 Okay, well, thanks. Yes, sir Okay, so yeah, this is a work on doing batch secure to party computation That is not interactive, which means there's two messages. It's joint work with Mike Rosolik So I don't actually know why I made this slide. This is secure to party computation So but we are interested in secure to party computation where there's only Two messages exchange, you know the one party sends a message the second party responds And then the first party essentially can compute the output from that. Okay, so that's sort of far This is the sort of protocol. We are interested in And you know, there's motivations for that if you are Computing or communicating over a high latency network You're rather to minimize the number of round trips that you have to do and also there may be Interesting somewhat unconventional ways you you may want to communicate such as through email or a bulletin board So these are sort of scenarios where the both both parties don't have to be necessarily be online at the same time one party can post their first message the second party can come online and later on and sort of post the second message and then then sort of you get the You get the output the first party gets the output So you don't you don't have to do this many many times. You're minimizing how much you have to do this You know, whether it's an attachment to an email or a bulletin board and so on so there's motivations for for doing that and There's lots of work that actually you know studies this theoretical constructions and And so on but there's also we actually know that You can also achieve this with sort of very good concrete efficiency That is fairly comparable with sort of the best secure two-party computation protocols We know well the best two-party computations we know kind of keeps changing right but as you saw in the last talk but sort of Very very close right in terms of sort of the efficiency you get so which is good. So If you can get the best minimize around complexity and sort of have very good concrete efficiency So we would do it What is so another aspect to secure two-party computation is sort of when you want to run many different Instances of secure two-party computation using different inputs. So that's sometimes called batched secure computation and here the goals are to Either get better amortized efficiency. So for example the work Several recent work show that you can get log n factor of improvement overall improvement in everything communication computation so on Where n is the number of Executions that you you want to have and concretely this this even works out better if you've been to some of the talks In the previous days so it's really good concrete gains when you are running many instances of secure computation and It also has a nice feature that you can do bulk of the computation in an offline phase where you don't know the inputs to the Computation and then in an online phase you have you have a very fast online phase that is sort of not proportional to the size of the Computation or the circuit you want to compute So we also know how to do this, but sort of the solutions we know are required Multiple rounds so so they are not non-intractive. So this stuff So what we were hoping for in this work was that can we get the best of both worlds you want to do many secure Executions of secure two-party computation and using different inputs But we really want to make sure that we actually only have two messages And then received and we get the same concrete sort of gains that we have for batch execution and non-intractive to PC So that's sort of the goal here I want to get the best of both worlds and I wanted to point out is that you don't actually have to run all those instances at The same time you may not have the inputs for them ready So it and that and that's fine. So for example, you if you're thinking of it in a online offline set phase you can sort of do the offline phase At one point and but then you want all the online phases to be To two messages whenever you have the inputs for them ready If you have some of the inputs ready you can run on those and then again when you have some of the other inputs again Each time you have inputs ready. You just want to have to exchange two messages. So that's sort of the goal Here, okay, so All our approaches of course are going to be based on garbled circuits. This is a very quick overview as Just to familiarize you with the notation here We're going to use we're going to have a circuit C that represents our function We're going to have a garbling algorithm that takes a seed and the description of the circuit and gives us a garbled circuit And we are going to use the same seed to encode Inputs or garbled inputs garbled inputs So this is essentially and the right and on your right hand side is the semi-honest security party Garbled circuits where there's a garbler who sends a garbled circuit and the garbled inputs to the evaluator And the evaluator also learns its own garbled inputs using oblivious transfer And then evaluates the garbled circuit on the garbled inputs to learn the output It's very high level. We don't have to get into a lot of details what we know this is this is semi-honest secure and It is actually can be is is already a two message secure to party computation The way to think of it is that you know in the oblivious transfer the evaluator first sends the first message of the oblivious transfer The garbler responds with the second message of the oblivious transfer along with the garbled circuit And it's garbled inputs and so we have a two message semi-honest To PC okay so And there are various ways to make this non-intractive of course, but since we're sort of one a concretely efficient protocol We sort of are going to look at the cut and choose approach Okay, so let's quickly against review the cut and choose approach So here you have the garbler send many garb multiple garbled circuits The evaluator will ask the garbler to open a subset of these garbled circuits And then it it has a guarantee that sort of the in the remaining garbled circuits The majority are correct so you can you can evaluate those and then recover the output. Okay, so that's the general approach and And And of course there as I'll mention there is this better approach that is sort of has different names for gen lose input recovery cheating recovery, but essentially The idea is that You you can you can improve the efficiency by sending less circuits because you only require the guarantee that At least one one of the evaluator garbled circuits is card as opposed to the majority of them being correct Okay, and so essentially how do you achieve that by this is by opening some of the circuits evaluating the remainder and then having a so a separate process that Says if the evaluator received two different outputs It can actually if and if you can prove that it received two different outputs It will learn the garbler's input, right? Which allows the guy the evaluator actually compute the output on its own and that's fine So that's the cheating recovery mechanism, but so and and but that cheating recovery mechanism It's going to be very sort of much more efficient than the original computation. It's as a Its size is not dependent on the original size of the bigger second Okay, so now we are sort of we're interested in in not in two message Nine interactive security party computation and sort of you can see that a lot of things they have to do It's not obvious how to do this in with just two messages. For example this of the previous a Lot of the techniques sort of have a separate to PC just for the cheating recovery, right? So you have to do the original to PC and it's cheating recovery to PC So there's sort of multiple rounds of interaction to do all of this Okay, so before sort of saying We're going to deny attractive to PC protocols Let me say if we're gonna use a primitive that is sort of very useful to us. It's called homomorphic commitments So these are commitments that you're all familiar with with the hiding and binding properties But we also want it to have a homomorphic property And it's sort of a somewhat a special homomorphic property That says, you know, if I commit to two values a and b I can of course open it to a x or b or a plus b whatever my homomorphic operation is But also that the opening itself the decommitment to the The opening itself is sort of a homomorphic operation on the decommitments the individual decommitments Okay, so that's that's the extra property that you will see become you becomes useful as we were going to try to do design our protocol but essentially all the Sort of very nice techniques we have now for doing homomorphic commitments have this sort of property Okay, so Paris and commitments is if you You're willing to use public key operations person comes are fairly communication efficient. You have very small Commitment sizes. There is a OT based commitments that were used in Work of Linda Riva for input consistency and so which means we can you we can use a lot of symmetric key operations and then there is very interesting work that is sort of is actually Has better rates in terms of how much message you can commit to compared to the size of the commitments that uses Uses oblivious transfer and coding techniques And there's sort of pros and cons to each approach as you sort of note like your person commitment has public key operations The other two can be dominated by symmetric key operations, which are faster The sort of Linda Riva solution has the advantage that it's it can be made non-intractive or to message without sort of anything fancy It's sort of it only uses OT The code base approaches are have much better rates But sort of they have this interactive setup, which you can get rid of if you are use random Oracle Or if you are sort of in an offline online phase where the offline phase is where you do the interactive setup But sort of otherwise it's at least was not obvious to us how to make it non-intractive So it all depends sort of on what you want to do But for us it doesn't matter all our protocols are kind of used this sort of homomorphic commitment in an abstract way as long as The the the opening is sort of has this homomorphic Property as well Okay, so let me start by the single execution setting and this sort of starting point is the Afshar et al's a protocol And which we sort of generalized a little bit to use a homomorphic commitments in abstract way and that allows us To do more interesting things with it. Okay, so what is the idea so the garbler will garb on multiple circuits This is for the cut and choose It will send all the garbler circuits to the evaluator It will also encrypt its garbled inputs for those circuits using some Ki right so we have GC eyes and the garbled inputs included with Ki Then what do we do for evaluators input? You know for every input of the evaluator they will be There will be ot's right and then the validator will learn the corresponding garbled input So this is again two messages For the cut and choose we will do another ot where the evaluator would say whether I want to open or evaluate this circuit and Depending on the choice of the bit it either learns the seed that was used to garble the circuit or it learns the key That was used to encrypt the garbled inputs So it can actually learn the garbled inputs of the garbler and evaluate the circuit and So so far we are all two messages this ot's we can run in parallel. So So we are two message protocol How do we have the garbler send its garbled inputs? In particular, how do we do the input consistency in a non-intractive way? So this is somewhat sort of a little bit different from the Afshar et al And so you're gonna use the homomorphic commitment. So if you remember sort of the garbler has to commit to It will commit to the two labels corresponding to Zero and one for each input wire. Let's assume there's just one bit of input, right? It's they are randomly permuted using a permutation bit. This is sort of a standard technique Okay, so what the garbler is going to do is going to commit to those labels in using a standard commitment, but it's also going to homomorphically commit to the permutation a bit and of course Separately also homomorphic commit to its input. So this is just done once. This is done per circuit Okay, those are done per circuit. Okay so And this is sort of a Linda Riva Riva technique for for doing input consistency to check Okay, but we were just using it in non-intractive scenario So what happens now and if if its circuit is chosen to be opened Of course, the the evaluator learns the permutation bits and check that and all the keys and can check that things were done correctly But if the circuit is being evaluated There will be what will be revealed to the evaluator is the opening of the X or of the input and the permutation bit Okay, so and so this actually takes care of the input consistency check because we know that The input can this input is fixed across all the different circuits So really you cannot use different inputs or change your inputs Right as long as the permutation bit is correct for one of the circuits Then we are using that input that you're committed to okay So that's how we we take care of the input consistency again non-intractively It's all happens through the same circuit OT you can think of In fact sort of the better way to think about it is that you will encrypt this sort of the commitment to the X or When it's along with the garbled inputs or in that key ki so that's sort of the better way to think about Okay, how do we take care of the cheating recovery? So here again, let's assume. There's one output wire and the garbler will come more frequently commit to the two output Output by for zero and output output label for zero and output label for one It will it will also Generate two random values, okay, these are the same for all circuits that are X or When they are X or they give you the actual input, okay, so these are Or other homomorphic operation. I'm just using X or as a as our homomorphic operation So and to show that this is the case. It will actually open the X or of these three Commitments And this is this is done. It's these are fixed commitments across all circuits So what happens now? then for circuits that are opened of course the The the valetary lens both labels, okay But for circuits that are evaluated the garbler will be revealing the X or of the output label and the corresponding random value Okay, and now what happens? How do we do cheating recovery now imagine that evaluator learns two different output labels? Then you will learn both W0 and W1 which it allows it to recover the input X Okay, and but if it's not there's no cheating The voucher will only learn one of the labels. Therefore it can only It cannot recover X. Okay, so that's sort of again now everything is happening through those two OTS So this is a two message protocol. Yeah, so that's that's sort of the single execution protocol using homomorphic commitments in a very abstract Okay All right, so how do we do batch execution? Let me remind you what sort of this batch execution techniques are now you're doing many executions We have many different inputs. So what we're going to do is we're going to generate a large number of garble circuits. We're going to have Multiple buckets each bucket represents a single execution with a different input. Okay, we're going to assign each garble circuit randomly To one of these buckets and we're going to sort of assume that the last bucket here is going to be this bucket Where we open the circuit. Okay, so this is sort of better abstraction for our For our non-attractive version. Okay, so that's how we're going to do things So the evaluator will be right choosing which circuits to go where randomly, right? And the garble puts them there and each bucket will correspond to one execution So this sort of allows because we are doing it in in a bad setting this allows us to have a Log n factor less garble circuits generated for the n executions that we want to have. Okay, so that's sort of the idea So we want to make this sort of approach And then you sort of each of these separate buckets you can think of it you would Repeat what we we were talking about before right? So they are just each of them are single Catering Jews to PC. So how do we do this in an interactive way? I want to just list the sort of What are some of the challenges? So now instead of sort of obliviously either Evaluating or opening a circuit you sort of have to obliviously assign these circuits to all these buckets So it's a little bit different not too hard, but you have to sort of change things in this way to make it oblivious assignment to these buckets But sort of a little bit harder is you now the garbler has to send garbled inputs for each circuit, right? But actually it doesn't know yet Which input will is correspond to which garble circuit? He doesn't know the assignments of the garbled circuits to buckets Which would determine which input you actually have to garble right because everything is happening in the same two rounds, right? It's not like it first finds out what the buckets are and then can garble the inputs those inputs for that second so it sort of has to do it without knowing and Similar things for input consistency, right? It has to sort of we wanted to prove that it's using the same input for the garbled circuits for one bucket Well, it doesn't know a Priari which circuits are gonna be in the same bucket So to do that proof for and again for cheating recovery It doesn't know again. Is it which two in different? Outputs of which two circuits if they are different it should it should learn the actual input recover the actual input from sort So we want to make all of these interactive and non-intractive So how do we do this? So sort of a sort of the first I have solution that comes to mind is you know Let's just have the garbler generate the garbled inputs for all possible inputs, right? of all the executions and also generate input consistency gadgets and Perhaps I'll put recovery gadgets everything for all the possibilities, right? And then for every circuit do a one-out of n sort of OT that where the receiver Chooses to learn the garbled inputs for one of these sort of buckets, right? The receiver decides what to do that. So of course, this is already inefficient because sort of you have to do n squared Communication where the number of executions is n and large. So that's not good But but it's actually it's not clear even then how to make it work because the possibilities are not just n, right? You if you think about it for output recovery, for example The possibilities are all the circuits that are going to go to the same bucket, right? So it's not more than n possibilities, right? You don't know which circuits are going to go to your bucket So you have to do the output recovery with those those circuits So it's not completely obvious even this sort of how to make this one out of an pair circuit work But our hope is to not to avoid this to really get sort of Do much better than so what is our idea? So our main building is sort of I'm going to just give you an idea of the techniques What's the main ingredient is this protocol called oblivious switching network? What does switching this oblivious switching network do? so we have our receiver on the right-hand side and his input to this sort of two-party protocol is a Permutation, okay? And and then we have our sender here and his input to the protocol are two input vectors One are sort of the input wires here to this box And then the second input vectors are sort of these paddings that I'm denoting by R1 to R5 They don't have to be random could be any input that the sender chooses Okay, and what is the output that the receiver receives? It's sort of the permuted versions of the XIs Exhort by the paddings where the paddings are not permuted right in the same order that they were originally arranged by the Sender okay, so that's our idea so but the way they are permuted is decided by the receiver So so you can think of it as that so the inputs to the switching networks Are sort of the all the garbled circuits course each wire corresponds to a single wire garbled circuit in this batch content choose and sort of the outputs are those Those those garbled circuits reordered in the way they're supposed to be located in in the buckets Okay, and so and that's what's decided by By the valve by the receiver here, okay? So we can do this sort of we've shown that you can do this Protocol using sort of n log n OTS where n is sort of the input size By using a switching network and then again because you can run all the OTS in parallel. This is this is a two message protocol So let's say we have such a protocol Then what can you do so let me give you so certain things start becoming easy Okay, so how do we do the content choose? How do we assign circuits to buckets, right? So what for example, how do we how do we open? The garb and the garbled circuits Obliviously without without the evaluator knowing so for example what what the what the gobbler What we can do is we can have the garbler feed the seeds the openings for all the garbled circuits as in as as the inputs to the The switching network and for the paddings it will use random paddings for the circuits for the executions That are going to be evaluated and zero for the circuit that Circles that are going to be open now as a result for only the circuit that is going to be Circles that are going to be opened And the evaluator actually learns the seed the opening for everything else. It just gets something random Okay, so this is how they're sort of the switching network is deciding for us for what what is being open? What is being evaluated? Okay? and similarly If you remember the the input consistency check that I was talking about if you were we had some homomorphic commitments for every Input so for every execution and we had homomorphic commitment for every permutation bit for every garbled circuit So this is xj and si right? So how do we open these because we don't know which one which xor pair we have to open a priari So what we're going to do is actually send these the commitments Through the switching network. Okay, so you can see that the paddings are going to be the decommitments to the inputs Right, so they are going to be and for the open circus There's going to be sort of a zero right because we don't we don't know we don't open the Decommitments for the open circuits and then sort of the the actual inputs to the switching network I'm going to be the decommitments for the permutation bits and they go through the switching network And what you get is sort of for the the seconds that are being evaluated you open the decommitment to The right input x or with the right permutation bit Okay, so so again the decommitments are being permitted in the switching network And you get the right decommitment and they evaluated and opens that xor Okay, so I'm gonna because I don't have much time sort of you have to do this and there's sort of for every single thing that we we need to do for Garble sending garbled inputs for both a garbler and evaluator for the cheating recovery sort of a similar sort of ideas Take place if you you you're careful about how you do it So every all is essentially the idea is sending these decommitments in the switching network and they get homophically So permuted and then sort of you get the homophic decommitment of what you really are supposed to learn Okay, so I'm gonna skip then The rest of these there's some subtleties being in various ones, but I don't have time to go So what is this is sort of a table that? Shows some the summary of results. I only talked about sort of the standard Batch execution where you you have all the inputs sort of at once and you'd and you're you're not assuming a random Oracle model, but essentially so the number of garbled circuits that you have to send the garbled circuits are not being sent through the switching network So you don't they don't they don't have this sort of the expense of the switching network is not They don't have to go through that complexity what you're sending through the switching network are essentially the commitments There are all the corresponding to the inputs and the outputs So this is the only thing that will be an o of n that will not have the log n improvement factor and And but everything else is sort of has the log n improvement factor And you can actually avoid that if you use random oracles or you are in the online offline setting where you online So both of those can be avoided if in these other two cases But this is sort of the summary of the complexities Let me finish with a bunch of open questions Things that can improve the sort of this approach are one is if you have OT extensions that are Only require two messages all the sort of because we don't have such OT extensions We we cannot use OT extension actually to in this sort of to achieve get non interactive protocols So that would be very interesting The oblivious switching network protocol is requires and log n OTS Okay, so it would be nice to become Have sort of this non interactive or obvious switching network or we should say not switching network oblivious Sort of permutation with this sort of padding property That we want we want it to be non interactive But I have all of n complexity. There is all of you can easily for example do get off and complexity with additively homomorphic encryption But it actually requires three messages. So it's not non interactive So it would be nice to sort of do that somewhat efficiently and then I Mentioned a bunch of other questions that I also mentioned I would be nice to get sort of and this may be already So I have no idea sort of but if you can get this sort of OT based homomorphic commitments That are non interactive and have constant rates Without assuming random or I think that would also be Interesting Edition that will improve efficiencies. Okay with that