Hi everyone, thanks for joining this presentation on zero communication reductions. My name is Varun Narayanan and this is a joint work with Manoj Prabhakaran and Vinod Prabhakaran. In cryptography we use several information-theoretic primitives like secret sharing, randomized encodings, private information retrieval or PIR, conditional disclosure of secrets or CDS, etc. These primitives are often simple to define and abstract out the essence of various cryptographic problems. They have been extensively studied over the years and are immensely useful in cryptographic constructions with information-theoretic or computational security. In this talk, we introduce a novel information-theoretic primitive called zero communication reductions or ZCR for short. ZCR is a bare-bones model of two-party secure computation. As we shall see, it ties together various other primitives like CDS and private simultaneous messages protocols or PSM and secure two-party computation. It yields new upper bounds and lower bounds for them and also leads us to new open problems and directions. Our contribution is in three parts. Our first contribution is definitional. We define ZCR with varying levels of security and establish it as a central object in information-theoretic cryptography with connections to several other important cryptographic models. We obtain new upper bounds for PSM, CDS and secure computation. All of these upper bounds follow from upper bounds for ZCR, thanks to its central nature. In some cases, this gives us an exponential improvement over known results. In the other direction, we also show that lower bounds on secure ZCR complexity will yield lower bounds for secure computation. Let me elaborate on the upper and lower bound results before getting into the definition of ZCR. Our upper bounds apply to complexity of PSM and CDS and to the number of oblivious transfers or OTs needed for secure two-party computation.
All the upper bounds are obtained via an upper bound on ZCR in terms of information complexity, allowing a small constant statistical error. Our construction uses some recent advances in communication complexity literature. Specifically, we use the connection between information complexity and relaxed partition bound shown by Kerenidis et al. in 2015. Interestingly, in that work, Kerenidis et al. also defined a model of zero communication protocols. Our notion of zero communication reduction could be seen as a significant generalization of their model. Our upper bounds sometimes give an exponential improvement over existing constructions for PSM, CDS, and 2PC. A concrete example is the bursting noise function, which was introduced by Ganor, Kol, and Raz in 2015 as a function with very low information complexity, exponentially smaller than its communication complexity. On the lower bound front, lower bounds are notoriously hard to obtain for many of these information-theoretic primitives. For OT complexity, the best known lower bounds are due to Beimel and Malkin from 2004, and since then there has been no improvement. We can recover these linear lower bounds using the connection to secure ZCR. Further, we present a new linear algebraic complexity measure for a function that can potentially lead to improvements. Our new complexity measure is what we call the invertible rank, which is defined for a matrix representing a function. A superlinear bound on invertible rank of a function's matrix would imply a superlinear lower bound for its OT complexity. Such bounds will also imply lower bounds for circuit complexity and PIR due to their known connections with OT complexity. One may view that as a barrier for proving stronger lower bounds for invertible rank, but we can still pursue OT complexity lower bounds by avoiding these barriers by focusing on existential results or focusing on randomized functions where such barriers do not apply.
One can also hope that our new complexity measure could give a fresh approach to tackling some of these barriers. We present a purely linear algebraic conjecture called the invertible rank conjecture as a concrete target to prove or disprove without running into any known barriers. However, a constructive proof of this conjecture would need to break circuit complexity lower bound barriers. Okay, now let me tell you what a zero communication reduction is. It is a really simple model for a two-party secure computation, where, as the name suggests, the two parties do not communicate at all. In a zero communication reduction of a function f to a predicate phi, Alice and Bob have inputs x and y. Based on the input, each party locally produces a candidate output along with an input to the predicate phi. The candidate output of Alice is A and her input to the predicate is U. Similarly for Bob, the candidate output is B and the input to the predicate is V. We require that the predicate accepts with a minimum probability for all inputs. This is the non-triviality condition. Additionally, the candidate outputs are required to be correct whenever the predicate decides to accept. This is the correctness condition. When the predicate accepts with probability at least two to the minus mu for all inputs, we call it a mu-ZCR of the function f to predicate phi. The smaller the value of mu, the better the zero communication reduction in that the predicate is accepted more often. We will also consider the setting where Alice and Bob have access to a correlation psi, which is of course independent of the inputs, that could help the parties to coordinate. A correlation of particular interest is common randomness. The ZCR definition can be strengthened with varying levels of security. We study ZCR, weakly secure ZCR and strongly secure ZCR or simply secure ZCR. A ZCR has no notion of security and only needs to satisfy non-triviality and correctness conditions.
Weakly secure ZCR or WZCR additionally requires that the inputs are hidden from an adversary who can see the decision of the predicate. The probability with which the predicate accepts needs to be the same for all inputs. In strongly secure ZCR, the adversary can also corrupt Alice or Bob. To ensure security against the corruption of Alice, the view of Alice must be simulatable. That is, for any input X, Y, the joint distribution over R, U and the decision of the predicate must be simulatable using only Alice's input and her correct output. A similar security requirement should also hold for Bob. We now illustrate zero communication reduction with an example. We know that every functionality where Alice computes F sub A and Bob computes F sub B can be reduced to the AND predicate using common randomness. The reduction proceeds as follows. The parties will interpret the common randomness as a uniformly random input pair, X hat, Y hat over here. Alice's candidate output is F sub A of X hat comma Y hat and her input to the predicate is one if her input X matches X hat and is zero otherwise. Bob also uses a similar strategy. The predicate accepts if and only if X hat is equal to X and Y hat is equal to Y. This happens with probability one upon the domain size of the functionality. And clearly the outputs are correct whenever the predicate accepts. The scheme is also weakly secure because the probability of accept is the same for all inputs, but it is not strongly secure since the parties learn each other's inputs. We will later see non-trivial constructions of secure ZCR. Next we present our upper bounds in more detail. The main theorem in this section can be stated as follows. For any epsilon greater than zero, there is an upper bound of two to the information complexity of the function F for all the following quantities.
The communication complexity of epsilon-statistical PSM of the function F, the OT complexity of epsilon-statistical two-party computation of the function F, and the communication complexity of epsilon-statistical CDS with F as predicate. Here we are using the notion of inner information complexity. It is defined as this information-theoretic quantity minimized over all protocols with error at most epsilon under the worst distribution over inputs. Our construction follows the following sequence of connections. We use the bound on relaxed partition using information complexity of the function, which we described in a previous slide. We then construct a WZCR from the relaxed partition. And finally we show that CDS, PSM and 2PC protocols can be constructed using the WZCR. In fact, this can be done from a ZCR itself. To provide the intuition behind this construction, we show a weaker result, an upper bound on communication complexity of statistical PSM in terms of tiling number. Tiling is a partitioning of the truth table of a function into monochromatic rectangles. A rectangle is monochromatic if the function's value remains constant inside the rectangle, and the color denotes the value of the function. Tiling number of a function is the smallest number of tiles needed to tile the function. Given a tiling, we construct an epsilon-PSM protocol. The protocol will be in the order of the number of tiles in the given tiling. Our first step is to construct a WZCR of the function to the AND predicate using common randomness. This construction is quite straightforward. Alice and Bob interpret the common randomness as a uniformly random tile. Each party sends accept to the predicate if their input belongs to the tile that showed up as the common randomness. They use the color of the tile as their candidate output. Since the AND predicate accepts if both parties are in the same tile, the output is correct on accept.
And this is a WZCR as the accept probability is one upon the total number of tiles for any input. The WZCR can be repeated enough times to boost up the acceptance probability to one minus epsilon. We can securely choose the output of the first ZCR amongst these repetitions that was accepted using an efficient PSM protocol. Indeed our constructions of CDS protocols and 2PC protocols using WZCR are also similar to this construction. Our final construction is a generalization of this construction. Consider the notion of the partition complexity, which is a generalization of tiling. Here we want to put weights on monochromatic tiles in such a way that every input XY is covered by tiles of weight one. The goal will be to minimize total weight over all tiles. We show that any partition of a function corresponds to a WZCR with complexity related to the partition complexity. Here a relaxation of the partition complexity called relaxed partition complexity implies a statistical WZCR. We then use this statistical WZCR to build protocols for PSM, CDS and 2PC along the lines of our previous construction. The complexity of such protocols would be exponential in the complexity of the WZCR. The result now follows by appealing to the result that shows that relaxed partition is upper bounded by two to the information complexity of the function. We now move on to our results on the lower bounds on OT complexity. Our main result in this section shows a construction of a strongly secure ZCR using a two-party secure computation protocol. Here we show that using a 2PC protocol for an n-bit function, which uses m OT correlations, we can construct an SZCR that uses common randomness and reduces the function to an m-plus-one OT support check predicate. This predicate checks if its inputs are in the support of m plus one OT correlations. The complexity of the SZCR is in the order of the size of the function and the OT complexity of the protocol.
The theorem implies that a lower bound on SZCR complexity or the size of the support check predicate implies a lower bound on OT complexity. The theorem has two important consequences. Firstly, we can use it to recover the best known lower bound on OT complexity, which is linear in the input size of the function. Secondly, due to the simplicity of the SZCR model, it allows a purely linear algebraic characterization. We use this characterization to define a quantity called invertible rank of the truth table of a function. A bound on invertible rank would imply a bound on the OT complexity of the function. Finally, we give an overview of our construction of SZCR using a two-party secure computation protocol. Our goal is to use a protocol with small OT complexity to construct an SZCR using common randomness with high acceptance probability to a low complexity predicate. The construction uses the following intuition. If, for all inputs, the parties can sample appropriate transcripts and OT correlations, they can use them to produce the outputs locally without communicating with each other. How do we go about sampling transcripts and OT correlations without communicating? Parties can agree on a transcript using common randomness, but since they cannot communicate, it is impossible to sample valid OTs. But instead, they can attempt to independently sample their own part of the OT and use their OT support check predicate to abort whenever they make invalid choices. The party can locally compute their output using their view in the protocol that consists of input, transcript and OT correlation. The following idea is at the core of the way Alice and Bob sample their transcript and OT correlation in this kind of construction. The communication protocols naturally decouple the joint distribution of Alice and Bob's view in the following sense.
The probability of any transcript Q conditioned on inputs and OT correlations is actually the product of two functions, rho and sigma, that depend only on what Alice sees and what Bob sees respectively. Note that rho and sigma here are not probabilities themselves, but they are positive functions whose product forms a probability distribution. Here is an informal overview of the construction of SZCR from a two-party secure computation using m copies of OT. Alice and Bob interpret the common randomness as a random transcript. Alice then samples her side of m copies of OT correlations, say R, with probability proportional to rho of Q, R, X. She then chooses her candidate output based on her transcript, her side of the OT correlations and her input. Similarly, the predicate accepts when all the m copies of OTs chosen by Alice and Bob are valid. When the predicate accepts, that is, the sampled OT correlations are valid, the correctness follows from the correctness of the two-party secure computation protocol. It also inherits its security from the protocol whenever the predicate accepts. The construction almost works, but with the caveat that the acceptance probability varies across inputs. Our final construction fixes this issue by making Alice and Bob send out bot (⊥) to the predicate with appropriate probability that depends on their input. The predicate now does an (m+1)-th check to see if the user has sent a bot. This concludes the construction. In conclusion, we introduced a minimalistic model of secure computation, which is combinatorially simpler than communication protocols. The simplicity of the model allows for connections to several well-studied models of secure computation. We could use them to show upper bounds on PSM, CDS and OT complexity in terms of information complexity. We also showed that it provides new routes for attacking the problem of lower bounding OT complexity of two-party computation. This concludes the talk. Thank you.
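
The tiling-based WZCR to the AND predicate described in the talk, as an added example that is not part of the talk or the authors' paper: it enumerates the common randomness exactly, checks correctness on accept, confirms the acceptance probability is the same for every input (the weak security condition), and computes how many repetitions push the reject probability below epsilon. The function `f`, the tiling, and all function names are constructed for illustration.

```python
from fractions import Fraction

X = Y = range(3)

def f(x, y):
    """Constructed sample function: 1 iff x >= y."""
    return int(x >= y)

# Constructed tiling of f's truth table: (Alice's rows, Bob's columns, colour).
TILING = [({0, 1, 2}, {0}, 1), ({1, 2}, {1}, 1), ({2}, {2}, 1),
          ({0}, {1, 2}, 0), ({1}, {2}, 0)]

def is_tiling(tiling):
    """Each cell lies in exactly one tile, and that tile's colour is f(x, y)."""
    return all([c for rows, cols, c in tiling if x in rows and y in cols] == [f(x, y)]
               for x in X for y in Y)

def alice(x, tile):
    rows, _, colour = tile
    return colour, int(x in rows)   # (candidate output a, predicate input u)

def bob(y, tile):
    _, cols, colour = tile
    return colour, int(y in cols)   # (candidate output b, predicate input v)

def analyse(tiling):
    """Enumerate the common randomness (a uniform tile) for every input pair.
    Returns ({(x, y): Pr[AND accepts]}, outputs-correct-on-every-accept)."""
    accept, correct = {}, True
    for x in X:
        for y in Y:
            hits = 0
            for tile in tiling:
                (a, u), (b, v) = alice(x, tile), bob(y, tile)
                if u and v:                       # the AND predicate accepts
                    hits += 1
                    correct &= (a == b == f(x, y))
            accept[(x, y)] = Fraction(hits, len(tiling))
    return accept, correct

def repetitions(n_tiles, eps):
    """Smallest k such that all k independent runs reject with probability <= eps."""
    k, p_reject = 0, Fraction(1)
    while p_reject > eps:
        k, p_reject = k + 1, p_reject * (1 - Fraction(1, n_tiles))
    return k

if __name__ == "__main__":
    probs, ok = analyse(TILING)
    print(is_tiling(TILING), ok, set(probs.values()), repetitions(len(TILING), Fraction(1, 100)))
```

Because every input pair lies in exactly one tile, the acceptance probability is one over the number of tiles regardless of the input, which is why the predicate's decision alone reveals nothing about the inputs.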