 Hi, I'm Arushi. I'm going to talk about order C secure multi-party computation for highly repetitive circuits This is joint work with Gabrielle Beck, Abhishek Jain and Gabriel Kapchak To begin with MPC is an interactive protocol that allows a group of mutually distrusting parties to compute on their private inputs The security guaranteed by any MPC protocol is that an adversary Corrupting a subset of the parties should not be able to learn anything beyond the function that the parties are computing Since its inception Extensive research has been dedicated towards trying to bring MPC closer to practice and As the efficiency of MPC increases the hope is that it can be used to compute large complex Functionalities such as training machine learning algorithms or simulating large RAM programs on massive distributed data sets Let us now look at what we know about the complexity of existing protocols as it turns out most Concretely efficient and implemented protocols have a total complexity of order NC Where N is the number of parties and C is the size of the circuit Clearly the work done by each party in such protocols is proportional to the size of the entire circuit And if the circuit is large then no matter how efficient our protocol is We are expecting the parties to do a lot of work As a result the only parties who are in some sense capable of participating are ones that have massive computing resources One obvious way to avoid this limitation is to design protocols with a better efficiency than order NC In fact, we already have protocols with a better asymptotic complexity of O tilde C But these protocols are not concretely efficient In fact, the O tilde notation hides Polylogarithmic factors in the size of the circuit and polynomial factors in the security parameter We also know of order C MPC protocols, but only for a special restricted class of circuits called SIMD circuits I will explain what these circuits are a little later in my slides But the problem with these order C protocols is also that there are no known implementations of these protocols So the main question that we consider in this work is whether we can design order C MPC for a larger class of circuits But before talking about how or whether this question can be solved, let's first discuss some advantages of an order C MPC protocol First of all, since there is no linear dependence on the number of players In the total complexity of this protocol, it can be run with many many parties Moreover, when the number of participating players is large, the honest majority assumption becomes significantly easier to justify Also, the work required from each party in such a protocol is proportional to the order of the circuit divided by the number of parties Which in some sense means that more the number of players the better it is In such cases, parties with low computing resources can also potentially participate Finally, such protocols can also be used with large scale volunteer networks that have recently emerged such as Bitcoin and Tor These networks are already used to performing incredibly large distributed computations And it would be interesting to use them for MPC computations as well This would enable a crowd-sourced application like MPC as a service that still respects privacy Such services can be used by clients to delegate large computations Moving on to our contributions We design order C MPC protocols for a larger class of circuits that we refer to as highly repetitive circuits We design both semi honest and maliciously secure protocols that are secure against static corruptions of a little less than half fraction of the parties Our protocols are information theoretically secure and our maliciously secure protocol achieves security with the bot Finally as far as I know we provide the first implementation of MPC that uses bad secret sharing Now let me explain what SIMD and highly repetitive circuits are and what's the difference between the two So SIMD stands for single instruction multiple data These circuits comprise of multiple copies of the same sub-circuit For instance in this example the circuit contains four copies of the same sub-circuit Highly repetitive circuits are a subclass. I'm sorry a superclass of SIMD circuits But before I talk about highly repetitive circuits, let me define a class of circuits that we refer to as AB repetitive We say that a circuit is AB repetitive If it has arbitrary number of blocks of width at least A that repeat at least B times Here we refer to blocks as a group of gates that are on the same multiplicative depth in the circuit For example in this figure this orange block repeats multiple times and so does the green one and so does the gray one This is an example of a 3 comma 3 repetitive circuit We define highly repetitive circuits as AB repetitive Where both A and B are in omega of n Where n again is the number of parties Now this might appear like just another definition of a subclass of polynomially sized circuits But as it turns out this is actually a very interesting class of circuits and many known applications belong in this class For instance for loops and while loops in programming languages are highly repetitive computations machine learning algorithms are also highly repetitive Similarly block ciphers such as AES and hash functions such as SHA-256 are also iterative in nature and are highly repetitive Let me now elaborate on how we design order C protocols for highly repetitive circuits The rest of this presentation will be organized as follows I will start by recalling some standard techniques used to design efficient NPC protocols And then proceed to discuss our main ideas Starting with a very high level overview Of the approach used in most existing order NC protocols These protocols work with a circuit representation of the function that the parties wish to compute And the circuit is evaluated in a gate by gate fashion These protocols start with a threshold secret sharing of the inputs and maintain an invariant that the parties Will hold a sharing of all the values induced on the intermediate wires in the circuit throughout the computation For addition gates the parties simply add their shells Since this is a non-interactive Computation it does not incur any communication For multiplication gates We assume that the parties have access to a double sharing of a random value r One with respect to threshold t and the other one with respect to threshold 2 t The parties start by locally multiplying their shares of the input values And then mask it with a 2t out of n secret sharing of the random value r They then exchange these shares and reconstruct the masked value Finally the parties subtract a t out of n sharing of the same value r From this reconstructed masked value to obtain a sharing of the outgoing wire of the of this multiplication gate Assuming that the parties already have access to this double sharing of r It is easy to see that the communication complexity incurred while evaluating a multiplication gate is order n But how do the parties obtain this double sharing of r in the first place? So these shares are obtained using a batched randomness generation process Where each party starts by sampling a random value The parties then compute Two kinds of sharings of these random values one is a t out of n sharing and the other is a 2t out of n sharing Since each party sends these shares to every other party the communication complexity of this particular step is order n square Upon receiving these shares from all of the parties Each party locally multiplies its received shares with a hyperinvertible matrix or a random odd matrix These are publicly known matrices That are decided in advance Since the dimension of this matrix is n cross n minus t the parties end up with double sharings of n minus t values From the properties of these matrices It is guaranteed that if the parties follow the protocol honestly Then the resulting double sharings are of random values that are unknown to any individual party or the adversary As a result we get n minus t double sharings with order n square communication Which means that the amortized cost of generating a single double sharing is order n Therefore the total cost of evaluating a multiplication gate is also order n Now we move on to recall a tool that is used in the design of existing order c and o tilde c protocols called packed secret sharing We know that using a regular secret sharing scheme we can transform a secret into n shares Such that no subset of t shares is sufficient to reconstruct the secret Packed secret sharing is an optimized variant of regular secret sharing that allows transforming a vector of order n values into n shares However, this efficient representation comes with a slight loss in the corruption threshold The maximum corruption threshold that a packed secret sharing scheme can tolerate depends on a parameter epsilon Which in turn depends on the size of the vector that is being shared Similar to regular secret sharing packed secret sharing also has some nice homomorphic properties In particular given shares of two vectors u and v if the parties locally add their shares They end up with a packed sharing a t out of n packed sharing of the following vector Similarly for multiplication if the parties locally multiply their shares end up with a 2t out of n packed sharing of this vector Similar to regular secret shares the threshold or the degree increases when we multiply the shares All existing order c and o tilde c protocols Rely on these homomorphic properties of packed secret sharing and the batch randomness generation process that is used in order nc protocols In particular, let's consider the following simd circuit that has order n copies of a sub-circuit of size c Which each takes a different set of inputs To compute the simd circuit It suffices for the parties to start with a packed secret sharing of the following vectors Where each vector contains at least one input to each of the order n copies of the sub-circuit Using this packed secret sharing The parties evaluate a single instance of the sub-circuit exactly as in an order nc protocol Except that now the parties work on packed shares instead of regular shares As before the communication complexity Incured is order nc However, since we are working with packed shares This protocol allows us to compute order n copies of a sub-circuit of size c As a result the amortized cost of evaluating a single instance of the sub-circuit is order c While the previous ideas only work for simd circuits Damgard et al and kenkin et al show that any given circuit can be transformed into a circuit That is compatible with packed secret sharing By embedding routing networks However, this circuit transformation significantly increases the size of the circuit to order c As a result the complexity of the resulting protocol that uses these circuits Is also order c To summarize all existing order c and order c protocols Use a combination of packed secret sharing and the batch randomness generation idea However, as discussed earlier these ideas limit the scope of order c protocols to just simd circuits Or incur order c communication instead of just order c which is clearly not ideal We now discuss our main ideas behind Moving beyond simd circuits without requiring any expensive circuit transformations I will start by highlighting some main challenges in extending existing ideas And then proceed to discuss How we leverage the structure of highly repetitive circuits to overcome these challenges And finally, I will also briefly mention how we achieve malicious security From the previous discussion it is clear that in order to Get in again to get From the previous discussion it is clear that packed secret sharing is crucial for getting savings in the order c setting Let's assume that the parties start with packed secret sharing of the following input vectors And now they want to evaluate this particular circuit Which is clearly not a simd circuit In order to evaluate the first layer of the gates First layer of the gates itself The parties need to be able to perform different operations on the individual elements of a packed secret shared vector However, as discussed earlier Computation with packed secret sharing only allows us to perform the same operation on all the elements of the vector Moreover, in order to compute the next layer We need to be able to realign vector elements across different packed secret sharing vectors This again is traditionally not supported by packed secret sharing Overall to summarize in order to go beyond simd circuits without making use of expensive circuit transformation techniques We need to build support for different operations to be applied to different vector elements That are packed secret shared and for the realignment of vectors across packed secret shared vectors I will now elaborate on how we overcome these challenges and enable such computations Starting with how to enable different operations on different elements of the vector Let's assume that the parties have access to packed secret sharing of some Appropriately correlated masking vectors Given packed secret sharing of vectors u and v The parties can start by both adding and multiplying their shares locally and masking it with the masking vectors These resulting shares are then sent to the parties This party can now reconstruct the two vectors And create a new vector with appropriately chosen masked values from the two reconstructed vectors This party can now also compute a packed secret sharing of this new vector and distribute the shares amongst the parties Finally, the parties can compute a sharing of the unmasked vector by subtracting the shares of the appropriate masking vector Clearly, this computation relies on the parties having access to these appropriately correlated masking vectors One masking vector is used for masking the addition operation The other one is used for masking the multiplication operation And the last one is used for unmasking the final vector This unmasking vector contains elements from the previous two masking vectors We can use similar ideas for realignment of vector elements across packed secret shared vectors The correlated masking vectors for this computation can also be chosen in a similar way These two techniques are now sufficient to compute shares of these vectors in our original example Since both differing operation and realignment use similar ideas We can further optimize this computation by combining the two techniques to compute the C and D vectors directly in a single step For this computation, we will need the following correlated masking vectors We need these initial masking vectors to mask the addition and multiplication operations And then we need these correlated vectors for unmasking the final vectors Notice that the vectors used for unmasking the final vectors include elements from all of the initial masking vectors While it's clear that given these masking vectors the previous computation can be done The question that we haven't addressed so far is how do we generate these correlated vectors Note that the correlation between these masking vectors depends on the topology of the individual layers of the circuit That is how one layer connects to the other and what gates are included in this layer For generating these masking vectors with a particular correlation We can use the same batched randomness generation idea as before Where the parties start by sampling random vectors and compute a secret sharing of these vectors as well as appropriately correlated vectors The parties then multiply their shares of these correlated vectors with either a hyper invertible or a random on matrix And as a result the parties obtain n minus t sets of correlated random vectors However, the important thing to note here is that all of these resulting n minus t sets have the same correlation These sets are generated using order n square communication But since we get order n resulting sets of vectors when each vector is of length order n And each of these sets allow us to evaluate order n gates the amortized communication for generating these masking vectors per gate is order one But the amortized cost is order one only if you are able to use all of the order n resulting correlated sets generated by the previous procedure This is where we leverage the structure of highly repetitive circuits In particular as mentioned earlier a highly repetitive circuit Consists of blocks of gates with multiple occurrences throughout the protocol Since these repeated blocks have the same configuration They will require masking vectors with the same correlation If each such block is repeated order n times, then we can use all the correlated masking vectors Generated by the batching procedure Moreover in order to get savings from patch secret sharing, we need the length of each block to be at least order n As discussed before both of these properties are satisfied by highly repetitive circuits As a result, we get an order c mpc protocol for such circuits To summarize The parties start by generating packed shares of correlated masking vectors for each unique block configuration in the Highly repetitive circuit using the batched generate randomness generation process These correlated masking vectors are then used to evaluate blocks of gates in a layer-by-layer manner Using different I'm sorry differing operations pss and the realignment process or packed secret shared vectors Let me now briefly mention how we achieve malicious security Genkil et al in 2015 Genkil et al in 2015 showed that most packed secret sharing based semi honest protocols are secure against malicious adversaries up to linear attacks Which basically means that the attack strategy of an adversary A malicious adversary in such protocols is limited to injecting errors that are arbitrary linear functions of the packed secret sharing vectors This observation has been used in existing works to design simple maliciously secure Compilers that transform such semi honest protocols into maliciously secure ones by running multiple instances of the semi honest protocol And performing some validation or comparison checks at the end Similar to the compiler used in tree diet oil We show that we can also achieve malicious security by running two copies of our semi honest protocols To conclude we designed the first order c mpc protocols for a class of circuits that bigger than just sim D circuits We present constructions of both semi honest and maliciously secure protocols in the honest majority setting Our protocols are information theoretically secure We also provide implementations of our protocols and to the best of our knowledge. These are the first implementations of npc That make use of packed secret sharing Finally, we also introduce a new non interactive share conversion technique that allows parties To go from regular shares of individual values to packed shares of a vector of those values Unfortunately due to time constraints, I won't be able to go over this idea But I invite you to take a look at our paper on eprint for more details Thank you