 Welcome. I'm going to talk about efficient perfectly secure computation with optimal resilience. I'm Gilad Asharon from Baryland University and this is a joint work with Itaia Braham and Avishaya Nai. So in the setting of secure multi-party computation we have some set of mutually distrustful parties each has some private input and the parties wish to compute some joint function of their inputs are preserving some security properties such as privacy correctness and so on. One of the seminal results in secure computation is that of Beno Goldwasser and Wittgerstern in 1988. It says that secure computation is possible in the semi-honest settings with perfect security assuming that the adversary corrupted most one half of the parties. In the malicious settings the adversely incorrupted most one-third of the parties. Both results are tagged. Perfect security means that the adversary can be computationally unbounded and protocols in these settings are usually also adaptively secure and secure under concoct composition once they satisfy some natural requirements. What is the communication complexity of the protocol? For computing a function f we first represent it as an arithmetic circuit c. Then the communication complexity of the protocol is n square times the sides of the circuit in the semi-honest setting and in the malicious settings we have that the adversary can slow down the protocol but it cannot break security. Those we have both optimistic case and pessimistic case where the adversary in the optimistic case where the adversary does not slow down the protocol the communication complexity is n to the four times the size of the circuit and a pessimistic case what the adversary does successfully slow down the protocol we have n to the six times the size of the circuit. Our result we're going to show a protocol where we improve both the optimistic and pessimistic cases and we show a protocol where the optimistic case is n cubed times the size of the circuit and in the pessimistic case it's n to the four times the size of the circuit. Another way to view our improvement is as follows so in BGW and the semi-honest settings the total communication complexity per each multiplication in the circuit is the communication complexity of secret sharing times the number of parties n. In a malicious case we have to use verifiable secret sharing instead of just secret sharing but now we need much more secrets to share. In the BGW protocol this requires sharing of n squared elements per multiplication. Our result we show how to match the same amount of secrets as in the semi-honest case and have only linear number of V assesses. In addition we have some bones consider a circuit G that has L inputs and M outputs of multiplication depth 1. In other words this is a polynomial of degree 2. Think that G is large while L and M are relatively small. To compute such a circuit BGW requires the amount of V assesses that are proportional to the size of the inputs and outputs of G plus also something that depends on the size of the circuit. In our protocol we can securely compute such a circuit with the number of V assesses that is proportional only to the input and output size of the circuit and it is completely independent of the number of multiplications in G. This can also be generalized to multiplication to circuits with multiplication depth greater than 1 while we only need to pay the amount of wires that exist between the layers and we are independent of the number of multiplications in each one of the layers. Note that this means that the communication complexity is sublinear in the circuit size. This is similar to R1 CS in zero knowledge and for the best of our knowledge this is the first time that this appears in the perfect setting. As an example consider the task of matrix multiplication. This is a circuit in which the number of inputs and outputs is relatively small. Something like M squared while the number of multiplications at least when we implement this circuit naively is M cubed. This means that BGW will require this amount of V assesses. It's N squared times M cubed. Well our protocol we improve first of all N squared to N for any circuit and for this particular circuit we can also compute it from in M squared instead of M cubed. Some related works. So our setting is the case of constant around permultiplication with perfect security, malicious security and optimal resilience. This means that at most one third of the parties are corrupted. In that case we achieve the following communication complexity. We have N to the cube in the optimistic case, N to the four in the pessimistic and the round complexity is proportional to the depth to the multiplicative depth of C. There are more efficient protocols in terms of communication complexity in the perfect setting that are based on player elimination technique, which the best protocol here even achieves linear dependency on N, the number of parties. In that technique, players that are detected cheating during the protocol are removed from the protocol and then we need to repeat some part of the computation. This increases the round complexity of the protocol for shallow circuits. Moreover, for circuits with multiplication depth one, our protocol can also obtain communication complexity that depends only on the input and output size of the circuit and is independent of the size of the circuit. And it is unclear if a similar technique can be implement in the other line of works that are based on player elimination. As such, those kinds of protocols are formally incomparable where it seems that for shallow, wide circuits, our protocol is more preferable, while for large depth circuits it is kind of clear that this approach is better. Before proceeding to the technical part of the talk, I am going to assume some familiarity with the semi-honest version of BGW with simplification of Gerana or Rabin and Rabin. I will also assume some familiarity with the verifiable secret sharing or protocol of BGW or that of Feldman. Those who want to review these protocols are welcome to follow those two links that appear now on the screen. So, our starting point is the protocol for computing multiplication gates in BGW. Just take a step back. The BGW protocol follows the paradigm of secure computation based on secret sharing, in which the parties evaluate or emulate the execution of a circuit that implements the functions that they wish to compute while hiding each value, the value on each wire in the circuit using a secret sharing scheme. The parties emulate the computation of the protocol gate by gate, while the parties run a secure protocol for computing value of an output wire of each one of the gates using their shares on the input wires. So, now we are looking at the protocol for multiplication gate. The parties hold shares on the two input wires. So, this is what we have over here. Each party PI holds A alpha I, B alpha I for some degree T polynomial, AX and BX, respectively. And the goal is that each party needs to hold a share on the output wire, some C alpha I, for some degree T polynomial, satisfying that the constant term is the multiplication of the two constant terms over here. The BGW protocol shows how to do it, or essentially shows how to do it, and how to reduce this multiplication with no dealer, where no party knows A, B and C, to end executions and building blocks of execution of the same building block of multiplication with a dealer, where there is a party that knows A, B and C. So, multiplication with a dealer is the following functionality. Each party PI holds some share on some polynomial where there is a dealer, PK, that also knows the two polynomials, AKX and BKX. And the goal is that PI will hold a share, CK on alpha I, for some degree T polynomial in which the constant term is the multiplication of those two polynomials. And again, there is a dealer that knows now CK of X. If the dealer fails, then the party simply recovers the constant term of the two polynomials that were shared. Now, let's remove... I'm removing the subscript AK for gravity. And let's take a look how BGW implemented this functionality. So, the protocol, in that protocol, the dealer holds two polynomials, A and B. And the goal is to actually share a polynomial, C, satisfying that the constant term is the multiplication of those two polynomials, of the constant term of those two polynomials. Now, what is going to do is going to choose such polynomial, C of X, and share it using a verifiable secret sharing. So now at this point, each other party, which is not a dealer, holds one share on the polynomial A, one share on the polynomial B, and one share on the polynomial C. The dealer wants to prove that this relationship holds. And to do that, it's going to define the additional polynomials, D1 to DT, such that this equation holds. Okay? Now, let's take a look what we have over here. So, we have A times B. This is going to bring... to give us a polynomial of degree 2T. And then we're going to have D... T polynomials where our goal is essentially to reduce or to remove all the T-leading coefficients of the polynomial A times B. This requires NVSSs in total to prove this. Now, the way the protocols work is that each party gets all the shares, so after the dealer shares those polynomials, each party holds A alpha I, B alpha I, and also has D1 alpha I to do T... to DT alpha I. And it can verify that this relationship actually works. Now, if this works for all the oldest parties where we have 2T plus 1 oldest parties, this is going to define a unique polynomial. And this guarantees that actually C on 0 actually is A times 0, B times 0 minus something that all of those, because we multiply by X to L, does do not affect the constant term. So, this guarantees that actually C on 0 equals A on 0, B on 0. Now, the dealer shares those polynomials, each party verifies that this relationship holds, and if not, it's going to broadcast a complaint, and then the parties can reconstruct its share, because all the polynomials out of degree T, we can reconstruct and check publicly that this relationship's hold. Now, this requires a linear amount of VSSs in the number of parties, and this seems even essential, because to remove one... once we share a polynomial of degree T, because the adversary controls T corrupted parties, this doesn't give us a lot of degree of freedom. So, we only write one coefficient in that polynomial. In secret sharing, usually we put the secret as a constant term, here we're going to put the secret in the leading coefficient, and essentially, we only hide one coefficient. Now, to remove T coefficients, it seems necessary to share T polynomials. What we're going to do in this work, we're going to show how to do this exact functionality, how to implement this protocol with just one single VSS, instead of having a linear amount of VSSs. And the key idea is that maybe we can do secret sharing of a polynomial of degree 2T, instead of a polynomial of degree T. How can we do that? So, before we actually proceed, let's just take one step back. So, essentially, we're going to follow a different invariant than that of BGW. We assume that each wire is even using a bivariate polynomial of degree T in both variables, and not just a univariate polynomial, as in BGW. This makes the following changes that we see over here in the functionality. And the goal is to get two univariate polynomial shares on the output wires, like we have over here. We know that this invariant removes another building block from BGW, and without it, our current improvement is not going to actually reduce the communication complexity. So, we need to take also this technique in order to actually get the improvement over BGW. Okay. So, how do we share a polynomial of degree 2T? Or what happens if we take the verifiable secret sharing protocol of BGW and try to use it for sharing a degree 2T polynomial? So, again, I'm going to assume you're some familiarity with the protocol for verifiable secret sharing. There is a link over here that you can scan and see the protocol in detail. So, in our case, the dealer is going to distribute a bivariate polynomial in degree 2T in X and degree T in Y. In the first one, the dealer is going to send, is going to define the share of party PI as the evaluation of the polynomial where we fix the Y with a Y part, and also going to define a GIY where we're going to fix the X part in the polynomial, in the bivariate polynomial. In the first one of the protocol, the dealer sends to each party its two univariate shares, its two univariate polynomials. Know that F is of polynomial, is a univariate polynomial of degree 2T, while G is a univariate polynomial of degree T. Then, exactly as in BGW, we're going to extend subshares. I'm going to evaluate IMPI. I'm going to evaluate FINGI on the point J. I'm going to send that to party PJ. Each party checks that whatever it receives, that's the third round, or the end of the second round, each party is going to see all the values that it received, and then it's going to check that it's the same as the one that expected as was sent by the dealer. If not, it's going to complain. The dealer will have to open those that have false complaints, and at the end, we're going to have a complete resolution phase where each party checks that whatever was broadcasted fit to the view, fit to the shares that they have, and if so, they're going to broadcast good. We're going to accept the dealer, the shares of the dealer once we have 2T plus 1 good votes. Now, to have a recall that we have 3T plus 1 parties in total, so we want that 2T plus 1 parties are going to be happy with their shares and whatever they saw. What happened when 2T plus 1 parties voted good? It means that only T plus 1 honest parties are actually happy, with what they see, because we might have T corrupted parties that vote on something which is incorrect, or the dealer is malicious and T parties just vote good even though nothing is actually good. What does it mean that we have only T plus 1 honest parties? It means that when the dealer broadcasts and make public reveal a share of some party, it needs to reveal both the f-share and the g-share. However, the f-share is of degree 2T plus 2, it's of degree 2T. So we need 2T plus 1 points to actually fix that polynomial. However, we have only T plus 1 honest parties that see that polynomial. So this is, so if we have only T plus 1 honest parties that broadcast good and say, okay, I'm happy with this public reveal polynomial, it doesn't mean that this f-pollinomial is actually correct, because it is a polynomial of degree 2T and we just know that T plus 1 points are actually consistent with something that the core of the honest parties that define the bivariate polynomial is actually correct. So in other words, at the end of the protocol we might have the case that some honest parties, that some honest party that his share was publicly revealed doesn't hold the correct f-pollinomial because it doesn't really agree with all the other honest parties or it agrees with T plus 1 honest parties but it doesn't uniquely define the polynomial. So to avoid this problem, we simply give up and we ask the dealer to reveal only the g's polynomials whenever it is to publicly reveal a polynomial because the g's are of degree T. What does it mean? It means that at the end of the protocol of this sharing phase of polynomial of degree 2T, there are going to be parties, honest parties that don't have an f-pollinomial, that don't really have a share on the polynomial. We are going in the reconstruction, we are going to ignore those parties and only those that voted good are going to contribute to contribute in the reconstruction. So what do we have so far? So if the dealer is honest, then we know that the parties will going to extend sub-shares, everything is going to be correct and the dealer will never have to reveal a polynomial of an honest party. This means that at the end of the protocol there are going to be 2T plus 1 honest parties that have both the f-pollinomial and the g-pollinomial. When the dealer is corrupted, if the part is actually accepted in the shares, it means that we have only T plus 1 honest parties that have both f and g. It means that during the reconstruction, we will need the help of the adversary in order to reconstruct. Let's see the reconstruction. So the reconstruction is going to be as follows. The dealer is going to broadcast this polynomial. This is a polynomial of degree T. And each party that has an f-share is going to check the point, the intersection of the two polynomials. And if it's actually okay, and this is the correct value, then it's going to say good or okay. And if 2T plus 1 parties are going to say good, then we're going to accept this polynomial that was broadcasted and reconstruct the constant term. So however, we have only T plus 1 honest parties that have correct f-pollinomial. This means that in actually to reconstruct, we must have the help, we must need the help in the case of a corrupted dealer of the corrupted parties in order to reconstruct the secret. However, we do have binding. What do you mean by that? Is that the dealer cannot now, if the party's accepted the shares in the sharing phase, the dealer cannot give a polynomial that is different than the polynomial that is defined by the shares of the T plus 1 honest parties. So during the reconstruction, either we are going to reconstruct the right, the correct constant term, or we're going to reconstruct bottom. Namely, we know that something failed. This is in other words what we so-called weak secretary. There is binding, but reconstruction is not guaranteed. So our multiplication with the dealer looks like the following. So the dealer holds polynomials A and B, and the dealer shares a bivariate polynomial satisfying this relationship. So its constant term is the multiplication of these two polynomials. Each party is going to have a share on A and B, and a share on the bivariate polynomial C. The dealer is going to define a single one polynomial, dxy, which has degree 2t and x, and degree t and y, such that the following relationship holds. So this is dx0 equals ax times px minus cx0. Note that on 0, if indeed a c00 equals a0 times b0, then the constant term of d is supposed to be 0. Each party is going to verify that this relationship actually holds. So we look at this polynomial, and this polynomial, and we try to find if those two polynomials are actually the same. If they are not the same broadcast complaint, we are going to reconstruct, see that if something, we can publicly reveal the shares of a party that broadcasted a complaint, and we can publicly reveal if the complaint is true or not. And then after we did all of that, and we actually see that those two polynomials are the same, the dealer is going to publicly reveal this polynomial, t, 0, and y, and all the parties can publicly verify that the constant term is 0. Now, recall, this is just a weak secret chain. So it might be that this reconstruction is not going to work, but if it doesn't work, we don't care, because this means that the dealer is corrupted, and we can reconstruct a and b and learn the constant term. So essentially, we just need to share here one secret chain. We need to do only one VSS of a degree 2t polynomial, but instead of having verifiable secret chain, we just have weak secret chain. Let's just see it in a picture. So the dealer is going to define a univariate polynomial, this one that's going to satisfy dx of 0 equals ax times bx minus cx0. Okay, so it's going to share the polynomial c, that its constant term is supposed to be a times b. And then it's going to choose a polynomial d that satisfies this equation. So it's going to choose just this univariate polynomial in degree 2t, and build a bivariate polynomial on top of it. It's going to do a secret chain of that, a weak secret chain of that degree 2t polynomial. And during the reconstructions, the parties are going to reveal, the dealer is going to reveal this polynomial, but this polynomial reveals nothing because the dealer, the corrupted part is already, this is a polynomial of degree t. The corrupted part is already hold t shares on this polynomial, and they already know, are supposed to know that dx of 0 is equal to 0. I mean, otherwise, we have a problem and we need to reject the sharing of the dealer anyway. What about the bonus? So far, we looked at how to do one single multiplication. We can also look at more complicated gadgets. In fact, any sub-circuit with multiplication depth 1, or any layer in our entire circuit. Each party can compute this sub-circuit on all the shares of the inputs that it has. And this, and then prove using one single VSS per output wire that this was actually computed correctly. So for conclusion, we show improvement of a classical protocol for secure computation, which also significantly simplifies the protocol. The protocol also beats the state of the art protocols for some applications, as we say it for shell or wide circuits. And for some applications, our protocol also achieves sub-linear communication complexity. This is the first time that, from the best of our knowledge, this is the first time that happens in the perfect setting. So thank you so much for listening.