 Hello everyone, my name is Ariyanov and I will present a paper generalized pseudo-random secret sharing and efficient Strangler-Resilient Secure Computation. This is a joint work with Fabrice Milamouda, Edette Boyle, Nibgilboa, Shia Levy and Ivali Shai. So in this work we consider the popular setting of multi-party computation with their own majority. In this setting we have n-parties who wish to compute jointly some functionality over their private inputs without revealing anything about the output. In the presence of t-forrupted parties, where n is larger than 2t. So the reason this setting is so popular is because in this setting we are able to achieve highly efficient protocols that are information-theoretic or only make a black box use of cheap symmetric drift. Now within this setting we can distinguish between two sub-settings. The weak honest majority setting, where n is exactly 2t plus 1, which is the minimum number of parties required to maintain honest majority, and the strong honest majority setting, where n is strictly larger than 2t plus 1. The main question that we ask in this work is what can we gain in terms of concrete efficiency from allowing strong honest majority. Now this question may seem a bit odd at first glance because we are used to think that in cryptographic protocols there is a trade-off between security and efficiency. So if we reduce the security threshold then we will be able to improve efficiency. However, this is not true for the honest majority setting. To see this, consider the task of evaluating an arithmetic circuit over secret shared inputs. If the secret chain is linear then the parties need only to interact to compute multiplication gates. The best semi-honest multiplication protocol to this date is the Darmgren-Nielsen protocol, which has two rounds. In the first round the parties send 2t messages to party p1 or any other designated party, and then party p1 sends back n minus t minus 1 measures s to the other parties. So the communication cost is n plus t minus 1 sends elements and multiplication gates. The recent works have also closed the gap between semi-honest and malicious security in the honest majority setting. This means that we have the same communication cost also with malicious security, both for the strongly and the weak honest majority setting. Now assume that we want to work in the strong honest majority setting. So now we have two options. First to run a protocol in the strong honest majority setting. But the second option is to let the parties share their inputs to a subset of 2t plus 1 parties who will run the protocol for them in the weak honest majority setting. It is straightforward to see that the second option will result with less communication. And so it is not clear what can be gained from working in the strong honest majority setting. A different direction that has been considered in the strong honest majority setting to improve efficiency is to evaluate multiple gates together at the same cost of a single gate. This can be done using actual mere secret sharing where we store l secret in the same polynomial. So now the degree of the polynomials that are used during the computation is t plus l, which we denote by t, and the number of parties must be larger than 2t. Now when evaluating SMD circuits, where you have many copies of the same circuit in parallel, this gives an immediate improvement by a factor of l for both communication and computation, which is of course significant. However, when working over general circuits, previous works could only achieve a synthetic efficiency, but with high concrete cost for routing secrets between blocks when moving from one layer of the circuit to the next layer of the circuit. So the question that we started with remains open. What can we gain in terms of concrete efficiency from working in the strong honest majority setting when evaluating the general circuits? This work will present new techniques for the strong honest majority setting improving communication and computational cost, storage and latency. All of our techniques are based on pseudo-random secret sharing, PRSS, which allows secure and non-interactive generation of pseudo-random Shamir secret shareings from a set of replicated seeds that is distributed across the parties. Now while this method does not require any communication, the computational cost grows very fast with the number of parties and therefore it is only practical for small values of D. Nevertheless, it has many applications beyond the context of MPC and therefore some of our techniques are of interest even beyond the context of secure multi-party computation. Our first contribution is a way to construct useful linear correlations using PRSS to support computation of non-SAMD circuits over packed secret sharing, which avoid the routing mechanism overhead from previous works completely. Our second technical contribution is a new general PRSS construction with reduced number of seeds and reduced computational cost when the polynomial degree T is higher than what is required by the corruption threshold T and the packing parameter L. By achieving this, we are able to extend the range for which the PRSS technique is applicable. Our third and last contribution is cheap stragglers resilience. In particular, we show that if the number of parties N is larger than what is required by the polynomial degree T, namely that N is larger than 2D plus 1, then we can allow the protocol to proceed even if not all messages have arrived in each round. While this is straightforward to achieve with Samarana security, this is much more challenging to achieve with Melissa security because it requires dealing with a subtle attack due to Goyalatal, which we call the double dipping attack, which breaks the privacy of the computation. We present a solution for this attack that requires no additional cost while achieving stragglers resilience. Using our three technical contributions, we obtain the following two results. The first result is a PRSS scheme for sharing the degree D polynomials between N parties with security threshold T, where we make a reduction from the covering design problem and show that given a solution to that problem of size K, our PRSS scheme requires K times D plus 1 times A minus D divided by N, PRF seeds per party, which improves upon the classical result of Goyalatal when D is larger than T. And in the following table, we can see the number of seeds per party in this work and in the work of Goyalatal for two special cases when T equals 1 and any number of parties and when T equals 2 and any number of parties such that N is smaller than 3 times D plus 1. As said before, this result has many applications even beyond the context of general NPC. For example, for threshold cryptography as shown by Goyalatal or for the task of secure aggregation, which is important for secure federated learning, or even for the simple task of secure distributed storage where a dealer wants to store a secret across multiple servers. And with PRSS, the dealer only needs to broadcast the offset between the actual secret and the secret that was generated using PRSS. Our second result is an NPC protocol with malicious security and stragglers resilience. In particular, we show that given a security threshold T, packing parameter L and the number of parties N, which is equal or larger than 2T plus 2L minus 1, then there exists a protocol to compute any arithmetic circuit C over a finite field F with S multiplication gates, which has the following properties. First, the protocol makes only black box use of any pseudo-random function. The protocol achieves malicious security against T corrupted parties, even if tau messages are lost in each epoch, where tau is N minus 2T plus 2L minus 1, and an epoch is defined as the two rounds where P1 sends a message to all the other parties and receives back a message from them. And the third property is that if the parties follow the protocol, then it terminates successfully even if tau messages chosen adductively by the adversary are dropped in each epoch. And finally, the communication cost of the protocol is given in this equation. As can be seen, the communication cost decreases as we increase the packing parameter L, and as we will see, we are able to beat the best previous protocols in this setting while achieving stragglers resilience. So let's go into our first contribution or generalized PRSS to support computation of non-SMD circuits over packed secret sharing. So let's first recall how the dumb garnish in multiplication protocol works. So we use the bucket notation to denote a secret sharing of x via a polynomial of degree T. Now at the beginning of the protocol, the parties hold shares of the two inputs and also shares of a random R using a polynomial of degree D and also using a polynomial of degree 2D. First, the parties locally compute shares of x times y minus R using a polynomial of degree 2D by multiplying the shares of the inputs and subtracting from it the shares of R using a polynomial of degree 2D. And then they send their shares to party P1 who can reconstruct x times y minus R and then share it back to the parties using a polynomial of degree D. Finally, the parties can locally compute their shares of the output by adding their shares of R using a polynomial of degree D. To generate the collet randomness, we can use PRSS without any interaction. So how can we compute non-SMD circuits using packed secret sharing? So to illustrate our method, let's consider the following example. So let's assume that in each block, we encode two secrets and the parties need to multiply a block with x1 and x2 with the block that holds y1 and y2. So the output block should store in the first position x1 times y1 and in the second position x2 times y2. Now let's assume that after this multiplication operation, there are many addition gates and then when the parties reach the next layer of multiplication gates, there is a block which in the first position should store a linear combination of z1 and z2. So our protocol will work as follows. If we give the parties shares of a random block that store random R1 and R2, then the parties can perform the first step of the damgarnese protocol, which will result with party p1 holding z1 plus R1 and z2 plus R2. Now instead of proceeding to the second step of the damgarnese protocol, we will first ask p1 to locally compute all addition gates over the mass values and only when it reaches the next layer of multiplication gates to secret share the masked blocks according to the structure of the circuit. This means that p1 will secret share a block where in the first position there is a linear combination of z1 plus R1 and z2 plus R2. Now if you further give the parties also shares of a random block where in the first position there is a linear combination, the same linear combination of R1 and R2, then the parties will be able to unmask the block that they received from party p1 and obtain the correct blocks that will enable them to proceed with the computation. So if we generalize our example, what we obtain is the following. So the parties first locally multiply blocks of shared values, mask the result and send it to p1 who can reconstruct the masked outputs and then locally compute addition gates over the masked values. Then when party p1 reaches the next layers of multiplication gates, it can secret share a block of masked inputs which will be unmasked by the parties. And what we need to support this process is correlated randomness of the following form. Shares of a random block of L secrets using a polynomial of degree 2d and shares of a random block using a polynomial of degree d for each secret satisfies linear constraints that are induced by the structure of the circuit. And what we show in the paper that we can produce these correlations using PRSS therefore enabling computation over pack secret sharing without any extra overhead. So now let's move to our second contribution which is new designs for reducing storage and computational costs of PRSS. So first let's recall the classical PRSS construction of CDI. So first for each subset of size t we give the complement subset a seed and then to generate the next pseudo random shamir secret sharing for each subset of size t we define the next polynomial where we give all the parties in the subset t the evaluation point zero and an additional point is computed using the seed that is not known to the parties in t. So what we get here is a polynomial of degree t because it is defined by t plus one points and also a polynomial where each party can compute its evaluation point on this on the polynomial. And the final the output share of each party pi is the sum of all these evaluation points iterating over all the subsets of size t. And what we get is a shamir secret sharing of the sum of the secrets that are stored at the point zero in all the polynomials that we defined. So using the CDI construction for generating a degree d polynomial requires storage of n choose t seeds and approximately n choose t times d minus t plus one prf invocations where t is the number of corrupted parties and d is equal or larger than t. This of course limits the practicality of the construction for only small number of parties. What we show it is that if d is strictly larger than t then we can use this gap to achieve drastic improvements both for the storage and the amount of prf invocations. The main technical tool for our construction is covering designs. This problem is defined as follows. So given integers n, m, and t we say that a collection of sets s1 to sk is a n, m, t cover if it satisfies the following properties. So each sj must be of size m and must be a subset of the set one to n and each set of one each subset of one to n of size t must be covered by at least one sj. So in the right side we see an example of six to one cover because we have six items and the size of each set in the cover is two and each single item is covered by at least one set. Now it's almost straightforward to see that covering designs are necessary to achieve general prss. In particular if we have a t secure prss solution for generating the greedy polynomials then we can obtain an ndt cover. To see this consider a solution for t secure prss which consists of k subsets. Each set sj includes parties who receive seed rj. Now each set must be of size n-t in order to generate a polynomial of degree t and the t security property guarantees that each set of t parties must miss at least one seed which means that there exists a set sj such that the intersection between hj and that subset is empty. Now in order to obtain an ndt cover it suffices to simply take the complement subsets of s1 to sk. Now the size of each complement set is t and we are guaranteed that each set of t parties is covered by at least one complement subset so what we get is an ndt cover. However the opposite direction is natural and if we take an ndt cover this does not imply a t secure prss solution for generating the greedy polynomials. To see this consider the following example here we have a four to one cover that consists of two sets s1 and s2. So in order to construct a prss solution we would like to define two polynomials that corresponds to the sets s1 and s2. The first polynomial corresponds to the set s1 and here we will give the parties in the set s1 the evaluation point zero and an additional point will be computed using a seed that will be given to the parties that are not in s1. Similarly the polynomial f s2 will be defined using the set s2 namely the parties in the set s2 will be given the evaluation point zero and the an additional point will be computed using a seed that will be given to the parties that are not in s2. Then the final polynomial will be f1 plus f2 which is indeed a two degree polynomial because it is defined by three points. Now to see that this is not a t secure solution assume that p1 is the corrupted party. Now to learn the polynomial f p1 only misses one piece of information only k1. However if f was a truly random two degree polynomial p1 should have missed two points of the polynomials or in other words it should have missed two pieces of information. This means that f is not pseudo-random therefore the construction is not t secure. What we can prove and we indeed prove in the paper is that given an n d plus 1 t cover of size k we can construct a t secure prss solution for generating the gritty polynomials where the total number of seeds is k times d plus 1 and the total number of prf calls is k times d plus 1 times n minus d. The main idea behind our construction is that we take each set sj in the cover and generate d plus 1 sets of size t from it but each by each time we're moving one party from the set sj and then we use all the sets that we obtain k times d plus 1 sets to generate the prss solution and the security argument says that given a set of corrupted parties of size t there must be a set sj that covers it but from this set sj we generated d plus 1 sets from which d plus 1 minus minus t sets does include t which means that there will be d plus 1 minus t seeds that are unknown to the parties in t which is exactly what we need in order to prove security. In this table we present a comparison between our construction and the cd i construction for multiple data points so here for different n d and t parameters we have obtained the best n d plus 1 t cover size and using it we computed the number of seeds per party in our construction while the number of seeds per party in the cd i construction is simply n minus 1 to sd. As can be seen from this table we get a dramatic improvement over cd i as the gap between d and t grows. In the paper we further extend this result and show that given an n d plus 1 t cover we can use it to construct a prss solution for generating double shamir packed sharrings which means that we can generate block or l random secrets that are shared using a polynomial of degree d and a polynomial of degree 2d which is exactly what we need in order to evaluate s i m d circuits. In addition given an n d plus 1 minus l t covers we can use it to generate a prss solution for shamir packed sharrings with linear constraints meaning that we can generate an uninterrupted block of random secrets l random secrets that are shared using a polynomial of degree 2d and block of l secrets that are shared using a polynomial of degree d and each secret is a fixed linear combination of the secrets that were shared using a polynomial of degree 2d which as we have seen earlier in the talk is exactly what we need in order to support evaluation of non-samd circuits. So now let's move to our third and last contribution which is cheap straggler resilience. So consider an epoch which includes two rounds. First p1 sends his second round messages in the dumb donation protocol for the current layer of multiplication gates and then p1 receives the first round messages in the dumb donation protocol for the next layer of multiplication gates. Since x times y minus r is shared using a polynomial of degree 2d this means that p1 only needs 2d messages to arrive in order to reconstruct x times y minus r and therefore even if n minus 2d messages are dropped the protocol can still proceed. In this case we say that a protocol has n minus 2d straggler resilience. In the paper we give also a formal definition for straggler resilience where we allow the adversary to choose adaptably the messages to drop in each epoch and also stress that security should hold not only the presence of an adversary controlling the parties but also if some messages are dropped in each epoch. Finally it is worth noting that feasibility of straggler resilience follows from standard robust npc protocols but there it comes with an extra significant overhead. Here we are interested in straggler resilience npc and not for robustness without any additional overhead. While straggler resilience is straightforward to achieve with semi-mono security it is much more challenging to achieve with malicious security that particular if we allow p1 to use only the first 2d messages that he receives this will completely break the privacy of the protocol. This is due to an attack by Goyalital which we call the double dipping attack and is carried out over two layers of the circuit. So assume we want to multiply x and y and then multiply the result with z. So malicious p1 can work as follows. So when multiplying x times y party p1 will send the correct second round message to all the parties except for one on this parties say pn. Then when multiplying x times y with z party p1 can compute the message that pn shoots up sending using the 2d messages that he first receives from the other parties. This is due to the fact that all the messages are point on a polynomial of degree 2d and so p1 can compute all the other points on the polynomial using the points the first 2d points receives and its own point. Then p1 can use the difference between the message that pn should have sent and the message that pn actually send in order to compute pn share of z which of course is completely forbidden and breaks the privacy of the protocol. The attack is caused by the fact that all the masks lie on a polynomial of degree 2d and therefore once p1 receives 2d shares you can compute the n-2d shares of the remaining parties. Failure solutions to this attack include using a masking polynomial of degree n-1 or adding a consistent check between each two layers of the circuit. While there the first solution leaves no room for starters while the second solution results in increasing the latency. We present a solution where we still can use only 2d messages and therefore strongly resiliency is maintained and also without increasing the latency of the execution. In our solution each party chooses its mask independently and then the masking polynomial is determined by the first 2d messages p1 receives. This means in particular that all the messages sent by the other parties are now independent and cannot be predicted which is what we need in order to prevent the WDPing attack. Now this raises several challenges when we want to unmask the shares in the next multiplication layer. And for this to succeed we need two additional things. First we need p1 to send the set of 2d parties that were used to interpolate meaning the set of 2d parties for which the messages arrived first. And second we need to tweak a little bit the correlation randomness and in the paper we show that we can use our PRSS techniques in a black box way to support this without of course any additional communication. However this requires increasing the amount of correlation randomness by a factor of n. So with our solution we are able to compute the circuit with n-2d resilience and with privacy. However this is not enough and in order to achieve malicious security we also need to show how we can achieve correctness. In our protocol we use distributed zero-knowledge proofs due to bonnetile to verify the correctness of all multiplications with sublinear communication in the size of the computed circuit and constant number of words. Now using this tool in our setting raises several challenges. For example since we use PAC-secret chain now all the secrets are stored in different positions of the blocks and we need to show how we can perform in the verification protocol slot friendly operations meaning operations that are over secrets that are stored in the same position of the block. Another challenge is that the state may be partial for some parties who struggle in the circuit evaluation. To solve this we will need to run the verification protocol several times number of times that is bounded by the circuit's depth. Nevertheless we show that the overall cost remains sublinear for all natural circuits. So finally we examined the communication cost of our protocol for various parameters. So on this table we can see for different number of corrupted parties for different number of struggles and for different packing parameters we present the number of parties computed as 2t plus 2l minus 1 plus tau. The total number of feed elements sent per multiplication gate in our protocol and the ratio between the communication cost of our protocol and the communication cost of the best protocol where we leave no room for struggles and where we don't use packed secret sharing which means that the number of parties is much smaller. As can be seen from the table when we increase the packing parameter and the number of corruptions we are able to beat the previous best protocol while still leaving room for struggles. So to summarize our contribution our first contribution is peer access for packed secret sharing which allows us to reduce communication and computation when computing non-SMB circuits. Our second contribution is new design for peer access which allows us to reduce computation and storage and the final contribution is struggling resilience which allows us to reduce the latency of the protocol. So with this I will end my talk. Thank you very much for listening.