 Hi, everyone, I'm Xiao, so I'm going to talk about how to improve authenticated garbling for faster secure two-party competition. So this is a joint work with Jonathan Katz, Simon and Luqi, and Michael Roslick. And so a little bit of advertisement, I'm going to join Boston University and MIT for when your postdoc and I will start at Northwestern since next year. So as we know, there has been a long line of work to how to improve the efficiency of maliciously secure two-party competition in the past 10 years for the concrete efficiency. The first implementation of maliciously secure two-party competition is by Pinkers et al. Roughly 10 years ago. At that time, like a malicious two-party competition, it's going to take roughly a thousand seconds to evaluate an AES circuit with malicious security. And then we have been working with a lot of effort to try to reduce the cost of evaluating AES like in the following 10 years. So the seed of the art is the protocol so-called authenticated garbling that can actually evaluate AES with roughly 37 milliseconds. So if we look with a little bit more detail, so in the semi-honest case, we roughly need like 20 milliseconds to do the base OT and then the rest part of the computation for AES is like a 2 millisecond. For authenticated garbling, the base OT is roughly the same using the seed of the art optical protocol and the rest of the computation is roughly 17 milliseconds. So this is really awesome. And in this talk, we are going to further improve the rest of the computation part by a big margin. So before I talk about the maliciously secure two-party computation, let me first give a very, very, very brief introduction on what is the semi-honest version. So it's a very, it's like the classical Garbo circuit where Alice holding a bid is going to garbo a circuit that represents the function, Alice is also going to send the input key for her own input as well along with the garbo circuit. And then they are going to run some protocol called oblivious transfer to let Bob get the input key for Bob's own input. So here, orange object are kind of constructed by Alice and blue object are related to Bob's stuff. And then Bob getting all this kind, all this object can evaluate the garbo circuit using both parties' garbo key locally and get the result. So authenticated garbling roughly works in three stages. The first stage is called function independent preprocessing, where we actually compute a lot of authenticated version of N-triples, like B-way triples. And then in the next stage is so-called function dependent preprocessing, where we actually use all these N-triples to compute a single authenticated garbo circuit. And then in the last phase is the online phase where they do something like oblivious transfer and stuff to get the input keys, and Bob is going to evaluate it. So in the previous paper, what we can do for 1AES is that the preprocessing takes roughly 3 megabytes of communication, or like 10 milliseconds of time for 1AES. And then the function dependent phase is going to be a garbo circuit. And this garbo circuit contains four rows. It's like the classical version of garbo circuit. And for each row, we need kappa plus row bit. So among these kappa plus row bit, the kappa of them is for the original garbo keys. And the row bit is for the authentication of the masked value. So in this work, we actually improved the function independent preprocessing and the function dependent preprocessing. In particular, we reduced both communication and computation in the dependent phase by a big margin. And then we actually make the state-of-the-art garbling scheme that is the half gate compatible with authenticated garbling. We also strip off the MAC from four row bit to just one bit. So with all this stuff, it means that it actually solved a partially solved one of the open problem that was mentioned in one of the few of the previous papers on how to make half gate compatible with distributed garbling. But we only did it in the two-party setting. This also indicates that, so now if we want to do maliciously secure two-party competition, the only difference is function independent preprocessing. After the function independent preprocessing, the protocol is almost identical. And in the semi-honest case, we don't need any function independent preprocessing. But in the malicious case, we need to construct some authenticated end gate. So let's start with some introduction on the authenticated garbling to give some idea of how the improvement works. So let's start with a bit authentication. In the bit authentication, Alice has a bit X and Bob has an authentication key, that is delta B. So if we want to authenticate a bit, then Bob has a so-called MAC key. And Alice has a MAC on this bit. So the relationship is that this MAC is going to be the same as the key if X is zero and the MAC, and there will be a difference of delta B if the bit is one. And we can generate, let's say if we want to authenticate another bit, we can just do the similar thing except that the global authentication key is the same. The consistency of this global authentication key gives us some kind of XR homomorphic in the sense that if we have MAC on two bits, then we can compute the XR of them locally without interacting at all. So now once we can locally authenticate a bit, then we can authenticate secret shares. It's quite simple because we just need to do it two times with different direction. Now we just need to, so everybody holds one share of the bit and everybody just authenticated their share of the bit to the other party. And the relationship is also symmetric. Okay, so now let me introduce another ingredient of authenticated garbling, which is the garbling scheme proposed by Dan Garda-Ishai in 2005. So here, let's first talk about the invariant in this garbling. So let's say we have a wire A, then in the garbling scheme, Alice is always going to know a masquered bit associated with this wire and also the two garbling labels associated with the wire. As the A valuation goes on, all the wire values is going to be defined. But we don't want any party to learn this value because this is actually, this is some secret value that depends on the input. So instead, we actually let Bob to learn the masquered value of the wire value. That is the head of the alpha, the A. And in addition to that, we also let Bob to learn the garbled key associated with the masquered value. So now let's go to the garbling part of the scheme. So let's say we have an end gate with A and B as the input wire and C as the output wire. So now the garbled table looks like this, which is a little bit complicated. But let's use an example of evaluation to explain what it is working, what it is doing here. So let's assume that actually Bob has two masquered value, one for each of the input wire. Let's say on the A wire, it is 0 and the B wire, it is 1. And from the invariant, we know that Bob also has A0 and B1. So what Bob is going to do to evaluate this gate is that Bob is going to pick the second row corresponding to 0 and 1 and the strip of the hash out of it and get a bit and a garbled label. So now I'm going to claim that using this because of the construction of the garbled table, we actually can make sure that the invariant still holds. So why this is the case? So here is a very simple deviation. So the first equation is by the definition of the wire value. The output value is the end of the input value. And then the second one is due to that we are using the second row. And that is how it is constructed by the Alice. The last two row is because we have a head of A at 0 and a head of B at 1. So if we just do some very simple elementary mess by combining all these equations, we actually get that the output B is indeed the masquered of the output wire. So now let's talk about authenticated garbling. So authenticated garbling, the first step of authenticated garbling, we try to make it computed distributively among two parties. But this is a little bit too complicated, so let me just focus on the first row. So because we want to make it distributively among two parties such that nobody knows the row, so we can let Alice learn the masked bit. So we are going to hide it out of Alice. So let's see how to distributively compute this row. So for the first part, it's quite easy because Alice can compute it directly by herself locally. So it's a part that is after the XOR. Well, so the first part is just one bit, and we can find a way to do it easily. Because what's hard is the second part, because this is a kappa bit garbled key, and we want to compute this kappa bit garbled key distributively among two parties. And this is going to be the focus. So what we are going to do to compute this garbled key distributively is that we are going to align free XOR with authentication. So in detail, let's suppose that we want to compute the label C lambda, where the lambda is a secret bit. So first, we are going to apply the famous free XOR technique, and we express this label XOR with a shift. And then we are going to align the free XOR delta with the authentication key. By aligning these two, we are essentially aligning the labels with the max in the information theoretic MAC. Now we can do some simple math. So since lambda is a secret shared bit, we are going to share it by lambda a and lambda b, each hold by one of the parties. And then now we see that lambda b delta a is actually the XOR of the information theoretic MAC on lambda b. We call that the picture is like this, where Bob has the MAC of lambda b and Alice has the key of lambda b. So now we see that actually the first three part is owned locally by Alice, assuming that they have authenticated a share of lambda. So from a summary, we know it's like if we have authenticated a share of a bit lambda, we can obtain the shares of lambda b delta a, which will give two parties shares of lambda c lambda. So let's take a step back and have a high level view of exactly what's going on. So now if we have a row, we are going to secretly share it among two parties, and we want to compute all the content in the garbled table. And the previous slide already tell us that if we have authenticated a share of the bit, then we can compute authenticated garbled of the corresponding row. Fortunately, this head of the zero is a linear combination of a set of masked bits, that is lambda a, b, c, and lambda a, and b. And similarly, if we have this set of value, we can also compute authenticated shares of other bits, and that actually indicates authenticated garbled of the rest of the rows in the garbled table. So from a high level view, the protocol works like this. We will first compute authenticated end gate, and both parties will get the share of the end gate. Then they will locally compute authenticated garbled on the end shares. Then Alice is going to send here a share of authenticated garbled and the input keys as you are. And Bob is going to reconstruct authenticated garbled circuit locally, and the rest part is essentially identical to the semi-honest case. And Bob later can evaluate this circuit. But there is one problem over here. So the problem is that we haven't ensured the correctness yet, because Alice can essentially just trick the garbled circuit in any way she wants, as long as the garbled circuit is correct. But to compute some function that they don't want to compute on. So the way that we are, the way to handle it is to add a mask on top of it. So now we are going to add a mask on top of the bit that is shared by the two parties. So let's say if Bob actually want to open the first row of the garbled table, then Bob is going to use the authentication Mac key to check that this bit is indeed correct. And by doing so, we can actually make sure that the correctness can be guaranteed. So now the protocol is tricked a little bit. So we are going to, along with the authentication of the authenticated garbled circuit, we are also going to associate four Macs with each of the gate. And during the evaluation, we are going to evaluate and authenticate each of the gate one by one. OK, so now everybody has a little some idea on how authenticated garbled works. Let's talk about the improvement on top of it. So our first party, our first idea is that we don't really want to do this Macs, because they are long, and we need to send it per gate. So let's just get it out. And think about what exactly we want to do. So suppose that actually Bob is going to open the first row, then Bob essentially wants to check that the key that he obtained is consistent with the first Mac. And if it is another case, then Bob essentially wants to check that the updated key is consistent with the second Mac and so on. So this is actually very, very like if we want to do this kind of distributed Mac checking without knowing which Mac we want to check, it's actually very, very expensive. But we realize that we probably can make the masked bit public to both parties. Why this is going to help? Because now everybody know which Mac that they are checking, and the bit is public, then they can actually check the bit, check the Mac essentially for free. It turns out that it is indeed secure to make this bit public. The reason is that this masked bit is masked by a mask that is shared among two parties, where nobody know the actual mask. So this public bit, this bit is actually random to both of the parties. OK, so now we need to check the protocol a little bit. So instead of sending the Mac, we are not going to send the Mac, but we are going to let Bob send all masked wire values to Alice. And this is going to be 1 bit for end gate. And then Alice and Bob can locally control the candidate Mac and do the 2A equality on the whole stream, which is if we amortize it among the circuit, it's essentially free. So now we don't have the Mac. Let's see how to make the Gabor table smaller. So as we go in the semi-honest case, we first have a Gabor row reduction, and then we come with half gate. So let's first do the similar thing in the authenticated case. So as a very high level summary in the authenticated Gabor link, we take the Damgar is shy Gabor link and make it distributed. So our first attempt is that, OK, so we are going to first apply a Gabor row reduction. There is a typo. And then make it distributed to the authenticated Gabor link case. So let's see how to make the Damgar is shy Gabor link compatible with Gabor row reduction first. So this is the Gabor table that we see before. So what is GRR? GRR essentially means that we are going to make the first row as 0. Because if the first row is 0, then we don't need to send the first row. And so if we work out the Mac carefully, it means that we can set the 0 label as this little bit complicated formula. So this implies that the C of head of 0 is going to equal to hash. And if we put it back to the formula, we can find that actually G0 becomes 0. However, it looks fine in the setting where Alice Gabor is locally. It's actually not compatible with the authenticated Gabor link or any distributed Gabor link scheme. The reason is that in GRR 3, the output key actually implies all these masks that we want to keep secret. In particular, let's say if we know C0 and we know C0, A0, and B0, we can essentially just bottle false all possibilities of the mask to find what's actually the correct combination that leads to this formula. So we cannot just use GRR directly. So how are we going to do it? So we are going to think in more general what GRR actually do. So GRR actually means that I don't really want to make the Gabor-Gabor rule 0. I just want to make my communication 0. So this means that, OK, so let's say that we have our original authenticated Gabor link. What we are going to do is that we just want to make this rule as 0, which is a distributed version. If we start from this point, actually it means that the shares should be the hash of the input labels. And if we work out more carefully, it means that actually the 0 label now depends on the input labels as well as some shares. So although this formula looks as if that the output key still depends on the input of all the masks, but actually it does not. It only depends on the input Gabor keys and all the masks on the authenticated AND gate that we are computing. So now if we apply the same idea on the half gate, it becomes much easier to understand. So the first part, to make half gate construction disputatively computed by two parties, this part is easy. We can essentially just distribute the part that is after the hash following the same idea that I mentioned previously. And for the output label, we are going to, and for this, actually the underlying Gabor circuit is the same as the half gate. The formula is the same. And for the output label, we are going to have the shares in a similar way. Although it's written in a similar way, it's actually a different formula for output keys. Because Bob does not have a share of the output keys, then this is the only definition of the output key. And for the more details, please refer to our paper to see how it works. And in addition to the function-dependent preprocessing, we also have a bunch of more optimizations for the function-independent preprocessing that compute authenticated AND gate. So the first optimization is that if we know the function, the circuit in advance, then we don't really need to compute all the authenticated AND gate independently. We can actually apply some optimizations proposed by Araki at all last year, and the reduced number of AND gate, a number of authenticated bit using the protocol. So the second optimization is that we can actually compute the d-key and triples much more efficiently by using some techniques from half gate. But due to the time limit, I won't talk in detail about it. So because of all these optimizations, actually, our protocol works with two versions. The first version actually minimizes the total cost including all stages in the computation. And the second version actually minimizes the function-dependent phase and the online phase, and not including the function-independent phase, where we compute all the authenticated gates. So among previous work, there is only one work in the malicious setting where the function-dependent phase is the same as the semi-honest copper circuit. It is a work in NDSS last year. So compared with their work, actually, we can achieve the same function-dependent and online cost with the total cost roughly five times, four times smaller than theirs. And compared with the best previous result in terms of the total communication, actually, we can pull off most of the computation to the function-independent phase without really increasing the total cost. So now, I would imagine everybody would be very curious about how it works in a multiparty setting. So I'm not going to spend another 20 minutes to talk about it because we actually don't know how to do it. Yeah, so let me give you some idea why this actually, why it is hard. Suppose that we have four parties, we have three of them are garbolas and this gentleman here is the evaluator. And so from almost all distributed garboli, every garbola is going to have a pair of subkeys. And so if we follow the generic paradigm, so what they are going to do is that everybody, so they are going to construct three copies of sub-garbola circuit where each sub-garbola circuit is garbled using one party's garbled keys. So over here, the yellow shares is done by, is for garbola one, the green shares for garbola three and the purple shares is for garbola two. So if we apply, actually we can apply half gate, but even after we apply half gate, we can only reduce the size of the garbola circuit for the garbola themself, which means that it actually does not increase the efficiency a lot. It's at most by a factor, roughly one over the number of garbolas. So what we really want is to reduce the size of the garbled tables for all of the shares, which seems very, very hard. So we think it might be possible, but here are some potential directions. One is that we probably can use some kinds of key homomorphic PRFs proposed last year in Asia-equipped. Oh, we probably need to use some other variant of garbled row reduction. Thank you.