 Hi, my name is Pratik and today I will be presenting our work on efficient and round optimal of previous transfer and commitment scheme with adaptive security. This is a joint work with my supervisor Ran Kaneti from Boston University and Xia Wang from Northwestern University. Today we will talk about secure competition. We consider the two-party setting for simplicity. There are two parties who have the private inputs X and Y. They want to jointly compute a function F on their inputs. To do so, they run a protocol Pi on their inputs and outputs the protocol output. The protocol should satisfy two properties. Mainly it should be correct. That is the function output should be same as the protocol output and the protocol should be secure. That is the protocol should not leak anything about the private inputs besides whatever it is computable from the output. The works of Yao, GMW, Beaver, Mikali and Rockaway presented the first few protocols for secure competition. Since then, secure competition has found numerous applications in privacy preserving machine learning, blockchains and many more. The initial protocols for secure competition were secure only against static corruptions. They provided security when the parties were corrupt at the beginning of the protocol. In this domain, there has been quite a lot of progress. This can be seen from the graph where the works of Yao, GMW and BMR were theoretical feasibility results. But these were later improved to obtain efficient FPC by the work of Lindel et al, Nielsen et al and Lindel River. Then they have been further improved to obtain practically efficient secure competition protocols and they have found applications in blockchains, privacy preserving machine learning and many other stuff. But adversaries in real life are adaptive. That is, they can corrupt the parties during or after the protocol. The first adaptively secure protocol was constructed by Kaneti, Lindel, Ostrowski and Sahai, following the GMW paradigm. In recent years, the works of Ben Mooda and Boyn Ben Mooda et al and Cohen et al obtained round optimal protocols. However, these protocols are theoretical results. In fact, it is really difficult to construct efficient protocols that are secured against adaptive corruptions. Since this is the strongest notion of security, in this work, we try to reduce the efficiency gap for adaptively secure protocols by improving the asymptotic complexity of adaptively secure protocols. We hope that this is a step forward towards improving the practical efficiency of adaptively secure protocols. Economic computation protocols require MPC primitives like Oblivious Transfer, Commitment Scheme, Zero Knowledge and many more. Some main steps towards building efficient MPC protocols involve building efficient MPC primitives. Also, the primitives need to be round optimal so that the underlying MPC protocol is round optimal. But it's really hard to obtain both round optimality and efficiency. This brings us to the question. Can we obtain efficient round optimal primitives? In this work, we address it in the prompt positive. We construct Commitment Scheme and Oblivious Transfer protocols which round optimal provide a better asymptomatic complexity compared to the state-of-the-art protocols and some of them are also secured in the strongest security model, that is, they are secured against adaptive corruptions. Before presenting our results, I would like to recall the security model. Our protocols are proven secure in the real and ideal world model. We consider a real world execution of the protocol where one of the parties is initially corrupt. He runs the protocol with the honest party. Let us denote his input, output randomness and protocol transcript as his view. This is the real world view of the protocol, as you can see. This view should not leak any information about the honest party's input. That is, view a real should not leak anything about y. So how do we capture this? This is captured by considering an ideal world execution of the protocol where the adversary interacts with an external party called the simulator. So the simulator acts on behalf of the honest parties and he has access to the honest party only through the ideal functionality. The simulator has to extract the corrupt party's input from the left-hand side of the left-hand side protocol, that is, the ideal world execution of pi and invoke the functionality with the extracted input x to obtain the correct output, fx, y. Now based on this output, he can simulate the rest of the protocol. Clearly, the simulator does not have any information about the honest party's input besides the protocol output. Similarly, we can denote the ideal world view of the adversary here. We say that the protocol is secure if there exists a probabilistically polynomial time simulator, that is, there exists a PPT simulator S, such that for all PPT adversaries A, the two views, that is, the real world and an ideal world view of the adversary are indistinguishable. We can also consider adaptive corruptions where all the parties are initially honest. The parties can get adaptively corrupted during or after the protocol execution. If a party gets adaptively corrupted, then the simulator has to provide the simulated view of the honest party in the ideal world. The simulated view should be indistinguishable from the real view even though it was constructed without the knowledge of the party's input. Thus, the simulator has to equivocate the simulated view to guarantee adaptive security. This is non-trivial to achieve and it is the strongest security model in MPC. Our work focuses on improving the efficiency of adaptively secure commitment and oblivious transfer. Now we will present our contributions. Our protocols are proven secure in the universal composability model of Kennedy so that the primitives can be seamlessly composed in larger protocols. All our protocols are based on decisional differential assumption. Now, finally, based on DDH, we obtain the following results in the UC model. We obtain the first adaptively secure non-interactive string commitment, previous non-interactive commitment schemes where bit commitments and the required common reference string whereas our scheme works in the common random string model. We will denote the common random string as CRS. Secondly, we obtain multiple results in the oblivious transfer literature in the CRS model and in the random oracle model. We consider an OT protocol where the receiver can get adaptively corrupted and the center can get statically corrupted such an OT protocol is called receiver adaptively secure OT. Such an OT is useful in constructing adaptively secure zero-knowledge protocols. In this regard, we obtain the first receiver adaptively secure OT which has constant exponentiation over it. In fact, our receiver adaptively secure OT requires only nine exponentiations and this is better than the state-of-the-art static OT protocols which require 11 exponentiations in the CRS model. Next, we obtain the first adaptively secure bit OT which requires constant number of exponentiations in the CRS model. Previous protocols required at least kappa square exponentiation where kappa is the security parameter. We also obtain results which are of practical interest. In the CRS model, we obtain the most efficient static OT with eight exponentiations. We also obtain the most efficient static OT in the global random oracle model. It requires only five exponentiations per OT. Finally, we combine our adaptively secure commitment scheme and adaptively secure OT to obtain a two-round adaptively secure MPC protocol in the CRS model that is the common random string model and this is round optimal. Moreover, we show that the size of the CRS depends only on the security parameter and not on the number of participating parties. We can have a short CRS where the CRS size depends only on kappa square independent of the number of parties participating in the MPC protocol. So, we will first describe the ideas behind our commitment scheme and then we will use them to construct our adaptively secure OT protocol. We will briefly recall what is a commitment scheme. A non-interactive commitment scheme consists of a commit phase and a decommit phase. In the commit phase, the committer commits to his input M as a commitment C. In the decommit phase, the committer sends his commitment randomness as the opening. Here, the randomness is alpha. The verifier accepts if the commitment can be reconstructed from M and the opening randomness alpha. The commitment should satisfy hiding that is a corrupt verifier should not derive any information of a message from the commitment. It should also satisfy binding that is a committer should not be able to open a commitment of a message M to a different message M prime. In addition, we require two more properties for the commitment scheme to satisfy use of security. It should satisfy the property of extraction where the message committed inside a commitment can be extracted when the committer is corrupt and the simulator can perform this extraction given the trapdoor of the setup string. Also, it should satisfy equivocation when the verifier is corrupt and the committer is honest. It means that a simulator should be able to commit to a junk message inside a commitment and later open to any valid message given the trapdoor of the setup string. Now, we will compare our commitment scheme with state-of-the-art and apricot secure commitment schemes. There are interactive string commitments in the literature like Damgard Nielsen 02, Damgard Groth 03. So, these commitments commit to a kappa bit message using order of kappa bits that is their string commitments. In the non-interactive commitment literature, the situation is different. All the protocols like Kennedy-Fischlin, Kennedy, Lendl, Ostrovsky-Sahai, Abdel-Lahetal, all of these protocols are bit commitments. That is, they commit to a single bit using order of kappa bits. So, we obtain the first string commitment which commits to polylock kappa bits using order of kappa bits. So, this reduces the efficiency gap between non-interactive and apricot secure commitments and interactive and apricot secure commitments. Moreover, all the other protocols are in the common reference string model whereas we are in the common random string model which is strictly weaker than the common reference string model. So, I would like to point out that our protocol is inspired from the statically secured dual mode commitment scheme of Lendl 15. Before going to our protocol, we will start explaining the dual mode commitment scheme of Lendl. In the scheme, there is a CRS which consists of four random group elements. The committer has an input bit m. He commits to m using randomness alpha. So, he computes capital B is g to the power alpha t to the power m and capital H is small h to the power alpha f to the power m. So, the commitment is capital B and capital H. For decommitting to m, the committer simply sends m and alpha. The verifier outputs 1 if the commitment can be reconstructed from m and alpha lc outputs 0. Lendl showed that the commitment is perfectly binding if the CRS is a non-DG stoople. That is if gh tnf is a non-DG stoople. In such a case, the committer's bit can be extracted using the discrete log of h which is a trapezoid of the CRS. Lendl also showed that the commitment is perfectly hiding if the CRS is a DG stoople. A simulator can commit to a junk message inside b and h and then he can open it correctly to any message given the trapezoid of the CRS. That is the discrete log of t. The two modes are indistinguishable due to the DDH assumption. So, in this work of Lendl, the mode of the commitment is programmed by programming the CRS. That is if the CRS is a non-DG stoople, then it's in the perfectly binding mode. And if it is in the DDH stoople, then the commitment is in the perfectly hiding mode. So, we will try to reduce this problem. We build our commitment scheme where the mode of the commitment can be set during the protocol execution. Instead of putting F in the CRS, we ask the committer to sample and F and send it along with the commitment as a commitment parameter. When the committer is corrupt, we are ensured from the DDH assumption that the commitment is in the extractable mode. That is the tupel G, H, T and F is a non-DD stoople. The simulator can extract M using the discrete log of H by invoking the extractor of Lendl's commitment. When the verify is corrupt, the simulator acts on behalf of the committer. Given the discrete log of T, he can compute F such that the tupel is a DD stoople. This yields the commitment in the equivocal mode and guarantees adaptive security for a committer since he can always produce a valid randomness for any message. Finally, the honestly generated tupel is indistinguishable from the simulated tupel due to the DDH assumption. So, this completes our adaptive security commitment scheme. We also observed that M does not need to be a bit. M can be chosen from a distribution of polylog kappa bits, yielding a string commitment. We cannot extend M to go for kappa bits because our extractor runs polynomial in the message space and so we have to restrict M to polylog kappa bits. Now, we will discuss the primitive of Oblivious Transfer. Oblivious Transfer is a two-party primitive. There is a receiver who has an input choice with B and there is a sender who has two messages M0 and M1. By performing the OT functionality, the receiver obtains the message of his choice that is MB. Now, OT security ensures that a corrupt receiver should not know the other message that is M1 minus B and the corrupt sender should not know the choice with B. We need two more properties for security in the UC model. Mainly, a corrupt receiver's input can be extracted by a simulator and a corrupt sender's input can be extracted by a simulator. We also require that security hold against adaptive corruptions of parties. We consider three types of adaptive corruption. The first one is receiver adaptive corruption, where the receiver can get adaptively corrupted and the sender can be statically corrupted. A stronger version is semi-adaptive corruption where only one party gets statically corrupted and the other party gets adaptively corrupted. Finally, we consider the strongest corruption model where both parties can get adaptively corrupted, which is full adaptive security. So, we will present our UC OT results in this slide and we will compare with other two round OT protocols. All the two round OT protocols have DDH based instantiations and we compare with their DDH variants. Some of them have instantiations from other assumptions. We will discuss them as well. So, firstly, we consider practically efficient results in the random oracle model. So, first we consider the programmable random oracle. In this setting, the state of the artwork by Masini and Rindal construct an OT protocol from DDH assumption. It computes six exponentiation. They have an optimized variant from a non-standard variant of DDH called interactive DDH. So, interactive DDH is not known to be reducible to standard DDH. The computation cost of this optimized variant is similar to the computation cost of our protocol, but we achieve it from standard DDH assumption. So, you can see that they are optimized variant and our version required five exponentiation. Next, we consider the observable random oracle model. So, we obtain the first two round OT protocol, which requires constant number of exponentiation on an amortized scale. Specifically, we required five exponentiation per OT and two NISICS proofs in total, which can be used for multiple OT protocols. The state of the artwork by Kennedy, Jane and Scafuro requires kappa number of exponentiation per OT. Next, we will discuss our results in the common random string model and compare it with other protocols which are in the common reference string model. So, there are no other protocols in the common random string model. The state of the art static OT protocol by Piker, Vacuant and Arthur and Waters requires 11 exponentiation per OT and they have instantiation from LWA and quadratic residuality, but we improve the exponentiation cost to 8 under DDH assumption. We can also add adaptive security for the receiver on top of our static OT protocol and it requires only one extra exponentiation. That is, we can obtain a receiver adaptive OT from nine exponentiation. Meanwhile, the other works by Gurg, Miao, Srinivasan and Benamudha, Lin, Polychronidau and Venkita Subramaniam, they require at least kappa number of exponentiation for each receiver adaptive OT. Finally, we obtain the first adaptively secure bit OT where each OT requires constant number of exponentiation and constant number of NC operations. The NC operations can be performed using the work of Chai et al based on DDH. The only two round adaptive secure bit OT by Benamudha et al requires kappa square exponentiation. Thus, we obtain the first adaptively secure OT with constant number of exponentiation. I would like to point out that the work by Benamudha et al was the first two round adaptive secure bit OT. Now we will discuss our OT constructions in the CRS model. We will first build our receiver adaptive OT, but the receiver's OT message is a commitment to its bit. We will add a sender algorithm to get our receiver adaptive OT. Receiver has input bit B and he commits to B using randomness alpha. He sends the commitment B and H as the OT first message. Sender encrypts her messages M0 and M1 using the commitment. She encrypts in such a way that the receiver can decrypt MB if the receiver has committed to bit B in the commitment. She performs this by constructing encryptions of M0 using randomness R0 and S0. Similarly, she encrypts M1 using randomness R1 and S1. And now the receiver obtains Z0, C0, Z1, C1 and he decrypts MB using randomness alpha. Now if the sender is statically corrupt, then B remains hidden in the commitment due to the hiding property of the commitment. A corrupt sender's input can be extracted by a simulator given the trapdoor of the CRS. Recall that the commitment simulator possesses randomness to open the commitment to both bit values 0 and 1. The commitment simulator can be invoked to decrypt both M0 and M1 using the opening randomness. Please refer to our paper for more details about the extraction process. Next, we turn our attention towards static corruption of the receiver. In such a case, the receiver's input bit can be extracted since the commitment is extractable. It can be observed that the other message which is M1-B remains hidden due to the pad T to the power RB. In fact, the other ciphertext looks pseudo-random to a corrupt receiver due to the digit assumption. So this completes our static security proof. I would refer to our paper for more details. Now if the receiver gets corrupted post execution, then we need to address adaptive security for a receiver. In such a case, the receiver's OT message which is a commitment to his input bit B needs to be equivocated. Recall that this can be performed by invoking the adaptive simulator of the commitment scheme. So this provides us with adaptive security. By optimizing our previous protocol, we can obtain a static OT with eight exponentiation and the receiver adaptive OT with nine exponentiation. We can further optimize our protocol if we consider the random oracle model where the CRS is generated by the receiver by invoking the random oracle on a random seed. In such a setting, we can reduce the number of exponentiation cost to five by using the sender's randomness for different OT executions. Next, we try to obtain a semi-adaptive OT by considering bit inputs for the sender in the previous construction. Recall a semi-adaptive OT is an OT where one of the party gets statically corrupted and the other party gets adaptively corrupted. The previous construction already achieved security when the receiver is adaptively corrupted and the sender is statically corrupted. However, it fails to achieve security against adaptive corruption of sender. This is because the simulator cannot equivocate the ciphertext C0 and C1 without knowing the discrete log of M0 and M1. We address this problem by considering sender's inputs to be bits instead of group elements. If the sender's input is M0, then he samples random ciphertext Z0 and C0, LC encrypts 1 in Z0 and C0. The same protocol is performed for M1. The receiver outputs 1 if Mb is 1, LC outputs 0. We know that Z1-b and C1-b are C2 random due to the redish assumption and this will allow us to achieve semi-adaptive security when the receiver is statically corrupt and the sender gets corrupted post-indicution. If sender is initially honest and receiver is corrupt, then the simulator extracts b and invokes a OT to obtain Mb. He constructs Zb, Cb honestly, but he always encrypts 1 in Z1-b and C1-b. If the sender gets corrupted later after execution of the protocol completes and M1-b turns out to be 1, then the simulator will give out the randomness used for constructing the ciphertext Z1-b and C1-b. So this is identical to the real-world execution of the protocol. If M1-b turns out to be 0, then the simulator claims that Z1-b and C1-b was randomly sampled. So equivocation in this case is successful due to the DDH assumption. Now we can obtain full adaptive security by considering the BLPV transformation which transforms any semi-adaptive OT to adaptive OT using augmented NC. This completes our results related to oblivious transfer. I would refer to a paper for the complete adaptive bit OT protocol. We can also reduce the size of the CRS such that it can be reused by multiple parties for different OT or commitment protocols. We can consider a single master CRS consisting of two kappa plus two group elements. These are random group elements. We assume that every sub-session has a unique kappa bit sub-session ID called SSID. Based on the bits of the SSID, the parties will generate the local CRS for the sub-session. Recall that the local CRS of the sub-session requires GH and a T. So let me denote the T for the sub-session SSID as TSSID. Suppose SSID is all 0 string, then TSSID is generated by multiplying all the U values corresponding to bit 0 of SSID. We show in our paper that the local CRS consisting of GH and TSSID can be used to perform the OT and commitment protocols in sub-session SSID. And the CTH assumption ensures that an adversary cannot compute the trapdoor of the local CRS GH, TSSID. Finally, I would like to conclude my talk by saying that we have more results in the paper. We obtain a two round adaptive security MPC protocol in the short CRS model. We also show that the first message, which is the receiver's message, of a two round receiver adaptive security OT is an adaptive security commitment scheme. Finally, I would like to say that our work improves the efficiency of round optimal UCOTs and make them practical under standard assumptions like DDH. It would be interesting to see if the efficiency can be further improved. Thank you. And this is our full version paper. And here are the references.