Hello everyone, my name is Yifan Song. Today I'm happy to give a talk about our results, Unconditional Communication-Efficient MPC via Hall's Marriage Theorem, co-authored with Vipul Goyal and Antigoni Polychroniadou.

Multi-party computation allows several mutually distrusting parties to evaluate a function on their private inputs. It guarantees that the protocol execution does not leak anything about the individual inputs beyond what can be inferred from the function output. Usually the functionality is represented as a circuit and in particular, here we choose to use an arithmetic circuit over a finite field. The circuit supports addition and multiplication operations. In this work, we focus on the information-theoretic setting with honest majority and assume a P2P channel between every pair of parties. We are interested in both the semi-honest security and the malicious security with abort. In the following, we use N for the number of parties and T for the number of corrupted parties.

Before we move on, I would like to motivate my talk by answering the following two questions. First, why do we care about unconditional MPC? A key feature of unconditional MPC is that we do not need any expensive cryptographic primitive such as public-key encryption or oblivious transfer, and the protocol is secure unconditionally. Compared with protocols in the computational setting, one major benefit is that the protocols usually do not require complicated and time-consuming local computations. As a result, the most efficient MPC protocols are in the unconditional MPC paradigm.

Second, why do we focus on the communication complexity? Since the local computations are typically simple, often just a series of linear operations, the efficiency of a protocol in the real world is dominated by its communication complexity. The dream in the information-theoretic setting is to achieve O(C) total communication complexity or even less, where C is the circuit size.
Note that it means that with the increase of the number of parties, the communication complexity per party decreases.

In the so-called optimal threshold setting, where T is equal to N minus one over two, the best known results require order of N times C total communication. When we move to the suboptimal case, there is a gap K between T and N minus one over two. The work by Franklin and Yung introduced the packed secret sharing technique, which allows storing multiple secrets within a single sharing. Relying on this technique, they showed how to evaluate K copies of the same circuit, such that the amortized communication complexity per circuit is order of C. Later on, DIK10 and GIP15 showed that the packed secret sharing technique can be used to evaluate a single circuit with communication complexity order of log C times C. On the other hand, GIOZ17 used the idea of selecting a small committee and achieved order of log N to the power of one plus epsilon times C communication complexity.

Two recent works published in Eurocrypt also tried to solve this problem. The work GSY21 combines the idea of the packed secret sharing technique and selecting a small committee and achieved order of C offline communication plus order of log N to the power of one plus epsilon times C online communication. We can see that the desired efficiency is only achieved in the offline phase. The work BGJK21 focused on a class of circuits that have highly repetitive structures and showed that order of C communication complexity can be achieved on this restrictive class of circuits.

Many attempts towards solving this question lead to our following question. Is it possible to construct information-theoretic MPC protocols for computing a single arithmetic circuit with total communication complexity order of C? In this work, we answer this question affirmatively by showing the following theorem.
For all K smaller than N minus one over two, there is an information-theoretic MPC which computes a single arithmetic circuit against N minus one over two minus K corrupted parties with communication complexity order of N minus one over K times C. Note that when K is equal to order of N, the achieved communication complexity is order of C. An example corollary is that when T is 0.49 times N, the achieved communication is order of C.

Our work makes use of the packed secret sharing technique. In the standard Shamir sharing we use a random polynomial to add a single evaluation point. The idea of packed Shamir sharing is to have multiple secret slots, as illustrated in the picture. Let X be a vector of dimension K. We will use square brackets of X to represent a packed Shamir sharing of the secret X. Like the standard Shamir sharing, the packed Shamir sharing is also linearly homomorphic, namely adding two sharings of X and Y yields a sharing of the secret X plus Y.

In general, to evaluate a single circuit via packed Shamir sharing we may want to pack K values within a single sharing and evaluate a batch of K gates each time. However, there are two difficulties with this approach. The first difficulty is the need of aligning input sharings. Because each packed sharing contains a vector of K secrets, basic protocols for addition gates and multiplication gates only support coordinate-wise operations. This requires the secrets to be in the correct order to obtain the correct answer. During the evaluation we may encounter the scenario where the secrets are not in the order we want. For example, all parties hold an output sharing from the last layer which contains the secrets X1, X2 and X3. But to compute the addition gates in the current layer, all parties need to hold an input sharing of the secrets X2, X3 and X1. We need to design an efficient protocol for secret reordering.

The second difficulty is the need of collecting secrets from multiple sharings.
During the evaluation, the secrets we need to be in a single sharing may be scattered in different output sharings from previous layers. In this graph we can see that the sharing we want needs to contain Y1, Z1 and W1, which are scattered in three output sharings from the last layer. We need to design an efficient protocol to collect secrets from different sharings.

Therefore, the whole evaluation works as follows. In the input layer, all parties transform their individual inputs to packed sharings. For each intermediate layer, all parties first prepare input sharings by collecting secrets from sharings in previous layers. We refer to this step as global network routing. Then all parties perform permutations on the secrets of each sharing to obtain the correct order. We refer to this step as secret reordering. Finally, all parties evaluate a batch of addition gates or multiplication gates using the basic protocols. After evaluating all intermediate layers, all parties together reconstruct the final output.

Our main contribution is constructing efficient protocols for secret reordering and global network routing with constant overhead. Previous solutions either have order of log C overhead or only work for a restricted class of circuits.

In this talk, we mainly focus on our solution for secret reordering. Let pi be a linear map that permutes the secrets to the order we want. Then given an input sharing of X, our goal is to compute a sharing of the secrets pi X. In DIK10 this is achieved by first preparing a pair of random sharings of R and pi R, where R is a random vector. Then all parties locally compute the sharing of X plus R, relying on the linear homomorphism of the packed sharing. Next, all parties interactively reconstruct the secret X plus R. Since all parties hold the vector X plus R, they can locally permute this vector and compute pi of X plus R. The final step is to compute pi X by subtracting the sharing of pi R from the public vector pi of X plus R.
This step relies on the linearity of pi.

As noted in DIK10, the main difficulty is to prepare the random sharings of R and pi R efficiently. Although there are known techniques to efficiently prepare a batch of random sharings for a fixed permutation, if only one pair is needed the rest of the pairs are wasted. In the worst case, when we need a different permutation each time, the cost for the wasted pairs will eliminate the benefit of the packed sharing. Therefore we need to limit the number of different permutations. In DIK10 this is achieved by applying a circuit transformation. In this way they only need a limited number of permutations, but on the other hand the circuit size increases by a factor of log C.

Our solution contains two phases. In phase one, we will prepare random sharings only for a limited number of different permutations. In phase two, we show that we can efficiently transform them to random sharings for the permutations we want.

Our starting point is a simple observation. We note that for a packed sharing, all parties can locally decompose it into small components. For example, for a packed sharing of x1, x2 and x3 we can obtain the following three sharings: a sharing of the secrets x1, 0, 0, a sharing of the secrets 0, x2, 0, and a sharing of the secrets 0, 0, x3. The observation towards sharing decomposition is that all parties can locally compute a higher degree packed sharing of each component. For example, to obtain a sharing of the secrets x1, 0, 0, all parties will locally multiply the sharing of x1, x2 and x3 with a sharing of 1, 0, 0. The result is still a valid sharing but has a higher degree, and the secrets become x1, 0, 0.

Now consider a permutation P which maps 1, 2, 3 to 1, 3, 2 respectively. Then we want to prepare the following two random sharings. The first sharing contains the secrets R1, R2 and R3, and the second sharing contains the secrets R1, R3 and R2. We may visualize these two sharings by using the same colors for the same values.
Relying on our observation of sharing decomposition, we can decompose it into three components: the one-one component, the two-three component and the three-two component. Consider three helper permutations q1, q2 and q3. Each of them contains one component we need for the target permutation P. Specifically, the permutation q1 contains the one-one component, the permutation q2 contains the two-three component, and the permutation q3 contains the three-two component. If we have prepared random sharings for q1, q2 and q3, we can decompose those sharings, select the components we need and locally add them to obtain the random sharings for the target permutation P. Therefore, to prepare random sharings for the permutation P, it is sufficient to prepare random sharings for q1, q2 and q3.

Because k is the number of secrets contained in a single sharing, this approach requires preparing k pairs of random sharings for each target permutation, which is too expensive. Our observation is that the unused components in q1, q2 and q3 can potentially be used to prepare other sharings.

Therefore we can summarize our two observations as follows. Suppose p1, p2 to pm are permutations we want to perform during the evaluation. Here m is of size order of C. To prepare sharings for permutations p1, p2 to pm, it is sufficient to prepare sharings for a different set of permutations q1, q2 to qm such that these two sets of permutations contain the same number of i-j components for all i and j. Because we want to limit the number of different permutations, our goal is to find such q1, q2 to qm such that they only contain a limited number of different permutations.

We would like to point out that we cannot simply combine any k components we need in a single permutation, since they may not form a valid permutation. An example is when we need the one-one component, the one-two component, up to the one-k component. These k components do not form a valid permutation.
We note that this problem is closely related to graph theory. We first recall some basic notions in graph theory. We say a graph is a bipartite graph if we can divide the nodes into two sets such that all edges are connecting nodes from the first side to the second side. For example, in this graph we can divide the nodes into the left part and the right part. For a bipartite graph, a perfect matching is a set of edges such that each node has degree one. In this graph, the set of edges in red is a perfect matching. Note that a perfect matching corresponds to a permutation. For each edge connecting the i-th node in the left part to the j-th node in the right part, the corresponding permutation p maps the value i to the value j. In this graph, the perfect matching in red corresponds to the permutation that maps one, two, three, four, five to two, four, one, five, three.

Hall's marriage theorem is a well-known theorem in graph theory which has many applications in mathematics and computer science. It provides a necessary and sufficient condition for the existence of a perfect matching in a bipartite graph. In this work, we use a weaker version of Hall's marriage theorem, which states that for a bipartite graph where each node has the same degree, there exists a perfect matching.

Now we connect our problem to Hall's marriage theorem. Suppose p1, p2, pm are permutations we want to prepare random sharings for. We first construct a bipartite graph by inserting the perfect matching corresponding to each permutation. The graph on the right is an example when m is three and p1, p2, p3 are as follows. Note that the number of edges between i and j is the number of i-j components in the permutations p1, p2, pm. Recall that our goal is to find q1, q2, qm with a limited number of different permutations such that they contain the same number of components of each type as the permutations p1, p2, pm.
Therefore, this condition is equivalent to that these two sets of permutations map to the same bipartite graph.

Now we are ready to describe our solution to find the permutations q1, q2, qm. The first step is to find a perfect matching in the bipartite graph. We can show that the graph satisfies the condition in Hall's marriage theorem. Therefore, the existence of a perfect matching is guaranteed by Hall's marriage theorem. In the second step, we repeatedly remove this perfect matching until one kind of edge is used up. Each time we remove this perfect matching means that we choose the corresponding permutation. Note that there are at most k squared different kinds of edges. If the graph is not empty, then we go to the first step and we run the whole process again. Since each time we will use up at least one kind of edge, the whole process will terminate within k squared iterations. In each iteration, we only find one kind of perfect matching, which corresponds to one kind of permutation. Therefore, the permutations we find contain at most k squared different permutations, which is independent of m. Because k is the number of secrets we pack in a single sharing, which is order of n, and m is the total number of permutations we need to perform, which is order of the circuit size, together with sharing decomposition, we can efficiently prepare random sharings for any permutations.

In summary, our idea works as follows. In phase one, we first use Hall's marriage theorem to find a set of permutations with a limited number of different permutations and prepare random sharings only for this set of permutations. Then in phase two, we use the idea of sharing decomposition to transform these random sharings to those for the permutations we want.

We briefly discuss our solution for global network routing.
Because the problem is to collect secrets from multiple different sharings, we point out that the idea of sharing decomposition does not change the positions of the secrets. If we need multiple secrets from the same positions, we cannot obtain a single sharing of the selected secrets just using sharing decomposition. For example, suppose all parties hold three sharings in the previous layers, and they want to obtain a new sharing in the current layer, which contains the first secret of each sharing. Using sharing decomposition, we may obtain three sharings of X1, 0, 0, of Y1, 0, 0, and of Z1, 0, 0. But since they are all in the first position, it is unclear how to directly obtain the sharing of X1, Y1, Z1 from these three sharings. Our solution uses the permutation protocol as a building block and Hall's marriage theorem to achieve what we call the non-collision property. This property ensures that the secrets we want to collect are coming from different positions. This allows us to use the sharing decomposition idea to solve the global network routing. Interestingly, we use Hall's marriage theorem in a different way to achieve the non-collision property.

As a summary of this talk, we first use the idea of sharing decomposition and Hall's marriage theorem to construct an efficient protocol for secret reordering. Then, relying on our efficient protocol for secret reordering, Hall's marriage theorem and the idea of sharing decomposition, we construct an efficient protocol for global network routing. Finally, together with the basic protocols that evaluate a batch of addition and multiplication gates using packed Shamir sharing, we obtain an MPC protocol that achieves O(C) communication complexity. Thank you.
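
The phase-one search described in the talk (build the bipartite multigraph from the target permutations, find a perfect matching, remove it until one kind of edge runs out, repeat) can be written out as follows. This is an added example, not code from the talk or the paper; positions are 0-based, the function names are hypothetical, and the matching step uses a standard augmenting-path search as an assumed choice.

```python
from collections import Counter

def perfect_matching(count, k):
    """Augmenting-path matching over (i, j) edges that still have copies left.
    Returns q with q[i] = j (0-based), i.e. one permutation of range(k)."""
    owner = [-1] * k                      # owner[j] = left node matched to j

    def augment(i, seen):
        for j in range(k):
            if count[(i, j)] > 0 and j not in seen:
                seen.add(j)
                if owner[j] == -1 or augment(owner[j], seen):
                    owner[j] = i
                    return True
        return False

    for i in range(k):
        if not augment(i, set()):
            raise ValueError("no perfect matching: graph is not regular")
    q = [0] * k
    for j, i in enumerate(owner):
        q[i] = j
    return tuple(q)

def helper_permutations(perms):
    """Return [(q, copies)] with the same multiset of (i, j) components as
    perms, using at most k*k distinct permutations q."""
    k = len(perms[0])
    count = Counter((i, p[i]) for p in perms for i in range(k))
    plan = []
    while sum(count.values()) > 0:
        q = perfect_matching(count, k)    # exists: every node has equal degree
        copies = min(count[(i, q[i])] for i in range(k))  # until one edge kind runs out
        for i in range(k):
            count[(i, q[i])] -= copies
        plan.append((q, copies))
    return plan

def components(plan):
    """Multiset of (i, j) components in a weighted list of permutations."""
    return Counter((i, j) for q, n in plan for i, j in enumerate(q) for _ in range(n))

if __name__ == "__main__":
    # Constructed input: m = 6 target permutations on k = 3 positions.
    targets = [(0, 2, 1), (1, 0, 2), (2, 1, 0), (0, 2, 1), (1, 2, 0), (0, 1, 2)]
    print(helper_permutations(targets))
```

Each returned pair says how many random sharing pairs to prepare for that helper permutation; the copies always sum to m, while the number of distinct helper permutations stays within k squared regardless of m.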