper, we show the following theorem. So let me state it informally before I startle you with the formulas. So intuitively, depending on the adversary, we show that either the protocol is fully secure or the honest party is utterly unpredictable in an interesting way. So slightly more formally, our protocol exhibits the following dichotomy. Either the protocol can be simulated in the ideal model with two to the minus cop over four statistical closeness or the honest output has entropy, mean entropy, at least cop over four, given both the adversary's view and the honest party's input. This means that the output is highly unpredictable under attack, even if the adversary knew the input. So in the batching variant of our protocol, we show that each of the honest outputs are either well formed or they are unpredictable given all of the honest party's inputs. So in the paper, we formally define this, our predictability notion via a functionality that we call weak malts. And in the next slide, I will argue that weak malts is useful in its own right. Good, so turning to applications, right away, I wanna stress that this unpredictability notion is very useful for obtaining malicious security. It suffices to perform a single check to verify for correctness and to detect malicious behavior. What's more, this check can be very simple. For instance, in a Q-order group generated by G, it suffices for P1 to check the displayed inequality. So I'm assuming here that the group elements are public and they are well formed. This assumption may seem restrictive, but this check can be generalized to arbitrary settings very cheaply. I'm not gonna elaborate on this, but feel free to ask me later on. Good, furthermore, for certain protocols, it is enough to realize the weak malt functionality because correctness checks, like the one I just described, are built into the protocols. For example, in the threshold ECDSA of Lindel and Noth, the parties are instructed, the parties are instructed, what are the parties instructed? Okay, I have a typo, nevermind. So the parties are instructed to check the output in an oblivious way. And therefore, our protocol can be used as is in the threshold ECDSA protocol of Lindel and Noth. Right, so finally, the batching variant of our protocol is useful for generating beaver triplets and authenticated triplets in the pre-processing models. Good, so I'm gonna conclude the first part of my talk with a comparison to previous works. So our protocol prescribes N calls to the OT where N is log Q plus a statistical parameter kappa. Our protocol prescribes half as many OT calls as other maliciously, not OT calls, communication compared to other maliciously secure protocols. And in the batching variant for batches of size beta, our protocol scales with log Q rather than N. And so we only pay for the security parameter once rather than for each instance. So effectively, our protocol achieves the same amortized cost as Gilboa's protocol while achieving full security instead of simply semi-honest security. Good, so right, so in the remainder of the talk, I'm gonna give you the technical overview. So first I wanna introduce the following notation. So I'm gonna denote vectors with boldface letters and the coordinates with non-bold letters. So for the inner product, I'm gonna use pointy brackets. And I will write U star V for the point-wise product of two vectors also known as the point-wise product also known as the Hadamard product. So U star V is a vector. Okay, so let's have a look at the protocol. So the protocol consists of two phases. In the first phase, the parties make N parallel calls to the OT. So N parallel calls as follows. So party P2 samples values in minus one and one and it uses those values as inputs to the OT. Let me stress that I'm switching conventions between Boolean zero one for the input bits to minus one one. Right, so party one samples Delta, samples N field elements and playing as the OT sender uses inputs plus X and minus X, which is masked by the same value Delta and a different Delta is used in each OT call. So the OT call concludes with the receiver obtaining the value Zi from the functionality. Good, so in the second phase of the protocol, P2 samples a random vector V such that the inner product of T and V is equal to its input and it sends that vector to P1. At this point, the protocol concludes and the parties output the following. So P1 outputs the inner product of Delta and V so that the randomness it sampled and the vector it received and P2 outputs the inner product of Z and V so the output from the OT and the vector it sampled locally. So the sum of the outputs gives you the desired result because of the following calculation. So Z minus Delta is equal to X times T, the X comes out of the inner product and T inner product with V is equal to the input Y. Good, so that was the protocol. What about security? So the first thing to notice is that this protocol is fully secure against the corrupted P2. Indeed, the only way P2 can deviate is by sending a different vector V. However, this behavior is equivalent to choosing a different input. And so this execution for a corrupted P2 can be simulated in the ideal model by simply extracting the right input. The interesting case is what happens when P1 is corrupted. So the problem with P1 is that it may use inconsistent inputs in the OT. Specifically, instead of using well-formed inputs, values across the different OT calls, P1 may use inconsistent values. The result is in the security analysis that there is no well-formed input for the corrupted party. And this execution cannot be simulated in the ideal world. So this is where I dichotomy theorem comes into play and now I'm gonna dive into the nitty-gritty of the analysis. So it's easy to show, easy, I mean, it's easy if you write it down, that the honest output is offset by some value V star T, inner product with D, where D is the smallest value in this set. I mean, what this set is is not very interesting, but intuitively what this means, what vector D is, is that it captures how much A deviates from the protocol because it is the smallest shift to the inputs which would yield well-formed values. So I will spare you the elementary algebra and I'm just gonna say that if D is very close to zero, then, or if D is the zero vector, then the party behaves honestly. And if D is very far from zero, then there are many inconsistencies in DOT. Good, so we show that when D is close to zero, then the offset and the inputs are two to the minus cap over four close to independent. And we leverage this fact to show that this execution can be simulated in the ideal world with two to the minus cap over four statistical closings. On the other hand, if D is far from zero, then we show that the offset has mean entropy, sorry, cap over four given both V and Y. So the reason this is true is because there is a huge number of T's, so vector T's for any fixed V and Y. And to show this result, we use a third moment concentration and equality. And the reason we go to the third moment is because we wanna match the target security from the first case. Good, so before I conclude, let me just present the batching variant of our protocol. I will describe it by comparing it to the single instance case. So here, party P2 has many inputs and the parties wanna calculate shares of each of the multiplications of X with Y, I. So the first phase of the protocol is very similar to the single instance case, except that now the parties make many more calls to the OT, how many more? So the number N depends on the batch size and the parties are required to call the OT an additional log Q times. An additional log Q times. Okay, I don't have a lot of time, but okay. So in step two, P2 samples a fresh V for each of these inputs. So a new vector and it sends those vectors to P1. The protocol terminates and the outputs are defined analogously to the single instance case. Good, that was the batching variant. So let me summarize very quickly and conclude. So we present the new OT-based protocol. It is sufficiently secure for some applications. It is almost as efficient as the best performing state-of-the-art semi-honest protocols in the batching variant. And in the fully malicious variant, it is twice as efficient in communication compared to the state-of-the-art. Some open questions to conclude. So can we push the efficiency further? Can we go beyond Gilboa's log Q, OT times log Q communication? Can we show that the IPS protocol realizes weak mulch? So that was the original question that we tried and failed to answer. And finally, what about lower bounds? Maybe OT multiplication is inherently wasteful in communication. Maybe Gilboa's barrier is unavoidable. Thank you. Thank you very much. Do we have any question? Good, thank you very much for a very nice talk. Just a small question that as you have highlighted in your construction, the corrupted P1 scenario as well, you have discussed it. Sorry? You have discussed the corrupted P1, party 1 parameters in your construction. So my question is that have you considered the applicability of the MITM in your construction? Of the MIT? Of the what? Yes, man in the middle. Ah, man in the middle. I'm, yes, I'm not exactly sure what you mean by that. I said that because you're calculating multi-party protocol. So you're, during the construction, while evaluating the vulnerabilities or its weakness, have you considered the MITM attack on this? So we have not considered that. And the other thing is your construction can be a base of a new secret sharing scheme or it can be used? If it can be based on a new secret sharing scheme, maybe, yes, maybe. Thank you. Any more question? In the meantime, I do have a question actually. So you said that when you showed the efficiency of your protocol, you said that it's in the random-oracle model, right? Yes. Right? Where do you need the random-oracle? So I need the random-oracle model because without the random-oracle, I need to pay for communication for all of these vectors I'm sending outside of the OT. But these vectors are just random. So I could just send a succint representation, like a succint seed through the random-oracle instead of sending all of those vectors, the Vs, basically. But I suppose you need to use sample also using the random-oracle, right? Those seeds. Or why can't you use, for example, a PRG and send short seeds over the channel if that's the problem? If I can say, because a PRG would like, so I can't send the, no, a PRG wouldn't be random enough, no, if I send the seed. It depends who samples the seed, I mean, like. Yeah. If it's the honest party that samples the seed, I mean, it should be fine, right? I see, okay, yes, good point. Right, maybe, maybe, yeah, maybe you can get away with it if you, right. Anyway, okay, maybe, yeah, we can discuss. Any more question? No, okay, so let's thank the speaker again. Thank you very much. Thank you. All right, so the next talk will be recorded. So are we ready for the, yeah. So the next talk will be practical non-interactive publicly verifiable secret sharing with thousands of parties.