 Hello everyone, my name is Ariel Norf and I will present a paper, Efficient fully secure computation via distributed zero-knowledge proofs. This is a joint work with Alette Boyle and Imgilboa in Uval-Ishai. So in multi-party computation, we have N-parties who wish to compute jointly some functionality over the inputs without revealing anything but the output. This computation should be carried out in the presence of an adversary, and there are usually two main types of adversaries that we consider. To be semi-honest, where the adversary follows the protocol but may try to learn more than allowed and malicious, where the adversary may behave in any arbitrary manner. When considering malicious security, there are usually two main types of security guarantees that are considered. The first is security with a boat, where the adversary is allowed to mount a denial-of-service attack and prevent the parties from receiving their output and full security where the output is guaranteed to be delivered. And we know that in general this can be achieved only in the honest majority setting which we consider in this work. Now, a basic fundamental question in the field of MPC is can we close the gap between semi-honest and malicious security? Or in other words, can we achieve full malicious security with the same amortized communication cost as for semi-honest and without giving up on concrete efficiency, which in this work is interpreted as using only cheap, symmetric hip-toes such as black-book use of any PRT. So in this work, we have two results. The first result is a protocol for malicious security with a boat with the same amortized communication cost as for semi-honest. This protocol is for arbitrary number of parties, it works over both fields and rings and with any linear secret sharing. The second result is a protocol for full malicious security with the same amortized communication cost as for semi-honest. This protocol is only for constant number of parties because it is based on replicated secret sharing and in this scheme the size of the share grows exponentially with the number of parties. Now, if we instantiate the underlying semi-honest protocol in both these protocols with the best semi-honest protocol that are out there we obtain maliciously secured protocol where each party is required to send less than 1.5 ring elements per multiplication grid. Now, we are not the only one who had similar results recently. There has been other papers with similar results so I want now to explain the differences between our protocol and their protocols. So, for security with a boat, there are two relevant papers the paper of Buonetal from Crypto19 and the paper of Goyal and Song from this year. As you can see in this table, our protocol and the protocol of Buonetal work over both fields and rings whereas the protocol of Goyal and Song works over fields. Our protocol and the protocol of Goyal and Song works with arbitrary number of parties whereas the protocol of Buonetal works for constant number of parties. If we look at the communication cost additive term which is the communication cost which is added when moving from semi-honest to malicious security then in all three papers this additive term is sub-linear in the size of the circuit. However, in our work and in the work of Goyal and Song it is logarithmic in the size of the circuit and in Buonetal it is square root of the size of the circuit. And if we look at the number of rounds which is added when moving from semi-honest to malicious security then in our work and in the work of Buonetal it is constant and in the work of Goyal and Song it is logarithmic in the size of the circuit. So, as you can see from this table we achieved the best of both papers and the best result in all four categories. So, for full security there is one relevant paper, the paper of another paper of Goyal and Song from this year as you can see our work has the advantage of working over both fields and rings and that the communication cost matches the best semi-honest protocol in our setting which allows use of a PRG. On the other hand the protocol of Goyal and Song has an advantage over our protocol in allowing arbitrary number of parties. On the other hand their amortized communication cost does not match the best semi-honest protocol in their setting which is information theoretic. In particular they require two field elements beyond the cost of the semi-honest protocol when cheating occurs. So, we hope this clarifies the differences between our result and other previous results. So, now let's move to our solution. So, the high level approach of our protocol works in the following way the parties start by sharing their inputs then they run a protocol to compute an arithmetic circuit this protocol is only private in the presence of malicious adversary it does not guarantee correctness and therefore the parties then run a verification step to verify the correctness of the computation and this step should be very cheap and fast because this cost will be amortized away and if this step passes successfully then the parties proceed to reveal the output. So, let's focus now on the verification protocol which is the main contribution of our paper. So, our verification protocol relies on a tool which is called Distributed Zero Knowledge Proofs a tool which was introduced by Bonetal and in this setting we have one approval and several verifiers and the prover wants to prove that given some input X that it holds then for example if we compute a circuit C over this input then the output will be zero and the idea is that the input X is held in a distributed manner across the verifiers which in this work is translated to X being secret shared among the parties and what Bonetal showed was that if the circuit C is a degree-to-circuit and if X is robustly shared among the parties which means that the shares of the honest parties alone are sufficient to compute all the other shares so if these two conditions hold then we can have a proof with size that is sublinear in the size of the circuit so how can you use this tool to verify the correctness over computation? So, in our verification protocol the parties hold many triples where each triple corresponds to one multiplication gate and the parties hold a robust sharing of the inputs of the two inputs and the output of this gate and the one to verify that all these triples are correct multiplication triples and there are two approaches of how to use the Sebudi zero-manage proofs to achieve this goal in the first approach which we call the single-prover approach the parties, each party is required to prove that it acted honestly in the multiplication protocol to compute each of these triples or in other words each party is required to prove that it sent the correct messages in the multiplication protocol this approach was used to achieve free-party computation with abort in Bonnetal and was later extended to full security by Boiletal the problem with this approach is that it is not clear how to extend it to more than three parties specifically in order for this approach to work we need all messages in the multiplication protocol to be a degree-to function of robustly shared inputs this holds for the free-party protocol that was used in these papers but not in general for protocols for more than three parties so because of this problem a second approach was proposed which we call the multi-prover approach and in this approach the parties jointly prove that the sharing they hold on the output of each multiplication gate is a sharing of the correct value given the inputs and this approach was used by Bonnetal to achieve multi-party computation with abort for constant number of parties the problem with this approach is that it is not clear how to extend it to full security specifically when moving to full security we need some mechanism as we will see to identify cheaters now in the single-prover approach in each proof we have one prover who knows all the information and we can use it to identify cheaters in the multi-prover approach there is no such a prover and it is not clear how to identify cheaters so the question of achieving full security for more than three parties remains a challenge and in order to overcome this challenge we combine these two approaches in the following way so our verification protocol starts with the multi-prover approach where the parties want to prove that the sharing that they hold on each output of each multiplication gate is the correct sharing and what we want the parties to do is to compute a linear combination of the difference between the output and the two and the multiplication of the two inputs we denote this value by V so what we want to do is to check whether V equals to zero or not if V equals to zero then we know with high probability that all the triples are correct if V does not equal to zero then the parties know that at least one triple is incorrect and they will reject they will output reject at the end of the verification protocol so our main our first observation towards achieving this is that the parties can locally compute an additive sharing of V why is this true? so for example let's look on Shamir's secret sharing if the parties hold a Shamir secret sharing of X and Y with degree T they can multiply it together and obtain, multiply it locally and obtain a degree 2T sharing of X times Y and if they subtract it from a degree to degree T sharing of Z they will obtain a degree 2T sharing of Z minus X times Y and in the honest majority setting we can convert this 2T degree sharing using Lagrange coefficients to an additive sharing of the result and this holds for other secret sharing in the honest majority setting as well and therefore the parties can locally compute an additive sharing of V however this is of course still not enough the parties cannot simply open this additive sharing because it is not robust and the corrupted parties can open it to any other value they want so what we will ask the parties to do is to first secret share the additive sharing and then once each party holds an additive sharing, a robust secret sharing of each additive sharing they can sum it together and then they obtain a robust secret sharing of V and then they can open it and now since the secret sharing is robust the corrupted parties cannot cheat and open it to any other value but the correct value of it however this protocol is still not secure because in step 2 a corrupted party may cheat and secret share a different value not its actual additive sharing of VI here is where we use the single proven approach to distributed zero knowledge proofs so if we look at the computation each party does in order to compute its additive sharing then each party uses its shares of X, Y and Z now X, Y and Z are robustly shared among the parties however if we have a robust secret sharing of X we have also a robust secret sharing of each share of X why is this true? so again if we look at Shamir's secret sharing if the parties hold a robust secret sharing of the value encoded at the point 0 of the polynomial then they also hold a robust secret sharing of the point on any other point on the polynomial so the parties hold also a robust secret sharing of each share of X, Y and Z now the computation that each party performs is also a degree 2 computation so eventually what we have here is a degree 2 computation over inputs that are robustly shared with the parties and here is exactly where we can use the single proven distributed zero knowledge proof to verify the correctness of this computation so going back to our verification protocol we will add one more step where each party proves that it shared the correct value using the single proven distributed zero knowledge proof now if this step passes successfully and all the proofs were accepted then the parties know that they hold the correct secret sharing of all the additive shareings and in step 4 they can sum it together and they know that they hold a correct robust secret sharing of V so this is our verification with a broad protocol now let's look at the cost of this protocol so the first step is a local computation in the second step each party secret shares one value and so the cost is constant in the third step we run the zero knowledge proof and here we have a cost which is logarithmic in the number of triples to verify and in the last step the parties open one value and so again the cost is constant if we look at the number of rounds so to share one secret the parties need only constant number of rounds we can run the zero knowledge proof with constant number of rounds using the Fiat-Chamille transform and finally to open a secret sharing or one value then we also need the constant number of rounds and so overall we obtain a verification protocol where the communication cost is logarithmic in the number of verified triples and the number of rounds is constant so this is our verification with a broad protocol now let's see how we obtain full security so in order to achieve full security we use the player elimination framework where the circuit is divided into segments and each segment is evaluated separately which means that at the end of each segment the parties run the verification protocol and if the verification succeeds then the parties proceed to the next segment otherwise what we want the parties to do is to find a semi-corrupt pair which is a pair of parties such that one of them is guaranteed to be co-opt and then the parties will remove this pair and recompute the segment with less parties so in order to achieve full security we have two things that we need to show first is how to find a semi-corrupt pair and second how to remove this pair in a secure way so let's start with the first task of finding a semi-corrupt pair and here we use two properties which are unique to replicated secret sharing and this is why our fully secure protocol works only with this secret sharing scheme so the first property is called pairwise inconsistency which means that if we have a sharing that is inconsistent this implies that there is a conflict between two parties and we can use this conflict to obtain a semi-corrupt pair for example if we look at this at a three-party secret sharing with one corruption then each share is held by two parties and x3 for example is held by p1 and p3 and so one way to have an inconsistency is to have a conflict between p1 and p3 where each party claims to hold a different value for x3 and we can use this conflict to find a semi-corrupt pair the second property is in the distributed zero-knowledge proof or more accurately in the single prover distributed zero-knowledge proof and when using replicated secret sharing we claim that all the inputs to each proof are known to the prover why is this true? so again if we look at our example and let's say that p1 is the prover and p2 and p3 are the verifiers so p1 wants to prove that it performs some computation over its inputs which are x1 and x3 and x2 is basically not relevant to this computation because p1 does not know this x2 at all so what we can do in the proof of p1 we can replace x2 in the secret sharing by the value of zero and therefore we obtain a replicated secret sharing which is used only in this proof where p1 knows all the shares now once the randomness in the proof is chosen jointly by the parties then basically the prover knows everything and in particular he will know what messages to expect in the proof and so if the proof is rejected we can ask the prover to identify one of the verifiers as a cheater and then the prover together with this identified verifier will be the new semi-corrupt pair if the prover is corrupt then obviously we have a semi-corrupt pair otherwise if the prover is honest then we know that it can identify a corrupted verifier and so again we have a semi-corrupt pair so how do we use these two properties in our verification protocol to find a semi-corrupt pair? so let's go back to our verification protocol and go over it step by step so in the first step it's a local computation nothing can go wrong in the second step each party secret shares one value so what can happen here is that a corrupted party will send inconsistent shares but as we said when we have inconsistency we can identify a semi-corrupt pair in the first step what can happen is that the proof will be rejected again as we said before when the proof is rejected we can identify a semi-corrupt pair in the last step there are two events that can happen first the corrupted parties may send incorrect shares for V and again we will have inconsistency so we will be able to find a semi-corrupt pair but there is another event where none of the previous events have happened but still V does not equal to zero and in this case it's not clear what to do however we observe that if this happens then we know that none of the parties cheated in the verification protocol itself because all the shares were consistent all the proof were accepted all the proofs were accepted and therefore we know that all the parties acted honestly in the verification protocol and this means that if V does not equal to zero then one of the triples must be incorrect at least one of the triples and there and so we can use it in the following way so our verification protocol starts with M multiplication triples the parties run the sub protocol to verify these M multiplication triples and then we have three events the first event is that V equals zero the parties accept the triples and they proceed with commutation the second event is that a semi-corrupt pair was found as we've seen in the previous slide in this case the parties remove the pair and recompute the segment the last event is that V does not equal to zero but the parties do not hold a semi-corrupt pair in this case we know that there exists at least one triple which is incorrect and so what we will do is ask the parties to run a binary search in this search each time the parties run the verification protocol on a smaller set of triples and we know that in this process one of two things can happen either the parties will find the same corrupt pair or that eventually the parties will hold one triple which they know to be incorrect in this case we can ask the parties to run a secure MPC protocol which looks into the transcript of the multiplication protocol to compute this triple and find a cheater so this is how we find a semi-corrupt pair in our verification protocol so now let's move to see how to remove this semi-corrupt pair so when using a replicated secret sharing this means that we want to move from a T plus one out of N secret sharing into a T out of N minus two secret sharing in other words before each share was held by T plus one parties now we want each share to be held by T parties so suppose PI and PJ are eliminated from the computation so we go over all subsets of T plus one parties and we have three cases the first case is that this subset does not contain PI and PJ the second case is that it contains one of them and the third case is that it contains both of them so in the first case we have more than T parties which remain active and no this share so in this case we don't need to take any action in the second case we remove one party but still T active parties remain which no this share and therefore again no action is needed the third case is the problematic case here we have T plus one parties we remove two parties and then only T minus one active parties remain which no this share so here we need to take an action so what we will do is we will give the share of this subset to another party PK which is outside of this subset the challenge here is of course how will PK know that it received the correct share so here we use authentication tags which allow PK to identify the correct share and since we know that each share is held by at least one on this party we know that PK will receive at least one correct share and he will be able to identify it using the authentication tag so what are these authentication tags so without going into the details these are computed using this formula we have one tag for all the shares held by each subset of T plus one parties and we have authentication keys which are held in which are secret shared across the parties and are expanded from seeds that are shared in an authenticated way and the point here is that these authenticated tags are basically a result of a degree to computation and therefore we can use the same zero knowledge machinery as before to ensure that they are computed correctly now in the paper we show how to further optimize this process until eventually we can show that if we take into consideration the fact that in the future less parties participate in the computation and therefore we have less communication then taking into consideration this fact we basically have a process to remove a semi-corrupt pair which is almost communication free so we have seen how to find a semi-corrupt pair we have seen how to remove a semi-corrupt pair once it was found and these things together allow us to achieve full security so let's summarize our protocol and analyze its communication cost so the parties first compute a circuit C or a segment C with a private multiplication protocol and here each party sends a constant number of elements per gate then the parties run the verification step and in the worst case if cheating took place they need to call log C times the verification sub-protocol and in each call the number of elements per party is logarithmic in the size of the circuit and the number of rounds is constant using Fiat-Chemere there is also constant number of calls to a broad-route channel which cannot be avoided in our honest majority circuit so overall the amount of communication is linear in the size of the circuit plus an additive term which is sub-linear in the size of the circuit and the number of rounds is proportional to the depth of the circuit plus a term which is logarithmic in the size of the circuit so with this I will end my talk the full version of the paper is on e-print thank you very much for listening