Hi everyone, thanks for tuning in. My name is Arpita Patra and in this talk, I will present a joint work with Akshayaram Srinivasan, entitled Three-Round Secure Multiparty Computation from Black Box Two-Round Oblivious Transfer.

Interaction is a valuable and expensive resource in cryptography. Consequently, a huge amount of research has been devoted towards characterizing the amount of interaction required for various cryptographic tasks. The amount of interaction is estimated using round complexity. In this work, we focus on the round complexity of the central cryptographic task of secure multiparty computation or MPC.

Let us begin with the definition of MPC. MPC permits a collection of data owners to perform a collaborative computation correctly on their inputs, on their private inputs without revealing anything beyond the computation output. The distrust is modeled by a centralized adversary that can corrupt some of the parties. MPC has been studied over various adversarial and security settings. In this work, we consider a multiparty setting with more than two parties that are connected over a broadcast or public channel. The channel can be used to send a message identically to all the parties. The adversary is computationally bounded, rushing, and static. We consider both semi-honest and active adversarial scenarios. Furthermore, we permit our adversary to corrupt a majority of the parties. Consequently, the security that we aim for is cryptographic with abort guarantee.

In this setting, it is known that oblivious transfer or OT is the minimal assumption needed. Oblivious transfer is a two-party primitive between a sender and a receiver. The sender has two inputs and the receiver has a choice bit, and the receiver receives the input of the sender that is indicated by the choice bit and nothing beyond. In its minimal form, OT requires two rounds. The receiver sends the first round message as a function of its bit and randomness.
The sender sends the second round message as a function of its pair of inputs and the receiver OT message. Finally, the receiver computes its output using the sender OT message, its bit, and the randomness. We denote the three functions respectively by OT1, OT2, and OT3. As mentioned earlier, it is known that the problem of securely computing a general n-party functionality reduces to securely computing the elementary two-party OT. Based on this profound result, we are interested in the round complexity of MPC relying on the minimal assumption of two-round oblivious transfer.

Now I will distinguish between black box and non-black box access. A cryptographic protocol can access its underlying primitive in two different ways. The first way is called black box, where the protocol is allowed to make input and output access to the underlying building blocks. In particular, the protocol must be agnostic to how these building blocks are implemented. On the other hand, the second way is called non-black box access, where the protocol is allowed to access the code of the underlying building blocks. It is well understood that a protocol that makes black box access has huge theoretical importance as well as potential practical value, since black box access tends to lead to more efficient solutions compared to non-black box access. However, non-black box access may lend more power than black box access, at least in the context of feasibility results of MPC. I will state one such result in the very next slide. Based on the importance of black box access, we are interested in the black box round complexity of MPC.

Now a bit of history of round complexity relevant to our work. There is a huge body of work in terms of the round complexity of dishonest majority protocols. I will not be able to introduce everything. So let me go over the ones that are milestones and are most relevant to our work. Also, let us restrict ourselves to the most primitive setting of semi-honest adversaries.
It is known that two rounds are necessary for MPC irrespective of the number of parties and number of corruptions. This is a folklore result and is formally proven in HLP 14. In a two-party setting, the seminal work of Yao 86 shows that two rounds are sufficient as well. And this protocol makes black box access to oblivious transfer. In the multi-party case, for a long time, we only knew about constant round protocols from black box access to oblivious transfer. And this result is due to BMR 19. Recently, Ananth et al in 2017 presented a four round MPC protocol from black box access to two round oblivious transfer, improving the result of BMR 19. And after that, in a parallel attempt, Garg et al and Benhamouda et al in 2018 presented a two round MPC protocol from two round oblivious transfer. These are the first round optimal multi-party protocols from the minimal assumption of two round oblivious transfer. However, both these protocols make novel non-black box access to the underlying two round oblivious transfer. It's an intriguing question whether non-black box use is necessary. Indeed, Applebaum et al in 2020 shows that two round oblivious, two round MPC from black box access to oblivious transfer is impossible. This demonstrates the power of non-black box access compared to black box access, because if we have to design round optimal two round multi-party protocols relying on the minimal assumption of oblivious transfer, then we have to take the non-black box route. These results leave the curious case of three round MPC open. Whether one can design a three round MPC protocol from black box access to oblivious transfer or not is still an open question, and this is the question that we settle in this paper.

So let us now move on to our results. The spoiler is it's a positive result. We have two results, one in the semi-honest and the other in the malicious setting.
In the semi-honest setting, we show that there is a three round protocol for computing every multi-party functionality against semi-honest adversaries making black box use of a two round semi-honest secure oblivious transfer. This completely resolves the black box round complexity of dishonest majority MPC in the semi-honest setting from minimal assumption. In the malicious setting, we prove a similar statement, albeit in the presence of a common reference string and also with a malicious secure oblivious transfer that satisfies an additional property called equivocal receiver security, by which we mean that the receiver's message OT1 can be explained for both the bits zero and one in the simulation. At the heart of both our constructions is our ability to compute degree three functions in two rounds via cascading OTs.

So let us now move on to our technical contribution. So our primary contribution is that of identifying a degree three n-party functionality that can be bootstrapped to a full-fledged MPC protocol in a round preserving way. We call this functionality as double selection functionality or diesel, which is described below. So we have eight parties out of which three of them are input givers, Alice, Bob and Carol, with inputs alpha, x0, x1 and y0, y1 respectively. First, Alice's input alpha is used to pick the alpha input of Bob, that is x alpha, which is further used to pick the x alpha input of Carol, which is y of x of alpha, and this is made publicly available to all. Because the selection happens twice, we call this functionality as double selection functionality. And it can be noted that computing y of x of alpha requires degree three computation. Now we observe in our work that a protocol for double selection functionality can be turned to a full-fledged MPC protocol via the round preserving compilers of Garg et al and Boyle et al. So our task reduces to designing a three round double selection protocol from two round oblivious transfer.
A bit of caution is that the actual double selection functionality that we need to use is a bit more involved than the one that I present here.

Now before designing a protocol for double selection functionality, let us first simplify this function further. In particular, we will move to a private output version of this functionality which we call as private double selection or DCLP. Here we have three parties. All of them provide inputs and the output is reconstructed only towards Alice. Now it is easy to note that a two round protocol for private double selection can be turned to a three round protocol for double selection by making Alice broadcast the output in the third round. Therefore, our refined goal is to construct a two round private double selection protocol from two round oblivious transfer. This task is still challenging because double selection private is a degree three function whereas oblivious transfer is a degree two function.

So let us now design a protocol for private double selection relying on oblivious transfer. So we have these three parties, Alice, Bob and Carol with their respective inputs. Now the idea is to have two OTs between Bob and Carol with Bob as the receiver and Carol as the sender. In the i-th OT, Bob provides Xi as the input and in both the OTs, Carol provides its input pair as the inputs. Now it can be noted that the alpha-th OT can result in the output Y of X of alpha at Bob's end. We call these OTs as inner OTs. Now Alice will use two more OTs, both as a receiver and with input alpha, one with Bob and another with Carol, to pick one of these inner OTs. To be specific, if alpha equals zero, then it picks the zeroth inner OT and if alpha equals one, then it picks the first inner OT. In a bit more detail, Alice will use the OT with Bob to obtain the receiver state for the alpha-th inner OT and she will use the OT with Carol to pick the sender's message for the alpha-th inner OT.
Now using these two, it can enact a receiver for the alpha-th inner OT and it can obtain the output of that OT, which is nothing but Y of X of alpha, and this is the desired output. We call these OTs used by Alice as outer OTs and it can be noted how we have used the outer OTs to pick one of the inner OTs.

Elaborating further, in the first round, Bob will pick two randomnesses R0 and R1 matching with X0 and X1 respectively and then it computes two receiver OT messages using the pairs X0, R0 and X1, R1 respectively for the inner OTs, and these are broadcast. In parallel, Alice will pick a randomness R for its input alpha and it will also prepare a receiver OT message for the outer OTs, and these are also broadcast. In the second round, Carol will use the receiver OT messages from Bob for the inner OTs and its input pair Y0 and Y1 to compute sender OT messages for the inner OTs. Now, these are further used to compute a sender OT message for the outer OT with Alice and this message is broadcast. Now, it is this place where we use the idea of cascading OTs. So if you notice carefully, the OT messages for the outer OTs are OT messages themselves from the inner OTs. This is why we call this idea as cascading OTs. On the other hand, Bob will use the pairs X0, R0 and X1, R1 as the sender's input for the outer OT with Alice and the computed sender message is broadcast. Alice now will use the OT with Bob to compute X alpha, R alpha, which is the receiver's state for the alpha-th inner OT, and Alice will further use the OT with Carol to compute the sender message for the alpha-th inner OT. Now, using this, it can enact a receiver to compute Y of X of alpha, which is nothing but the output of the alpha-th inner OT, and this is also the desired output. So this concludes our protocol for the semi-honest case.

Moving on to the malicious case, we face several challenges. I will mention just a few of them here. First of all, we migrate to malicious OTs in all cases.
Now, a corrupt Carol may not be using the same pair Y0 and Y1 in both the inner OTs. Furthermore, it may not be using the resultant OT sender messages for computing the outer sender OT messages. In order to maintain correctness in this case, we use the technique of MPC in the head from ICOS 27. And as far as a corrupt Bob is concerned, it may not be using these pairs correctly for computing the sender OT message for the outer OT. And in order to maintain correctness in this case, we'll use the idea of OT combiners along with Garg et al's round-squeezing compiler. Although all these techniques are well-known from the literature, their application in our context required a considerable amount of novelty. So please look at our full paper for more details.

And now I would like to conclude and mention a couple of open questions. So first, we resolved the black box round complexity of MPC in the semi-honest setting under minimal assumptions. We gave a three-round protocol in the semi-honest setting that made black-box use of a two-round maliciously secure OT that additionally satisfies a mild variant of adaptive security for the receiver. So it is an interesting open question whether in a malicious setting, we can get rid of this additional adaptive security requirement. Furthermore, designing or working out a completely efficient protocol in our context is another interesting open question. That is all I have. Thank you for listening. Bye.
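
The two-round private double selection protocol described in the talk, written out as an added Python example that is not code from the talk or the paper. `ot1`, `ot2` and `ot3` mirror OT1, OT2 and OT3 and are used only through their inputs and outputs; the OT itself is a toy semi-honest Diffie-Hellman-style construction over an assumed small group, and all function names, parameters and the JSON encoding are hypothetical choices made for this illustration.

```python
import hashlib, json, secrets

P, G = 2**127 - 1, 3   # toy group (assumption): integers mod a Mersenne prime

def _pad(seed, n):      # hash anything printable to an n-byte one-time pad
    return hashlib.shake_256(str(seed).encode()).digest(n)

def _xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def _rand():
    return secrets.randbelow(P - 2) + 1

def ot1(bit, r):        # receiver, round 1: function of choice bit and randomness
    pks = [0, 0]
    pks[bit] = pow(G, r, P)                                           # exponent r known
    pks[1 - bit] = int.from_bytes(_pad(("dummy", r), 16), "big") % P  # exponent unknown
    return pks

def ot2(msg1, m0, m1):  # sender, round 2: function of receiver message and input pair
    out = []
    for pk, m in zip(msg1, (m0, m1)):
        s = _rand()
        out.append([pow(G, s, P), _xor(m, _pad(pow(pk, s, P), len(m))).hex()])
    return out

def ot3(msg2, bit, r):  # receiver output: function of sender message, bit, randomness
    a, c = msg2[bit]
    c = bytes.fromhex(c)
    return _xor(c, _pad(pow(a, r, P), len(c)))

def private_double_selection(alpha, x, y):
    # Round 1: Bob broadcasts two inner receiver messages, Alice one outer message.
    r_bob = [_rand(), _rand()]
    inner1 = [ot1(x[i], r_bob[i]) for i in (0, 1)]
    r_alice = _rand()
    outer1 = ot1(alpha, r_alice)
    # Round 2, Carol: inner sender messages become her inputs to the outer OT.
    inner2 = [json.dumps(ot2(inner1[i], bytes([y[0]]), bytes([y[1]]))).encode()
              for i in (0, 1)]
    carol2 = ot2(outer1, inner2[0], inner2[1])
    # Round 2, Bob: receiver states (x_i, r_i) are his inputs to the outer OT.
    states = [json.dumps([x[i], r_bob[i]]).encode() for i in (0, 1)]
    bob2 = ot2(outer1, states[0], states[1])
    # Output (Alice only): recover state and sender message of inner OT number alpha.
    x_a, r_a = json.loads(ot3(bob2, alpha, r_alice))
    inner_msg = json.loads(ot3(carol2, alpha, r_alice))
    return ot3(inner_msg, x_a, r_a)[0]
```

Alice never sends a second message: the only values she can open are the state and sender message of the inner OT indexed by alpha, so her output is Y of X of alpha after two rounds, and a third-round broadcast of that value gives the public-output version.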