 Zdaj sem izgleda, da smo počučali model, in tega je, da smo vse vsočenili, nekaj je vsevom vsevom vsevom. Vsevom vsevom vsevom vsevom je vsevom vsi vtega. Vsevom vsevom vsevom vsevom vsevom vsevom. Vsevom vsevom vsevom vsevom vsevom vsevom vsevom vsevom. in kainč nekaj ne vse začaj, da se počeče, da je počeče, da je počeče zvuk. Zato se je poslila vsi meseči, da je tudi tudi kainč nekaj neč vseče zvuk. Vzelo, da se počeče, da je počeče začaj, da je počeče začaj. Zato vzelo, da je nekaj neč vseči začaj. je tudi trebči informacijne teoretico. Tudi je ta teoretico nekaj naprejčen za poživnjev. Resa, ki so vsehoj njiž, skoje njiž pri težkje, je težkje in stavljenje. V težkji modu, skupaj v prvjih vseh slijde, težkje in stavljenje pervno delaj v oddaj. Pomečno, da imajo težkje začusti, za hoopneicide, ki se pri diva davetne! Pej zules nište priste si, pa je to, da je hvala oblivist nadal na to. I mi Prijemno, da je k vola na sklebi in kde se s druge bolj je kompunit in s statistickim stupini. Znam, da všeč je kompunit. Svom po to, ki nimi izgleda, je taki o perfekte si, testo je izgleda, da ne so je ven nekajču doulateda. vse znojili, da imamo prejzvega, tako, na ko je bilo kompot, in danes je priješel, da se priješel na sega nekaj nekaj provetj. Kako se priješel? Zato zame priješel, da nekaj vse na končinati končinati vzvega, vse za prejzvega. Zato ne početimo, da neki se vse izniti, Ljupo. This protocol works against malicious adversaries, and as I said we are also interested in the round complexity, and our protocol has a single round in it. And this is achieved by querring the OTI oracle many times in parallel. For this talk I'm only going to talk about deterministic boolean functionalities, but our protocol easily generalizes to non-bulean buljene, randomize functionalities, as well. OK, so, good. So now I'm going to elaborate a bit more about the model that we're working on to try and formalize the result. So I'm going to start with WFS transfer functionalities. Specifically, what we are using is the 1 out of 2 bit OT. Here the server has two inputs bits, two input bits, A0 and A1, and the client has a single bit B. And now only the client receives an output, which is A sub B. And the server learns nothing about B, and the client doesn't learn anything about the other bit. And what is this good for? We know that oblivious transfer is used in many MPC protocol, and generally it implies statistical secure MPC protocols. We know that we can compute it very efficiently using what's called OT extension, which can also be done in pre-processing time. We know that many computational assumption realizes OT, and we even know that physical assumption can be used to construct OT with unconditional security. And now I can formally define our model, the OT hybrid model, and define security. So what is the OT hybrid model that we're using? So, again, like I said before, they can call oblivious transfer functionality at any time in the protocol. However, one thing that I want to stress is that they can do this in parallel. They can call the OT functionality many times in parallel. And when do we say that this protocol is secure, we're going to use a real ideal paradigm, where in the ideal world we have a trusted third party that cannot be corrupted, and the computation is done as follows. The server and the client send their inputs to the trusted party, which then computes the output and give it only to the client. So the server learns nothing. And what we'd like to have is that the OT hybrid model to emulate this ideal interaction. And we also want this to hold even if a malicious adversary is present. So if malicious, for any adversary corrupting the server, we can simulate the attack in the ideal model. So there exist an ideal, there exist a malicious server in the ideal world that is also allowed to change the input that it sent to the corrupted party, which also affect the output. And we want that this simulator, this malicious adversary in the ideal world to simulate the view of the real world adversary, of the real world server. And we want these two to be quite close. So what I mean by that is that the statistical distance between the two worlds is very, very small. And when I say that we have perfect security, I mean that there is no difference. The distributions are identical. And again, we also want the security versus a malicious client. So for any malicious client in the OT hybrid model, there exists a malicious client in the ideal model that can simulate the view of the real world client. Okay, so what do we know about this model? So I'm going to talk about both the statistical protocol, statistically secure protocol and perfect secure protocol. And I'm going to start with the statistical one. So we have the classical result by Kylian that shows that any client server functionality can be computed in the OT hybrid model with statistical security. And 20 years later, Ishae, Prabhakaran, and Tsai showed that how to do it a lot more efficiently. And three years later, Ishae Kusilovic, Ostrovski, Prabhakaran and Tsai also showed how to do it in a single round with parallel calls to the OT and their protocol is also efficient for NC1 functionalities. So this is the statistical setting. What about the perfect setting? Well, it turns out that we don't know a lot. What we do know, protocol by Basard, Kripov and Sansa showed that we can compute one out of n string OT in this model. And again, this is a single round protocol. Wolf and Walschläger showed that OT is symmetric meaning we can compute what they call TO, which is the same as OT, where the roles of the parties are reversed. And in a slightly different model, Ishae Kusilovic, Orlando and Paskin-Chernjarski showed and Meltgald showed that if the parties has correlated randomness, then anything can be computed with perfect security. Okay, however, the correlation depends on the functionality to be computed. Otherwise, and we have also a classical result which is in the multi-party settings. We have the BGW and the CCP protocols that show that any multi-party functionality can be computed with perfect security in the plane model assuming that the adversary corrupted strictly less than one third of the parties. And basically that's it. That's all we know in the perfect setting. And it should be understandable. Why should we care about perfect security? If we have statistical security, which is still unconditional, it will hold against any unbounded adversary and the security will hold for basically eternity, so why should we care about perfect security? Well, first of all, it's very natural. If we have a statistical security, can we push it further and get no error at all? And this is also a part of secure NPC, so we need to understand this setting if you want to understand general secure computation. And even on the practical side of things, it could be very useful since if we can construct efficient protocols in this with perfect security, then their efficiency is concrete since we eliminated the dependency on a security parameter. So again, what is our result? I can now tell you more formally. So we showed that almost anything can be computed with perfect security in the client server setting. So what is this almost all? That's the only thing I haven't told you yet. So almost all means that is the class of functionalities which are called full-dimensional, where we also need to assume that the server's domain is strictly larger than the client's domain. And what is this full-dimensional creature? So I'm going to explain it pictorially with an example, so let's say we have this function, the server chooses a row and the client chooses a column and the output is in the corresponding entry. So we can view this function as a collection of three points in the plane which gives us a triangle. Since the triangle is a two-dimensional object, we say that this function is full-dimensional. And this definition easily generalizes to larger functionalities where we consider f as the collection of x points over r, y. And we say that f is full-dimensional if the convex polytope that is defined by this collection of points is of dimension y. Okay, so what is our construction? So I'll start with a very high-level overview and then I'll go into more details. So first we start with the statistically secure ICOPS protocol, let me remind you, this is a single-on protocol that achieves statistical security. And what we do is we identify two key issues in the protocol that prevent it from achieving perfect security. And we modify the protocol accordingly and the resulting protocol will have perfect security against the malicious client for any functionality even if it's not full-dimensional. And the full-dimensional part comes into play when we consider malicious adversaries. Okay, so I'm going to now give a brief overview of the ICOPS protocol. So for simplicity, let's assume that the function is Boolean deterministic and also that the client input is a single bit. So here's a starting idea. Let's say that the server will compute the two possible outputs, f of x0 and f of x1, and send the correct one to the client using the OT. Again, so the server can do whatever he wants, so what we'll ask him to do is also send sort of proof of correct behavior using what's called the MPC in the head paradigm. So how does it look? So I'm going to explain it pictorially, so we have the server on the left and the client on the right, and the server, imagine in its head, secure multi-party protocol being executed. So it has many virtual servers, each holding a share of the original server's input, and what they compute is a functionality that has two parties, two virtual clients that will receive an output, where the first one will receive f of x0 and the second one will receive f of x1. And as we said before, the server will send the correct output using the OT functionality, and now in order to prove that it behave honestly, you will send what's called a watch list, and a watch list is basically just a subset of the virtual server's views. So he will send, let's say, these two servers to the real client, which then check for consistency, and if he finds some inconsistency, then he knows that the server cheated, and he will output a default value. And each view will be given with some constant probability, and this can be implemented using the one out of n string OT protocol that previously mentioned that it exists, the protocol of BCS. However, there is still slight issue with this protocol, it's still not secure, because malicious adversary can perform what's called a selective abort attack. Basically, what he can do is just temper with one of the virtual clients and change its output. And now, we cannot simulate this attack because basically the server said, on this set of input, you will output a default value, and on this set of input, you will output a correct value. So we cannot simulate this. So how I could solve this, they solve it, I'm going to simplify the solution, they give a much more efficient one, but the simple solution is the following. The client will first split its input bit, will share it and represent it as the XOR of many random bits, and now instead of one pair of virtual client corresponding to one bit, we will have many pairs of virtual client, each pair corresponding to one of the random bits that the client sampled. So the client will choose either the left or the right one based on the value of the corresponding random bit that is sampled. And now why does this work is because the server would need to guess these random bits, and it will only be successful with negligible probability. However, now it's not clear what values to give this virtual client because we need to ensure consistency of all the possible choices, and I'm not going to get into too much details, but there is something called decomposable randomized encoding, which is basically, you can think of it as an abstraction of garbling scheme that also allows for information theoretic security. So we know that it exists and we can use it. And this is the final ICOS protocol. So what are the two issues that prevent it from achieving perfect security? So the first one is with respect to the client, we said that each virtual view is given with some constant probability to the client, meaning that there is non-zero probability that the client will receive all of the virtual server's views, and therefore it will learn the server's input. So we need to deal with that. And the second issue is that the server can still attack, is a non-zero probability chance of attacking. For example, he could try and guess the random bits of the client and apply the selective abort attack. So this is the second issue. So now I'm going to explain how we resolve this issue. So I'll start with the first one about the client. So what we would like to compute is a fixed size watchlist, something of size exactly, let's say t, which basically amounts to computing t out of n string OT in order to get the views. However, we don't know if we can do it with perfect security. It's still an open question. But what we can do is we can ensure that no malicious client will learn more than two t of the views. So how is it done? First, the server will sample a very, very long random string and split it into n random strings, where n is the number of virtual servers. And additionally, he will share this long random string in an n minus two t out of n secret sharing scheme. And now he will give the client a choice. Either you will get a masked view or you will get a share. So why does this work? If the client shows too many views, too many masked views, then he will not be able to reconstruct the masking itself because he doesn't have enough shares. So we have security against the client. What about the server? The server, the security against the malicious server follows basically from the error correction properties of the secret sharing scheme. I will not go into too much detail, but basically because this is only the proof of correct behavior part of the larger protocol, this doesn't affect the original protocol. So we still have statistical security against the server. So what about the second issue about the server being able to still attack with non-zero probability? And the way we solve this is using ideas from the furnace literature. So in furnace, it's a different model, it's a different context where either both parties receive the output or none of them do. And it turns out that using similar ideas can help us here. So what do we do? It's very simple. Instead of having the client output a default value if he found some inconsistency, he will choose x zero, the input of the server uniformly at random and output accordingly. And the second thing that we need to do is having the parties execute the ICOPS protocol, the modified ICOPS protocol that I just showed you with a very large security parameter. And what we show is that this actually achieves perfect security, assuming that the function that the parties compute is full dimensional. So I'll not go into too much detail because this is a bit technical. So to sum things up, what we showed, we gave the first perfectly secure protocol for a very large class of client server functionalities in the OT hybrid model, which is also a single on protocol. Natural question, what about the functionalities that we are not able to deal with? Those that are not full dimensional, for example, equality. We don't know the status of this function. Another question is about the efficiency. Our protocol is not very efficient since we needed to execute the ICOPS protocol with a very large security parameter. And we'll additional round help us in answering these questions. That's it. Any questions before the break? Very, very largely. So we wanted the error in the simulation to be some epsilon where epsilon is one over the size of the client's domain factorial. In this very small level. I have a question. So you said you replaced the default value input with the randomized input. Yeah. So does it help you if it's not uniform? We can use a non-uniform distribution. It doesn't help much. It will get more functions, my question. No, if we don't get more, the only thing that could help us is to get more functions is if we somehow sample X0, which probably depends on the view of the client. Here we sample it independently of what the client saw in the protocol. OK. OK. Oh, another question. Hi. This may be a stupid question, but is there any natural generalization to a larger number of parties? Natural generalization. Maybe a lot of servers and one client or one server and many clients. So you need to check consistency that the server used the same input with all of them, for example. And do you think the result also extends to this type of settings? Oh, what? Do you think the result also extends? I don't know. I don't know how to do it. We don't know. OK, so let's take bar again.