 Hello everyone. My name is Yifan Zhang. Today I'm happy to give a talk about our results, constant overhead and conditionally secure multi-party computation over binary fields, co-authored with Andy Goni polychroneado. Multi-party computation allows several mutually destructed parties to jointly evaluate a common function on their private inputs. The whole protocol is an interactive procedure among all parties. At the end of the protocol, each party will receive its output of the common function. The security of a multi-party computation protocol guarantees that the protocol execution does not leak any information about the individual input beyond what can be inferred from the function output. In other words, each party can only learn its own input and output during this process. Usually, the functionality is represented as a circuit, and in particular, here we choose to use an arithmetic circuit over a finite field. The circuit supports addition and multiplication operations. In this work, we focus on small finite fields, such as the binary field. We consider the information theoretic setting with I's majority and assume a P2P channel between every pair of parties. We are interested in the malicious security with the bot. In the following, we use N for the number of parties and a T for the number of private parties. Before we move on, I would like to motivate my talk by answering the following two questions. First, why do we care about N conditional MPC? A key feature of the N conditional MPC is that we do not need any extensive cryptographic primitive, such as public encryption or other transfer, and the protocol is secure and conditionally. When comparing with protocols in the computational setting, one major benefit is that protocols usually do not require complicated and time consuming local computations. As a result, the most efficient MPC protocols are in the N conditional MPC paradigm. Second, why do we focus on the communication complexity? The local computations are technically simple, often just a series of linear operations. The efficiency of a protocol in the real world is dominated by its communication complexity. No solutions to the information theoretic MPC all have a log N multiplicative overhead in the communication complexity. Concretely, the communication cost per gate is the order of N times log N bits for small fields. This is because most of communication efficient MPC protocols are based on the Shamir secret sharing scheme. A Shamir secret sharing naturally requires a finite field of size at least N, which leads to the log N multiplicative overhead. In the design majority setting, it is known that information theoretic protocols are possible in the preprocessing model or correlated to random model. Even known speech-like protocols can achieve order of N bits per gate, but they require to prepare order of N times kappa bits of preprocessing data, where kappa is the security parameter. Preparing such amount of preprocessing data in the highest majority setting requires order of N times kappa bits of communication. When targeting for CMD circuits, that is evaluating multiple copies of the same circuit, the recent work CCX by 18 shows that one can evaluate log and copies of the same circuits such that the cost per gate is order of N bits. Similarly, in the design majority setting, the work DC-13 and CG-20 shows that it is possible to evaluate kappa copies of the same circuits such that the amount of preprocessing data is also order of N bits per gate. Unfortunately, their solutions do not work for single circuits. The recent works also consider the suboptimal threshold, where the number of crowded parties is bounded by one-half minus epsilon times N, where epsilon is the constant. The work HVW-20 achieves order of N bits relying on the idea of NPC in the head. The work CRX-21 achieves the same results relying on a new design arithmetic secret sharing. However, we would like to point out that their solutions do not extend to the standard highest majority setting. Also, a recent crypto work GPS-21 shows that one can even achieve order of log N bits per gate in the suboptimal threshold, which is sublinear in the number of parties. In this work, we consider the following question. Is it possible to construct information theoretic NPC protocols in the standard highest majority setting for computing a single boolean circuit with amortized communication complexity order of N bits per gate? Our work answers this question affirmatively. It shows that there is an information theoretic NPC for N parties against T smaller than N by two proportions in the presence of a malicious adversary evaluating a single boolean circuit with amortized communication complexity of order of N bits per gate. Our result can be naturally extended to any finite field with communication complexity order of N elements per gate. To make use of the standard Shamir secret sharing, informally, a Shamir secret sharing uses a random polynomial to have a single secret as the evaluation point zero. Because that T is the number of public parties, in our construction we use the Shamir secret sharing with degree T. It satisfies that the secret can be reconstructed with any T plus one shares, and any T shares are independent of the secret. We use the square brackets of X with subscript T to represent a degree T Shamir sharing of the value X. The Shamir secret sharing scheme is linearly homomorphic. Finally, adding two degree T share rings X and Y yields a degree T sharing of the secret X plus one. Our starting point is the speech like protocol. We note that a speech like protocol can achieve all of N bits of communication per gate in the online phase. However, it requires to prepare all of N times kappa piece of preprocessing data in the offline phase. We notice that the amount of preprocessing data can be improved to all of N times log N bits per gate. We will discuss this improvement later, but note that it still does not solve the problem. On the other hand, the protocol in CCXY18 only needs to pay all of N bits of communication per gate when evaluating a CMD circuit. The drawback is that it does not work for a single circuit. The main idea is to make use of the protocol in CCXY18 to prepare the preprocessing data, which is used in an efficient speech like online protocol. Our reason of doing so is that, purely, the preprocessing data is much easier to be prepared in a batch way, since we do not need to consider the circuit structure. The drawback is that the preprocessing data prepared by the protocol in CCXY18 should be used to evaluate a batch of gates each time. However, if we want to use the speech like online protocol, we need to unpack the preprocessing data so that it can be used gate by gate. To achieve that, we introduce what we refer to as hidden additive secret sharing. There are also other issues. For example, we need to design an efficient verification protocol to achieve malicious security, which we refer to our paper for more details. Here is an outline of this talk. We first review the speech like online protocols, which we abstract as a prototype protocol. Then we discuss the techniques in CCXY18. Finally, we introduce hidden additive secret sharing, which allow us to unpack the preprocessing data prepared by the protocol in CCXY18 and use them in the prototype protocol. At the high level, the idea of a prototype protocol is to compute an additive sharing for each way. The benefit is that additive sharing are well defined in the binary field, each share is just a single bit. However, the drawback is that we cannot verify the correctness of the secret. To solve it, we use a linearly homomorphic MAC. An authenticated additive sharing contains two parts. The first part is an additive sharing of the secret X, and the second part is an abstract MAC of the secret X. It satisfies that the abstract MAC can be used to verify the secret X. With input sharing X and Y, we can locally compute the output sharing Z to be X plus Y. For a modification gate with input sharing X and Y, we use the standard technique of viewer triples, which requires to prepare a tuple of sharing A, B and C, where A, B are random bits, and C is equal to A times B. The cost per gate is stressed out of n bits, details are omitted for simplicity. Therefore, the main task of the offline phase is to prepare viewer triples. Because that authenticated sharing of X consists of an additive sharing of X and an abstract MAC of X. In speeds, the MAC is instantiated by an additive sharing of alpha times X, where alpha is a random element in a large enough finite field. It ensures that with overwhelming probability, our adversary cannot change the secret X without being detected. However, it also leads to a copper multiplicative overhead in the size of the pre-processing data. In the ARNIS majority setting, we can alternatively use a degree T share share ring for the abstract MAC. This is because the secret is determined by the shares of ARNIS parties, so our adversary cannot change the secret without being detected. However, the use of a degree T share ring leads to a lot of multiplicative overhead. Now we discuss the techniques in CCX by 18. The CCX by 18 introduces the notion of reverse multiplication friendly embeddings, or RMFB for short. The RMFB is a pair of linear maps, phi and the cosine, which allows to perform coordinate by multiplication or small fields by operating over extension fields. The secret is that now we can use Jamia share rings in the extension field without having log n term, because each time we will compute log n multiplications as a cost of one multiplication in the extension field. For example, suppose we want to compute the multiplications of two vectors A and B. We first encode these two vectors separately and denote the results to be phi A and phi B. And then phi A and phi B are elements in the extension field. Instead of doing the coordinate by the modification over small fields, we multiply the two encodings phi A and phi B. Then a RMFB allows us to decode the coordinate by the modification results by applying the linear map side on phi A times phi B. The first linear map phi encodes a vector of KBs to a field element in an extension field of size 2 to the M. We will discuss the relation of K and M later. If we have two vectors A and B, and then you encode them to be phi A and phi B. The property of RMFB allows us to multiply these two encodings such that we can decode the results to be the coordinate by the modification between A and B. Concretely, say Y is equal to phi A times phi B, then we can view Y as a psi encoding. After applying the second linear map psi on Y, we obtain the vector of A1 times B1 to AK times BK. Of course, to obtain a phi encoding of the modification result, we just need to apply again the linear map phi on the result. The idea in CCXY18 is to encode a batch of K-vars into a field element and then only operate on the extension field. For example, to compute a coordinate by the modification in a secure way, our parties first transform the vectors A and B to Shamir shear rings of phi A and phi B. Then our parties run a modification protocol to compute the Shamir shear ring of Y. Finally, some interactive step is done to transform the Shamir shear ring of Y to the Shamir shear ring of the phi encoding of the modification result. Both of these two steps can be done efficiently. The work of CCXY18 shows that there is a RMFB such that K over M is the constant. Then a batch beaver triple can be prepared with communication complexity out of M times N bits since each element is in the extension field of size 2 to the M. On the other hand, each batch beaver triple is used for K gates. The amortized cost per gate is just out of N bits. Now we are ready to introduce our main technique, hidden additive secret shear rings. Recall that relying on techniques in CCXY18, we can efficiently prepare batch beaver triples where each triple is used for K modification gates. A set notice that CCXY18 is in the setting of one third preference threshold. Our work extends their results to the highest majority setting. Also recall that relying on the prototype protocol inspired by NNOB12 and DPSD12. We can efficiently evaluate the circuits with the help of authenticated beaver triples. The missing piece is that batch beaver triples cannot be directly used in the prototype protocol. We need to unpack each batch beaver triple into K individual authenticated beaver triples so that they can be used one by one as required in the prototype protocol. The problem boils down to the following. For Vector A of K bits, all parties initially hold a semi-assuring of the encoding of the Vector A. We want to transform the semi-assuring to K authenticated shear rings, one for each bit AI. Recall that an authenticated shear ring consists of two parts. One is an additive shear ring of the secret and the other one is an abstract MAC of the secret. We first focus on the additive shear rings. By log rendering interpolation, all parties can transform the semi-assuring of Phi A to an additive shear ring of Phi A by locally multiplying suitable constants on their shares. Note that each shear is still an element in the extension field. In the second step, each party applies the inverse of Phi on its own shear. Then each shear becomes a vector of K bits. In particular, since the inverse of Phi is also linear, the summation of all vectors is equal to the vector A1, A2, and AK. Therefore, all parties obtain additive shear rings for each bit AI. For abstract MACs, we need to use a linearly homomorphic MAC in the prototype protocol. Recall that MAC is used to verify the secret of the additive shear ring. We note that the semi-assuring of Phi A is already verifiable. To see it, the secret Phi A is determined by the shares of all parties, so those three cannot change the secret without being detected. Furthermore, each bit AI can be recovered from the secret Phi A. Therefore, our first attempt is to directly use the semi-assuring of Phi A as the MAC. We may define the MAC of AI to be a degree T semi-assuring of a Phi encoding of a vector that contains the secret AI. Now we check whether the MAC we define is linearly homomorphic. Consider the authenticated shear rings of A1 and A2. Note that we use the same semi-assuring as the MACs. After we add these two associated shear rings, the MAC is the semi-assuring of Phi 2 times A. However, the vector 2 times A does not contain A1 plus A2. We cannot use this kind of MACs in the prototype protocol. Our idea is to first purify the MAC. We note that the semi-assuring of Phi A contains not only the secret we want, but also other secrets in the vector A. We want to remove the dependency on unrelated secrets. Let's focus on the first secret A1. One way to do that is to multiply all other secrets with zero, but the first secret with one. Consider the vector E1 where all other entries are zero, except the first entry is one. Then the coordinate by the notation between A and E1 is the vector which only contains A1 and zero. Here we rely on the RMFE again by locally multiplying Phi E1 and the semi-assuring of Phi A. All parties obtain a semi-assuring of Y, which is an encoding of the vector A1 and KMAS1 zeros. In general, for each additive sharing of AI, we can purify the MAC by multiplying Phi EI and the semi-assuring of Phi A. Here, EI is a vector where all other entries are zero, except the S entry is one. Now consider two additive sharing A1 and A2. After we add these two sharing, the MAC part is the semi-assuring of Y1 plus Y2, which is an encoding of the vector A1, A2, and the KMAS2 zeros. We observe that the summation of all entries is A1 plus A2, which is just a secret. In general, the vector encoded by Y1 plus Y2 can be viewed as an additive sharing of the secret A1 plus A2. In other words, the secret is hidden as an additive sharing under the encoding. Therefore, we define the MAC as follows. For an authenticated sharing of the secret X, the MAC should satisfy that. First, the MAC of X is a degree T semi-assuring of Y. The vector encoded by Y satisfies that the summation of all entries is X. We can verify that MAC X is linearly homomorphic. Now given a semi-assuring of Phi A to transform it to K authenticated sharing, all parties use log-brand interpolation to locally transform the semi-assuring of Phi A to K additive sharing. Then, for each additive sharing AI, all parties locally set mic AI to be Phi EI times the semi-assuring of Phi A. In summary, we first review the prototype protocol in NNLB12 and DPSD12. It allows an efficient online phase with the help of authenticated viewer triples. Then we review the techniques in CCX by 18, which allows to efficiently prepare the batch viewer triples. To connect these two parts, we use semi-assurance to properly define the MAC part in the authenticated sharing. Then we show that all parties can locally unpack each batch viewer triple to K authenticated viewer triples. Thus, our construction works as follows. In the preparation phase, all parties prepare batch viewer triples using techniques in CCX by 18. Then all parties use our technique of hidden additive secret sharing to locally transform each batch viewer triple to K authenticated viewer triples. Here, authenticated sharing of X consists of an additive sharing of X and a semi-assuring, which serves as the MAC. Finally, in the online phase, all parties locally evaluate addition gates, interactively evaluate multiplication gates with the help of authenticated viewer triples. At the end of the evaluation, all parties use semi-assurance in the authenticated sharing to check the crackiness of the computation. More details about verification protocol and the whole protocol can be found in our paper. As a result, we achieve the communication complexity of all the n bits per gate for a single boolean circuit in the standardized majority setting. Thank you.