So the next talk is titled "The IPS Compiler: Optimizations, Variants, and Concrete Efficiency." It is by Yehuda Lindell, Eli Oxman, and Benny Pinkas, and Yehuda will be giving the talk.

Good morning, everyone. I'm going to talk about the IPS compiler, where IPS is Ishai, Prabhakaran, and Sahai: optimizations, variants, and concrete efficiency. This is joint work with Benny Pinkas and Eli Oxman.

In the setting of secure computation, there are two main classes of protocols: information theoretic and computational. In the information-theoretic setting, as we've seen in the previous talk, we use algebraic mathematical tools that are typically very efficient. We obtain security even for an adversary who is computationally unbounded, so that's another advantage. However, we require an honest majority, in fact even a two-thirds honest majority when there is no broadcast channel, and it's impossible to achieve this for a dishonest majority. In contrast, in the computational setting, we use computational hardness and heavy tools for obtaining oblivious transfer, zero-knowledge proofs, commitments, and so on. The adversary is limited to polynomial time, and we only achieve that level of security, which is fine in practice. The advantage is that by using this, we can actually obtain security for any number of corrupted parties, at least if you're willing to forgo the requirement of fairness. So these are really two different settings, with different trade-offs of what we gain and lose.

Another category we have to look at when we talk about secure computation is the power of the adversary, not in terms of its running time, but in terms of the other things it can do. The most basic model is semi-honest: here the adversary follows the protocol specification, but tries to learn more information than it is allowed to by looking at the transcript and at what it receives. In the malicious setting, the adversary and the corrupted parties can basically do anything they want. This is, of course, a much stronger security guarantee, and it's what we would much prefer in practice. A more recent model is called covert adversaries. Here the corrupted parties can again follow any strategy they wish, but unlike the malicious setting, we don't guarantee that cheating will never succeed. Rather, what we say is that if the adversary tries to cheat, then it's guaranteed to be caught with some probability: maybe one half, or nine tenths, or 99 out of 100; that's a parameter that can be determined. This models cases where, in the real world, there would be some deterrent or punishment if somebody cheated: maybe they'd lose reputation, or they'd be thrown out of the consortium that is carrying out the computations, and so this may be sufficient.

In 1987, when GMW presented their construction of secure computation, they actually presented a paradigm, a general way of working. The first step in constructing secure protocols is to construct a protocol that's secure in the presence of semi-honest adversaries. This is somewhat easier, because you know what the adversary is going to do in terms of the messages it sends, but you need to check that no more information than is allowed is revealed. This is non-trivial, but it's an easier first step. In the second step, you construct a compiler that takes any protocol that's secure in the presence of semi-honest adversaries and transforms it into a protocol that's secure in the presence of malicious adversaries.
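To make the covert deterrence guarantee concrete, here is a minimal sketch in Python of the chance that repeated cheating goes undetected; the deterrence factor eps and the function name are illustrative choices for this sketch, not anything specified in the talk or the paper.

```python
# Minimal sketch of the covert deterrence guarantee. The deterrence
# factor eps (1/2, 9/10, 99/100, ...) and the function name are
# illustrative choices, not part of the IPS paper itself.

def evasion_probability(eps: float, attempts: int) -> float:
    """Probability that `attempts` independent cheating attempts,
    each caught with probability eps, all go undetected."""
    return (1.0 - eps) ** attempts

# With eps = 1/2, cheating 40 times goes undetected with probability
# 2^-40, matching the 2^(-n/2) bound that comes up later in the talk.
print(evasion_probability(0.5, 40))  # ~9.1e-13
```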
And they do this by using zero-knowledge proofs, commitments, and coin tossing, essentially to have each party prove that it's behaving correctly and doing what it should do. Once we have that, then essentially each party is semi-honest, and the security of the first step kicks in. So this is the way the GMW compiler works.

In 2008, Ishai, Prabhakaran, and Sahai presented at Crypto a completely different type of compiler for obtaining security in the presence of malicious adversaries, and for any number of corrupted parties. It really works in a completely different way. The building blocks are an information-theoretic protocol that's secure in the presence of an honest majority (it can be a plain honest majority, or two thirds, or even greater, similar to what we saw in the previous talk), and also semi-honest protocols for computing small, simple functions, like computing shares of the product of shares, again similar to what we saw a few minutes ago. The advantages of IPS, and I'll describe how it works in a few minutes, are firstly that it has excellent asymptotic efficiency; this was discussed in the original paper, and also a year later at TCC in follow-up work by the same authors. It's also a completely different way of working, which is always good for the field: when we have a construction that works in a completely different way, we can learn a lot from it and enrich the field. And it's black box in the semi-honest protocols; I won't go into why that's so important, but you can look at their papers for that.

The basic idea behind the protocol is to simulate this information-theoretic protocol that we start with, which requires an honest majority, but to simulate it without actually having an honest majority. How do we do that? The m real parties who need to run the protocol, any number of whom may be corrupted, run small sub-protocols that simulate this large information-theoretic protocol. The information-theoretic protocol has servers S1 through Sn, and the real parties run distributed protocols for the instructions of each of the servers. We denote by pi_1 through pi_n the small protocols that they run, so pi_i is a protocol that simulates the instructions of the i-th server in the large information-theoretic protocol. These servers are virtual; they don't actually exist. They're all in our mind and are simulated. The large protocol pi is called the outer protocol, the small protocols that the parties run are called inner protocols, and we call the real parties clients.

So this is how it looks graphically. We have the servers, which exist in a cloud; clouds seem to be popular in slides these days. But this is actually not cloud computing, it's just in your mind: they're virtual, they're not really there. And these two clients down here are running two-party protocols. Each time, they'll run the instructions of a server, but in a distributed and secure way, so they don't learn anything more than they should, everything is correct, and so on, as we'd like.

The main question is: what security level is required from these small protocols that the real parties are actually running? If they're secure against malicious parties, then everything is obviously fine, because that means nobody can cheat, so the simulation of all the servers is correct and private, and it's actually as if all of the servers are behaving correctly, so of course the protocol is secure.
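As a toy illustration of clients jointly simulating a virtual server, here is a minimal sketch assuming a simple two-party additive secret sharing over a prime field; the field size and helper names are my own choices for the sketch, not the paper's actual inner protocols. It shows that a server's state can exist only as shares, and that linear instructions of the outer protocol can be simulated with no interaction at all.

```python
import secrets

P = 2**61 - 1  # hypothetical prime field, chosen just for this sketch

def share(x: int) -> tuple[int, int]:
    """Additively share x between two clients: x = s0 + s1 (mod P)."""
    s0 = secrets.randbelow(P)
    return s0, (x - s0) % P

# A virtual server's state exists only as shares held by the clients.
x0, x1 = share(10)
y0, y1 = share(32)

# A linear instruction of the outer protocol ("server: z := x + y")
# is simulated locally: each client just adds its own shares.
z0, z1 = (x0 + y0) % P, (x1 + y1) % P
assert (z0 + z1) % P == 42

# A multiplication instruction, in contrast, cannot be done locally on
# additive shares; that is exactly where an inner protocol is needed.
```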
In fact, it's as if there are zero corruptions in that protocol. However, the aim of IPS is to actually start with protocols that are secure against a weaker type of adversary; if we're starting with something that's already secure against malicious adversaries, then it sort of defeats the purpose. We want to start with something weaker, say semi-honest. But this doesn't seem to make any sense: if the protocols you're running are secure against semi-honest adversaries but you have real malicious adversaries, then no security is actually guaranteed, and they can be completely broken, so it doesn't seem to work at all.

So let's start by considering a variant of IPS that actually appears in our paper, where these small protocols are secure against covert adversaries. Remember, that's the setting where there's no guarantee that you won't be able to cheat, but if you do try to cheat, it's guaranteed that you'll be caught with some probability; let's say here that it's probability one half. And these protocols can actually be made very efficient. Then, in order to cheat in the outer protocol, and this is really the main observation of IPS, you have to cheat in many of these servers, because the outer protocol is resilient as long as there is an honest majority. If you cheat in only a few, nothing will happen. You have to cheat for at least half of the servers, and cheating in the inner protocol is the only way to make a server deviate; it's the only way to cheat in the outer protocol. But the covert protocols guarantee that any time you try to cheat, you'll be caught with probability one half. So if you have to cheat n/2 times, and you'll be caught with probability one half each time, then the only chance you have of going undetected is with probability 2^(-n/2), which is negligible; it's a very small exponential function. Therefore you're going to be caught as soon as you try to cheat too much. So you can either cheat a little bit, but then the outer protocol, this information-theoretic protocol, is secure, because as long as only a minority of the parties are corrupted everything is fine; or you can try to cheat in many protocols, but then you'll be caught by the covert guarantees, which ensure that you'll be detected, and then we'll just stop, and you haven't learned anything yet. Therefore the protocol that we get is secure against malicious adversaries.

IPS wanted something more: they wanted to actually start from semi-honest protocols. How can they do that? There's no guarantee at all in a semi-honest protocol: if you're malicious, you can really easily learn absolutely everything, bias the protocol output, do whatever you want, and no one will ever know, as you can see by just looking at semi-honest protocols. So they introduced the notion of watching and watch lists. The observation is that if you know the randomness and the inputs that a party is supposed to be using in a given protocol execution, then you can actually check that they do what they're supposed to do, because you know the exact messages they're supposed to send; you know everything that they know. So you can just check: are they doing what they're supposed to be doing? What IPS does is set up a watch-list mechanism where each party watches every other party in k out of the n of these executions.
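To see why the hidden watch list gives the same flavor of guarantee as the covert case, here is a minimal sketch, with toy parameters rather than the paper's, of the probability that cheating in c of the n executions misses all k secretly watched ones.

```python
from math import comb

def evade_watchlist(n: int, k: int, c: int) -> float:
    """Probability that none of the k watched executions (chosen
    uniformly at random and kept hidden) is among the c cheated ones."""
    if c > n - k:   # so much cheating that the watch list is hit for sure
        return 0.0
    return comb(n - c, k) / comb(n, k)

# Toy parameters (not the paper's): 100 servers, 20 watched.
# Cheating in a couple of executions often goes unnoticed...
print(evade_watchlist(100, 20, 2))    # ~0.64
# ...but cheating in enough executions to break the honest majority
# of the outer protocol is almost surely caught.
print(evade_watchlist(100, 20, 50))   # ~8.8e-8
```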
So you have n servers and n protocols simulating these n servers, and in k of them you can actually know the randomness and inputs of the other parties and check that they're behaving correctly. There are issues relating to corruptions and so on, but if you choose the parameters correctly, everything is fine. The main point is that no party knows where it's being watched. If you don't know where you're being watched, then you have to be careful, because if you try to cheat too much, there's a chance you'll cheat where you're being watched, and then you'll be caught, and we're back exactly to what we talked about in the covert case. There, every time we cheated there was a certain probability of being caught, and the same thing happens here: you can either cheat a little bit, and there's a reasonable chance you won't be caught, but then the outer protocol is resilient to that small amount of cheating; or you can cheat a lot, but then there's a very good chance you'll be caught on the watch list, and you're dead, and we're happy: we're secure again in the presence of malicious adversaries.

Finally, our results. We study this compiler, this new approach, from a number of different angles in order to try and deepen our understanding of it. We present optimizations for the original IPS constructions to improve their efficiency. We also consider variants of the protocol, as I mentioned, relating to covert adversaries and the connections between covert, semi-honest, and malicious. And finally, we also study the concrete efficiency of IPS. I mentioned that it has excellent asymptotic efficiency, but what about something concrete? Not when we have three and a half million parties running a circuit of size ten billion; will it actually be efficient for reasonable things that we actually want to run?

Starting with the optimizations: I'm going to go very briefly through the results, because there are many, but they're in the paper, and we also just recently put the full version on ePrint, so you can see the details there. The first thing we do is construct a more efficient watch-list setup protocol. IPS wanted general assumptions and general results, so they used any OT; we use something that relies specifically on the DDH assumption. We get something that is much more efficient, but in addition to the construction itself being more efficient, we obtain a tighter and more exact security guarantee regarding what the adversary can do to cheat. This tighter analysis enables us to improve the efficiency of everything else in the protocol as well, because when you reduce the possible attack vectors, you can actually use fewer servers in the outer protocol. Details are in the paper. Our setup is so much more efficient that you also get more flexibility in parameters: you can deal with more servers, thousands or even tens of thousands of them, something that in the initial IPS protocol would very quickly become the actual bottleneck, which would then harm your overall efficiency. There are other optimizations in the paper as well.

Regarding variants: IPS constructs protocols that are secure in the presence of malicious adversaries from semi-honest protocols, and as I already mentioned, we use the IPS paradigm to also consider the setting of covert adversaries and understand it in more depth.
So the first thing we do is construct protocols that are secure in the presence of covert adversaries from those that are secure in the semi-honest setting. This is just like IPS, but we now use very, very few watch lists, and we get a more efficient protocol because there are fewer watch lists and fewer servers in the outer protocol. We then go on, and this is exactly what I described earlier: we show how to construct protocols that are secure in the presence of malicious adversaries from covert protocols, which I already explained in depth. The significance of these results is firstly to deepen our understanding of the covert adversarial model, which, at least I believe, is a very realistic and useful one in practice. There was also an open question from TCC 2010, where it was shown how to go from semi-honest to covert, but only for honest-majority-type protocols; here we do it for all types of protocols, and we also go from covert to malicious, so we understand much better how these things fit together. We also obtain a conceptually and technically simple construction: the transformation from covert to malicious is really simple, really intuitive, and very easy, for example, to teach in class and explain to people, which is a big advantage; at least, if anyone has tried to explain cryptography to anyone, it's not simple. And we also get better asymptotic efficiency for some specific problems; again, I'll leave that for you to look up in the paper.

Finally, I get to concrete efficiency. One of the things we really wanted to understand when we started looking at IPS is whether this protocol is really efficient, or whether the asymptotics only kick in way out there in 2050. The problem is that no one really knows, and the reason no one knows how concretely efficient it is, is that it has a really high level of abstraction. You take some information-theoretic outer protocol; which one? You use inner protocols for simulating those steps; which inner protocols? You can choose almost anything. The number of servers and watch lists trade off in terms of efficiency and error probability; what's best to choose? All of these things are quite easy to analyze asymptotically, but when you want to really understand concretely what the actual cost is, it becomes very difficult.

Just to give an example of why things are different in the IPS setting (for the choices of the outer and inner protocols, we studied the concrete efficiency of the ones actually suggested by IPS themselves): when you want to carry out multiplication gates, like what Gilad talked about in the previous talk, every multiplication carried out by the servers actually requires an inner protocol among the parties, and this therefore becomes the most expensive thing. Whenever the outer protocol says that a server should locally multiply two values, which in the real honest-majority setting is a very trivial operation, here it becomes expensive. Everything else becomes cheap, because it can be done without distributed protocols. What that means is that you get the best efficiency by taking an outer protocol that minimizes the number of multiplications the servers have to do. One way to do this is with the packed secret-sharing methodology, where a single sharing encodes a whole block of values.
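Here is a minimal sketch of packed secret sharing over a prime field, just to make the idea concrete; the field, the placement of the evaluation points, and the toy parameters are all illustrative choices, not the instantiation used in the paper.

```python
# Minimal sketch of packed (Shamir) secret sharing: one polynomial
# carries a whole block of secrets. All parameters here are toy-sized;
# the talk's instantiation packs a block of 73 values per sharing.
import secrets

P = 2**31 - 1  # a small Mersenne prime, fine for a toy

def interpolate(points, x):
    """Evaluate at x the unique polynomial through `points` (Lagrange)."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, P - 2, P)) % P
    return result

def pack_share(block, t, n):
    """Share a block of l secrets with one degree-(l+t-1) polynomial.
    Secrets sit at points -1..-l (mod P); t random values at points
    n+1..n+t hide them; shares are evaluations at points 1..n."""
    points = [(-(j + 1) % P, s) for j, s in enumerate(block)]
    points += [(n + 1 + j, secrets.randbelow(P)) for j in range(t)]
    return [interpolate(points, x) for x in range(1, n + 1)]

def pack_reconstruct(shares, l, t):
    """Recover the whole block from the first l+t shares."""
    points = list(enumerate(shares[: l + t], start=1))
    return [interpolate(points, -(j + 1) % P) for j in range(l)]

block = [3, 1, 4, 1, 5]                  # l = 5 secrets in one sharing
shares = pack_share(block, t=2, n=10)    # degree-6 polynomial, 10 shares
assert pack_reconstruct(shares, 5, 2) == block
```

The point of the packing is that one sharing, and hence one (expensive, inner-protocol-simulated) multiplication of sharings, now processes a whole block of values at once.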
The point is that the most efficient information-theoretic protocol may not be the best protocol to take in the IPS setting; you have to take something that fits very well into IPS.

Another issue that comes up is how many servers you should actually take. At the very beginning I said, well, you always want the smallest number of servers, because you have to simulate all of these servers: the more there are, the more simulation, the more inner protocols, the more work. Obviously you want to limit this; that seems to be trivial. However, when you start doing the actual concrete analysis, you find out that fewer servers means the adversary has to cheat in fewer protocols in order to get its dishonest majority. That means you need more watch lists in order to catch this smaller amount of cheating. And once you have more watch lists, that in turn requires you to take more servers, so that the number of watch lists doesn't grow too large relative to the number of servers. So instantiating IPS correctly and efficiently means finding the right balance between these different parameters.

We carried out both an analytic and a numeric analysis: some part is analytical, and for some part we actually just ran scripts over huge numbers of different parameter settings to see what the actual costs would be. And we have some rather surprising results. For the case of two parties, where you have an outer protocol with a plain honest majority, n = 4k servers is optimal, where k is the number of watch lists. Now, n = 3k is asymptotically the same; it looks exactly the same in terms of the security guarantees that you're getting. But what actually happens is that if you take 3k, you'll end up needing more watch lists and more servers than if you took 4k, for a given error probability. So things really are different, and surprising, and also very interesting. Other difficulties that arise are that for every function or circuit you want to compute, you actually need to take different parameters, and you need to analyze and find optimal parameters for it; I'm going to go through this very briefly. Also, when you change the number of clients, these parameters change, and again you have to come up with optimal parameters. These are real difficulties when you actually want to instantiate these things.

Just to give you a feeling for the actual concrete cost: if you take an AES-type circuit, say you want to do oblivious pseudorandom function evaluation, then we get that for this circuit size, the minimal number of oblivious transfers and multiplications, which are the main bottlenecks, is achieved by taking a block size of 73 for the packed secret sharing.
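The kind of numeric search just described can be illustrated with a minimal sketch; the cost function (simply n + k) and the resilience bound (the adversary must corrupt half the servers) are deliberately crude stand-ins for the paper's real cost model and analysis, and all names here are mine.

```python
from math import comb

def evade(n: int, k: int, c: int) -> float:
    """P[cheating in c of n executions misses all k watched ones]."""
    return comb(n - c, k) / comb(n, k) if c <= n - k else 0.0

def search(error: float = 2**-40, max_n: int = 2000):
    """Cheapest (n, k) under a toy cost of n + k. Since evade() only
    shrinks as c grows, the adversary's best shot is the least cheating
    that breaks the outer protocol, taken here to be c = n // 2."""
    best = None
    for n in range(10, max_n):
        for k in range(1, n // 2):
            if evade(n, k, n // 2) <= error:
                if best is None or n + k < best[0] + best[1]:
                    best = (n, k)
                break  # minimal k for this n; larger k only adds cost
    return best

# The toy model is happy with small numbers; the paper's real cost
# model and analysis lead to the much larger figures given next.
print(search())
```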
For an error of 2^(-40), we came up with these magic numbers: 1,752 servers and 207 watch lists. The actual cost, for two different multiplication protocols, is 13.8 million semi-honest OTs (you can use OT extension, so it's not as bad as it looks) and 4.5 billion field multiplications, or 5.5 million OTs and 5.5 billion field multiplications. So which is better? Well, it probably depends on the machine you're using, how you trade things off, and whether it's better at computing hash functions or field multiplications. We carried out experimental results on partial implementations, together with estimates, to see how much this would actually cost. The big surprise, at least for me, since I thought this would not be efficient for something like this, is the following: if you're using software-based field multiplication, it is quite expensive, 950 seconds. But if you use the new Intel instruction for carry-less multiplication, which gives you very efficient field multiplications, this can get down to below 100 seconds, which is really competitive in comparison to other protocols out there. And this is without going all the way and really trying to fully optimize everything; we may be a little overly optimistic here, but this seems to be the ballpark, and it tells us that there's real potential for efficiency here.

In conclusion, from our concrete analysis, we believe that IPS may actually be really competitive in practice in comparison to the other tools we have out there, and I believe there's even more potential in the multi-party case, where efficient alternatives are much less common; we simply don't have many efficient alternatives there. There are serious obstacles and difficulties in implementing IPS: there's no general protocol that takes any circuit and works efficiently, because the parameters have to be set, and that is difficult. But the payoff may be worth it, and more research may yield a way of doing this automatically and tightly; there's really a lot to be done here.

So in summary, we have a deeper understanding of the IPS compiler. We studied it within itself, in terms of its parameters and its efficiency, and we also studied its relation to covert adversaries, using that as a means to understand other adversary models. We also have optimizations in the watch-list setup and elsewhere. In terms of efficiency and practicality, it is very difficult to specify and implement; you have to go far, far down this tree of abstractions, but it's worth it, and it seems that we can really get competitive protocols from it. More understanding is necessary and more work is needed, but we have a whole community here who I'm sure will take up the challenge, and new optimizations may improve the situation even further. So it seems that this has real potential for the future. Thank you.

And again, we have to go directly to the next talk.