 Okay, so let's see what's an encryption switching protocol. It's a two-party protocol introduced by Couteau, Peters and Poichwell last year at crypto. It involves two homomorphic encryption schemes with threshold encryption. One will be additively homomorphic with a red color and one will be multiplicatively homomorphic. And we want to have protocols for switching from an encryption of M with the additive protocol to an encryption of the same M for the multiplicative homomorphic encryption scheme. So this switch protocol will be a two-party protocol and we want to have the reverse protocol from the multiplicative encryption to the additive encryption. So for the talk, the red box will denote an additive homomorphic encryption of M and the blue box, a multiplicative one. So these kind of encryption switching protocols give naturally rise to a secure two-party computation protocol. Let's see that with an artificial example. We have that function where A is the secret input of Alice and B the secret input of Bob. So Alice and Bob starts to encrypt the secret using the additive encryption scheme and send the encryption of A and B to each other. And then both Alice and Bob can compute an additive encryption of A plus B and A minus B. And then they use the switch protocols from the additive encryption to the multiplicative one. And then both can compute each on their side the encryption to the power U and V by the traditional explanation algorithm. And then since we want that function with a plus, we have to switch back to the additive protocol and then both can compute the encrypted result and then decrypt it to refer to party decryption to get the result. So here we have a constant number of runs with respect to the exponent U and V and a log of U and log of V operation to compute that power. So with this kind of... this is an artificial example but this gives you an idea on which kind of function encryption switching protocols are efficient both in terms of number one and computation for two-party computation. So let's see in more details the original construction of Kuto at Ali. For the instantiation they use the Payet encryption scheme for the additive homomorphic scheme which is defined over Z over NZ where N is an RSA integral. And they use Elgamal for the multiplicative scheme. So the main technical problem is that Elgamal is traditionally defined for the square of Z over PZ. You can define it for the set of elements of Jacobi symbol 1 in Z over NZ but in order to extend it to the whole group they have to design a clever solution in order to not lead the factorization of N and this gives a complex threshold description for Elgamal and this results in a large number of runs and it seems that it makes a generic approach for designing such protocol impossible. So our alternative is to use a scheme that we designed with Fabian Lagumi two years ago at CTE USA instead of the Payet scheme. So this CL scheme has a message space which is Z over PZ where P is a prime. So we use that and for the multiplicative scheme we stick with Elgamal so we only have to extend Elgamal over the whole group Z over PZ which is a lot more simple than the case of Z over NZ. This gives rise to a natural threshold description and reduces the number of runs of the original construction and by looking, inspiring by the construction of Couto at Ali this gives rise to a simple generic construction. So we see more details of that construction. So first let's see some building blocks. So first we use a linearity of its encryption scheme. Use that previously but let's see that in more details. So it's a public encryption scheme and we suppose that the set of playtakes is a ring and if we have an encryption of M and N prime we have a public function that takes the encryption and the public key and gives an encryption of the sum of M and N prime. And we also have an operation, sort of scalar multiplication. There's a typo, it should be an A here that takes the public key, the encryption of M and A and gives an encryption of A times M where A is open text. So an example of linearity homomorphic encryption scheme are the global thermally scheme which takes the space Z over 2Z, the body scheme that we saw and the scheme with Fagina-Gyomi that takes Z over PZ where P is a prime. There are many others, that's the one that I will use here. We also want two-party decryption for our scheme, our encryption scheme. So this is a special case of threshold system. We only have two-party here. So to fix the notation, SKA will be the share of the circuit key of Alice. SKA will be the share of Bob. We do encryption as usual and for our generic encryption we suppose that the decryption protocol is in a single one. That means that Alice has an encryption of M, combines it with a share of the circuit keys, do some computation and sends the result to Bob and Bob finish the computation with his share and output M. There is no other round and this is critical to prove the security of the generic encryption that there is only a single one. Another big box that we use is a protocol for multiplication for linear encryption an interactive protocol. So we can see this protocol in many works on MPC with linear encryption. For example, in the paper of Commander of the Garden of Nielsen. Alice and Bob start with encryption of X and Y, additive encryption and they want to compute an additive encryption of the product of X and Y. So Alice starts to sample a random non-zero amount of the plain texture group from X and R, she can compute an encryption of minus R, X. She sends this to Bob. She also compute an encryption of R plus Y and initiate two-partied encryption with Bob. From that Bob gets R plus Y, Y is encryption of X to get that and subtract this to get the encryption of X and Y. So now let's see the generic construction. So we start with the generic construction without dealing with the zero element inspired by the works of Kuto and Ali. So to simplify, we will suppose that the set of plain text is a feed. It can be something that looks like a feed, like Z over and Z where N is an RSA antigo. But we keep it as a feed. We start with our two encryption protocols, the additive one and a multiplicatively morphic one over the set of non-zero, the group of non-zero element. And we suppose that we have a two-partied encryption for both cryptosystem in only one one. As I said before, this allows to prove the zero analysis of our generic construction without any additional properties. So let's see how to switch from the additive protocol to the multiplicative protocol. So now Ali and Bob share for both the additive and the multiplicative secret keys of the scheme. So Ali starts to sample a random element R, non-zero one. She computes an encryption of additive encryption of M times R and an encryption of the inverse of R. She sends that to Bob and initiates a two-partied encryption for the other one. Bob gets M times R in the clear and an encryption of the inverse of R. You can then multiply both to get an encryption of M. And we have the same protocol in the other way around because all that we use here is the property that we have a scalar multiplication. We can multiply a plain text by an encryption. We can do that also with the additive encryption. So we have a simple solution and the reverse is the same. So now how can we deal with the zero element? Again, we followed the ideas of Kuto and Ali. We extend the multiplicative scheme to deal with the zero by defining this bit B, which is one if M is zero and zero if M is not zero. Like this, M plus B will be always non-zero. And we can encrypt it with our multiplicative scheme. And then, in order to decrypt, we have to encrypt B and we want to preserve the morphic properties. So let's see that. If we look at M, the zero element is absorbent. So if we multiply to M, we have that table. And for B, this means that we have an OR gate. And we want to design an encryption of B, which is morphic with respect to the OR gate. Here we deviate from the original construction. We will do that with an additive solution. So if B is zero, we will set an element to zero. If B is one, we will consider a random non-zero element. And like this, if we add that two tables, which is the same as for B, because if we add two random elements, we get a random element if the non-zero element, if the mesh space is sufficiently large. So we get that. So M is M plus B. We encrypt M plus B. That means if M is zero, we encrypt one. And an additive encryption of R with R, a random non-zero element. And if M is zero, big M would be M plus B. So this will be a small M. And we encrypt zero with the additive scheme. And we can decrypt easily from that. So now let's see how to switch. So we still suppose that this is the notation of the previous slide, in the first slide. And to be able to switch, like in the original construction, we suppose that we have a black box and an encrypted zero test to party protocols that form an encryption, an additive encryption of X, gives an additive encryption of the BDB. That is one if X is zero and an encryption of zero if X is not zero. So this can be sketched with gavel circuit, for example. But we treat that like a black box. So now how to switch with this extension of the multiplicative scheme that deal with the zero and to the additive scheme. So we start for an encryption like before. First, we switch the first coordinate like before because big M is always not zero. So we can apply the previous protocol to get an additive encryption of big M. And now we have to see if we are in this case or in this case. And for that we apply the ZT protocol to R. And it can be checked that we give an encryption, an additive encryption of the complementary bits of the BDB. Now we apply our protocol that compute multiplication from two additive encryption. And we get an encryption of bar B times M from the formula here. And we check that this is the additive encryption of M. So this gives our protocol to switch from the multiplicative side to the additive side. And the reverse way is more like the same. We use an ZT protocol. And then it's more simple we don't need to do a multiplication. So the reverse side is a bit more simple. So now let's look at our extension. So now our Mr. Space will be Z over PZ. So as I said before for the additive protocol we use the CL scheme. The CL scheme is an algorithmal type system. And it's defined over a class group of product order. And in this case it will be an order of discriminant minus P to the third. And in this class group we have the property that there is a subgroup of order P where the discrete algorithm problem is very easy. Just a few operations to solve it. And this gives an additive of morphine by encrypting M in the exponent in an algorithmal type scheme. By encrypting an algorithm we get F to the power M. This F is a generator of the subgroup where the DL is easy so we get M. So we don't have to restrict to small messages. And we have homomorphy above the wall Z over PZ. For the multiplicative scheme we use a variant of a Gamal. So we only have to extend that Gamal to form the square of Z over PZ to the wall multiplicative group. This can be done like this. We consider Sophie Germain prime. In that setting minus one is not the square. So here we have the Legendre symbol of M and times M it will be always a square. So this gives M if M is a square and minus M if M is a non-square. And we also encode the Legendre symbol like this with a bit which is zero for square and one for non-square. And we only have to encrypt that bit to be homomorphic over Z over PZ. And we can do that with the Galvasser-Mickley scheme. So we have the Gamal part here and here the Galvasser-Mickley encryption of the bit LM. So that's it for the two schemes. Let's see our result. So first we will look at that. We will compare our one complexity with the original solution. So first for the switching protocol result zero. For the additive to the multiplicative we have the same number of one because this is exactly the same solution. But in the realest part we have the same protocol as before so only two ones. But for the original solution there was that complex FGML decryption step that lead to more one. And for the full homomorphic the full ESP protocol that is with the zero. For the first line again this is the same solution so we have the same number of one. And for the second line we have again four one of gain from that. And the other one comes from the fact that we encrypt the additively the extra bit. So now if we look at the bit complexity so there is two reason. One is with the CEL scheme that relies on the DDH and the other one is a variant with less standard security option. And we can see that we are more or less from the same molecule out there at the original solution. This comes from the fact that the CEL scheme and there's more bits. We have more group element in the PIL scheme especially in this case where P is very large. So to conclude there are other things in the paper. So the CEL scheme use a group of an order. So there are some technicalities to foreshadowing the keys. So we improve the key generation but something with this criterion is standard of uniform. So this is the number of bits of the keys. Here we have a solution that is secure in the almost mysterious model. But it's possible to instead to against active adversary by adding zero knowledge proof. And now for the open problem there is still room for improvement. We saw that there is this external EZT protocol. So it would be interesting to find more other methods to this with the zero element. And maybe of course we have a generic construction. It would be interesting to find other instance for example based on lattices. So this is more less easy for the additive morph scheme but less for the multiplicative one. So that's it. Thanks for your attention.