Hi, everyone. So this talk is about secure computation in the correlated randomness model, and more specifically it deals with the long quest for secure computation with low communication. So what is secure computation? You have some number of parties. Here I will focus on the case of two parties for simplicity, but everything I say can be extended to more parties. They would like to jointly compute some public function f on their joint private inputs. The protocol should be correct, meaning that all the parties get to learn the output of the function, and it should be secure, in the sense that no party learns anything more from the protocol than the output of the function.

If you don't care about security and just want to compute a function, it's easy to see that Alice and Bob only need to exchange their inputs, meaning that the communication required to insecurely compute a function is just the size of the inputs times the number of parties. In contrast, the first protocols for secure computation, the one by Yao in 1986 and the GMW protocol in 1987, had a communication complexity proportional to the circuit size of the function. So a very important, very fundamental question in secure computation, ever since the introduction of the first secure computation protocols, has been to understand whether this is inherent: whether securely computing a function inherently requires much more communication than insecurely computing it.

Now, since the breakthrough work of Gentry in 2009, we know that under suitable computational assumptions, namely variants of the learning with errors assumption, it's actually possible to securely compute any function with optimal communication: input size plus output size plus some polynomial in the security parameter. And we also learned more recently that it's possible to securely compute a large class of functions with communication sublinear in the size of the circuit under the decisional Diffie-Hellman assumption. So under computational assumptions that are widely believed to hold, this is more or less a solved problem.

So in this talk, I'm going to revisit this question in the context of secure computation in the correlated randomness model. What is the correlated randomness model? In this model, you have a trusted dealer that, before the start of the protocol, generates and distributes correlated random coins that are independent of the inputs to the protocol and gives them to the parties. Then the parties can use these correlated random coins in the actual secure computation protocol.

So why do we care about this model? There are two main reasons. First, as was shown by Beaver in 1991, allowing a trusted setup that distributes correlated random coins to the parties allows for information-theoretically secure computation in the online phase. This is in stark contrast with standard secure computation without a setup, which requires computational hardness assumptions. The second reason we care so much about the correlated randomness model is that it turns out to lead to extremely efficient, concretely efficient, secure computation protocols. In fact, almost all modern secure computation protocols that aim at concrete efficiency work in this model. They work in two phases: in a preprocessing phase, the parties jointly generate some correlated random coins.
Then, in the online phase, the parties consume those random coins to securely evaluate the function. And this secure evaluation is not only information-theoretically secure, it is also extremely fast. Yet all protocols that we know of in the correlated randomness model for general functions require communication proportional to the circuit size of the function. So a natural question is to understand whether this is inherent. And it was actually proven by Damgård et al. in 2016 that this is indeed inherent for a large class of protocols in the correlated randomness model, called gate-by-gate protocols, which captured, at the time, all known protocols in this model.

So in this work, I'm going to revisit this question and show that we can somehow hope to get the best of both worlds: simultaneously, the sublinear communication guarantees that we could so far only achieve for computationally secure computation, and at the same time information-theoretic security and good concrete efficiency, with no cryptographic operations in the online phase.

More precisely, I show the following. For any layered Boolean circuit (a Boolean circuit is layered if you can partition its nodes into layers so that any edge only goes from one layer to the next) of size s, there is a secure computation protocol with all the properties you could want, like no honest majority, any number of parties, adaptive security, security against malicious adversaries, that securely evaluates this circuit using total communication proportional to s / log log s. Arguably, that's only slightly sublinear. But the real takeaway of this result is that there is no circuit-size barrier: it is possible to go below this barrier. The result can be extended to the interesting case of arithmetic circuits using essentially the same techniques, though it requires a few additional ideas, as well as to the case of function-independent preprocessing. And since the constants are very small (the constant here is 1, up to lower-order terms), it also leads to concrete efficiency improvements for some existing secure computation protocols. In this talk, to simplify, I will focus on the case of two parties and semi-honest security; the extension to the malicious case is not that hard.

OK, so how does this work? Our starting point is a well-known protocol for sharing truth-table correlations. This protocol allows to securely evaluate any function in the correlated randomness model with information-theoretic security when the function is represented by its truth table. So we take some function f and represent it by its truth table M, that is, the function evaluated at all possible points. Our trusted dealer first picks a random shift r and shifts the truth table M by this offset. At the same time, the trusted dealer shares this offset r in two parts; here, addition denotes a bitwise operation, bitwise XOR. So we have the shifted truth table M', and the trusted dealer additionally shares this shifted truth table in two parts, M'_0 and M'_1. Then each of the parties receives a share of the offset and a share of the shifted truth table.
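To make the dealer's step concrete, here is a minimal Python sketch of this preprocessing, assuming a Boolean-output function f on n-bit inputs and splitting the offset across the two parties' input coordinates, which is one natural way to read the sharing of the offset; the names are just illustrative, not part of the protocol description.

```python
import secrets

def deal_ott_correlation(f, n):
    """Trusted dealer for the one-time truth-table correlation (illustrative sketch).

    f: public function mapping an n-bit input (encoded as an integer) to one bit.
    Returns the correlated randomness handed to Alice and to Bob.
    """
    half = n // 2  # Bob holds the low `half` input bits, Alice the remaining high bits

    # Random n-bit offset r, and the truth table shifted by r: M'[v] = f(v XOR r).
    r = secrets.randbits(n)
    shifted = [f(v ^ r) for v in range(1 << n)]

    # XOR-share the shifted truth table into M'_0 and M'_1.
    m0 = [secrets.randbits(1) for _ in range(1 << n)]
    m1 = [shifted[v] ^ m0[v] for v in range(1 << n)]

    # Split the offset across the input coordinates: Alice masks her part of the
    # input with r_alice, Bob masks his part with r_bob.
    r_alice = r >> half
    r_bob = r & ((1 << half) - 1)
    return (r_alice, m0), (r_bob, m1)
```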
Now, using these preprocessed correlated random coins, securely evaluating the function f turns out to be extremely easy, because the parties can simply exchange their inputs, x_0 and x_1, masked by their shares of the offset r. So u_0 and u_1 together form x + r. By simply doing a lookup in their shares of the truth table at this position, they recover what you can easily check to be additive shares of f(x). So this means that to securely evaluate the function f, the parties only have to exchange their masked inputs, so the protocol has optimal communication, 2n. However, the storage required to securely evaluate this function is proportional to the size of the truth table representing the function, so it is exponential in the input size, and that's quite bad.

So the natural idea, if we want to get sublinear communication in the correlated randomness model, is to start from this protocol and ask whether it's possible to make this storage polynomial instead of exponential. It turns out that this is unlikely to be easy, because it was proven in 2013 that if we could achieve polynomial storage for securely evaluating any function, then that would imply a breakthrough on some long-standing open problems related to information-theoretic private information retrieval. So I'm not trying to prove any breakthrough result here. Instead, let's try to work around this issue by doing something extremely simple, namely a simple modification of this truth-table correlation protocol.

The core lemma that I'm going to prove, and which is a very, very simple lemma, is the following. Take any c-local function. What's a c-local function? It's a function such that every output bit depends on at most c input bits. So you can see the function as a concatenation of functions f_1 to f_m, each of them applied to a size-c subset of the input bits. Then there is a protocol that allows the parties to obtain shares of the output of the function with perfect security in the correlated randomness model, where the communication is again optimal, O(n) for input size n, but where the storage requirement is now m * 2^c + n. Compared to the previous protocol, what we've done is just shift the exponential cost of the storage from the input size to the locality parameter.

So how do we do it? It's pretty simple. Intuitively, since each partial function only operates on a size-c subset of the inputs, instead of looking at the big truth table of the entire function, you can look at the list of truth tables for each of the output bits of the function, that is, for each of the partial functions. Each of these partial functions is a function on inputs of size c, so each of these truth tables only has size 2^c. So what we can do is just apply the previous protocol in parallel for each of the output bits, and the trusted dealer will generate those shares and those shifts. Now we get a protocol where the storage is just m * 2^c, up to some additive term. But the communication has increased, because to run all those m protocols in parallel, we now need 2c bits of communication for each of the m output bits. And this is too big; that's more than the O(n) communication that I claimed we could have.
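Before moving on, here is the matching online phase of that basic single-truth-table protocol, continuing the sketch above (it reuses the deal_ott_correlation function defined there): one masked message per party, then a local lookup, with a tiny end-to-end check. Again, this is only an illustrative sketch.

```python
def ott_online(x_alice, x_bob, alice_rand, bob_rand, n):
    """Online phase of the basic truth-table protocol (two parties, semi-honest).

    Each party sends a single masked message; both then do a local lookup in
    their share of the shifted truth table and output an XOR share of f(x).
    """
    (r_alice, m0), (r_bob, m1) = alice_rand, bob_rand
    half = n // 2

    u_alice = x_alice ^ r_alice  # message sent by Alice
    u_bob = x_bob ^ r_bob        # message sent by Bob

    # Both parties now know u = x XOR r and look it up in their table share.
    u = (u_alice << half) | u_bob
    return m0[u], m1[u]          # the XOR of the two outputs equals f(x)

# Tiny end-to-end check: f is the AND of a 2-bit input, one bit held by each party.
if __name__ == "__main__":
    n = 2
    f = lambda v: (v >> 1) & v & 1
    alice_rand, bob_rand = deal_ott_correlation(f, n)  # dealer from the previous sketch
    y0, y1 = ott_online(1, 1, alice_rand, bob_rand, n)
    assert y0 ^ y1 == f(0b11)
```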
So the next idea is that we can go back to communication proportional to n by not using independent shifts for all those m truth tables. Instead, the trusted dealer only picks a single global offset r, and r_1 to r_m are not defined as independent offsets but as appropriate subsets of the bits of this single global offset, where the subsets are the sets S_1 to S_m of input bits needed to compute each partial function. If you do so, then the parties only need to exchange x_0 + r_0 and x_1 + r_1, and intuitively, running the m protocols in parallel only requires taking appropriate subsets of the bits of those masked inputs. And the security is easy to prove. So with this variant of the protocol, we obtain essentially exactly the same communication as before, but the correlated randomness is now a bit different, and we can still prove that the protocol satisfies perfect security. So this is what I call the core lemma. As you can see, it is a very simple lemma: you get optimal communication, and storage which is exponential only in the locality parameter of the function.

Let's see why this is useful for the question at hand. As I told you, the result we prove shows that we can securely compute any layered Boolean circuit with sublinear communication. So let's look at a layered Boolean circuit: the nodes can be partitioned into layers, and the edges go from one layer to the next. We will partition this circuit into chunks, each chunk containing k consecutive layers. Now look at some selected node on the last layer of a chunk, and see the value computed at this node as a function of the values computed on the last layer of the previous chunk, together with the input nodes of the same chunk; let's ignore those for now. Intuitively, the obvious observation here is that since the graph representing the circuit has in-degree 2, the selected node can only have 2^k ancestors if you go k layers up. So, phrased in terms of locality, the function that maps the values on the last layer of a chunk to the values on the last layer of the next chunk is a 2^k-local function with w inputs, where w is the width of our Boolean circuit.

So we have a local function, and we can go back to our core lemma. Using the core lemma directly, since this f_i is a 2^k-local function, we know that we can securely compute shares of f_i, given shares of its input, with communication proportional to w, the width parameter, and storage which is only exponential in the locality parameter, so proportional to 2^(2^k). What follows is quite easy. The parties first secret-share their inputs between them, and then divide the function to evaluate into d/k chunks, each chunk, as I said, containing k consecutive layers, where d is the depth of the circuit. Call these functions f_1 to f_{d/k}. For each chunk, the parties use the protocol given by the core lemma to securely compute, with optimal communication, shares of the values on the last layer of that chunk from shares of the values on the last layer of the previous chunk. This means we obtain a protocol whose total communication is the width w times d/k. If you adjust things right, w times d is just your circuit size; I'm assuming here, for simplicity, that the circuit we deal with is a rectangle, meaning all layers have the same width, but you don't need any such structural requirement. For an arbitrary circuit shape, you end up with a protocol whose total communication is s / k.
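Since the core lemma does all the work here, here is a small self-contained Python sketch of the single-global-offset variant for a c-local Boolean function, described by the subsets S_1, ..., S_m and the partial truth tables of f_1, ..., f_m; in the circuit application, one chunk corresponds to one such function with c = 2^k. The names and the exact packaging are illustrative only, and for brevity the sketch hands the full masked input u = x XOR r to both parties rather than splitting the offset.

```python
import secrets

def deal_local_correlation(subsets, tables, n):
    """Dealer for the core-lemma correlation (illustrative sketch).

    subsets[j]: tuple of at most c input positions that output bit j depends on.
    tables[j]:  truth table of the partial function f_j (2**len(subsets[j]) bits).

    A single global n-bit offset r is drawn; for every output bit j the partial
    truth table is shifted by the bits of r indexed by subsets[j], and the
    shifted table is XOR-shared between the two parties.
    """
    r = secrets.randbits(n)
    shares0, shares1 = [], []
    for S, table in zip(subsets, tables):
        r_j = sum(((r >> S[i]) & 1) << i for i in range(len(S)))  # bits of r on S
        shifted = [table[v ^ r_j] for v in range(len(table))]
        t0 = [secrets.randbits(1) for _ in shifted]
        t1 = [a ^ b for a, b in zip(shifted, t0)]
        shares0.append(t0)
        shares1.append(t1)
    # In the real protocol r itself is split across the parties' input coordinates,
    # exactly as before; for brevity we return it whole here.
    return r, shares0, shares1

def local_online(u, subsets, my_tables):
    """Run locally by each party once the masked input u = x XOR r is public:
    for every output bit, pack the masked bits indexed by its subset and look
    them up in the corresponding shifted-table share."""
    out = []
    for S, table in zip(subsets, my_tables):
        v = sum(((u >> S[i]) & 1) << i for i in range(len(S)))
        out.append(table[v])
    return out  # XOR of the two parties' output vectors is f_1(x), ..., f_m(x)

# Usage example: a 2-local function on 3 bits, f_1 = x0 AND x1, f_2 = x1 XOR x2.
if __name__ == "__main__":
    n = 3
    subsets = [(0, 1), (1, 2)]
    tables = [[0, 0, 0, 1], [0, 1, 1, 0]]  # AND and XOR, input bit S[0] as low index bit
    x = 0b110  # x0 = 0, x1 = 1, x2 = 1
    r, sh0, sh1 = deal_local_correlation(subsets, tables, n)
    u = x ^ r
    y0 = local_online(u, subsets, sh0)
    y1 = local_online(u, subsets, sh1)
    assert [a ^ b for a, b in zip(y0, y1)] == [0, 0]  # [x0 AND x1, x1 XOR x2]
```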
And the storage requirement of the protocol is now w times 2^(2^k), multiplied by d/k, which is essentially s * 2^(2^k) / k. As you can guess, you obtain the claimed result by setting k to be log log s. So this shows that you can securely evaluate any layered Boolean circuit with a polynomial amount of storage and total communication proportional to s / log log s.

This can be extended to malicious security; that's quite simple. You can also extend it to arithmetic circuits. Here, you cannot use truth-table correlations anymore, because a truth table for an arithmetic function over an exponentially large field would be way too big. But if you instead represent the chunks of your function by multivariate polynomials, you can follow essentially the same kind of approach and obtain a similar result: communication of O(s / log log s) field elements.

There are some open questions, of course, that come out of this work. First, where is the real barrier? We've achieved s / log log s, and that would not be very satisfying if s / log log s were itself a communication barrier that we cannot hope to break. So where is the real barrier? Second, is it possible to get sublinear communication and still linear computation? The protocol I gave here has computation which is quadratic in the size of the circuit, and it can be reduced to slightly subquadratic, but linear is not something we can achieve here. So can we achieve linear computation and sublinear communication? And is it possible to remove the layered-circuit requirement and extend the result to all circuits? And that's all. Thank you for your attention.