 Okay, so hello everyone. Today I'm going to talk about NPC with friends and foes and this is joint work with Ferran Omryan, the not-pass-king-cherny-asky. So I'll start with an example and specifically I'll talk about secure election and let's say that we have three parties and each of them is chosen between two candidates and Let's say that in this example the parties know that at most one of them is corrupted And let's say that during this protocol they figure out that the second party is being malicious So now the first and the third party knowing that they are honest and you this will protocol instruct them to exchange their inputs and Now each of those party can locally compute who the winner is However, now one of those party. Let's say that the third party actually realizes who the first party voted for Which is problematic. We don't want to reveal who we voted for because later on this could lead to violence All right, so why is this allowed the reason that this is allowed is because in secure multiparty computation We only care about the view of the adversary and we never ask about what the honest party sees during the interaction All right, so you might say there are no one actually construct such protocols But in fact there are actually protocols that utilize this fact and for example There's the two-on-protocol of Ishaetal that uses this fact that the honest parties can reveal information to each other And in order to minimize the run complexity of the protocol Okay, so let's say that we ignore this type of protocols because they only used it to minimize the run complexity And let's say that we were using only classical protocols like gmw or bgw And even then there is a problem with let's say secret sharing scheme And the reason is that the corrupted party can send each show to the other honest parties allowing them to recover the Original input of the other honest parties, which again later on would lead to violence Which leave me to talk about the question in this research And of whether we can extend the classical notion of security to also prevent leakage of information from one honest party to other honest parties And perhaps even colluding subsets of honest parties So let me talk about the most naive way to try and solve this question And we this would simply be to take a protocol that can handle more malicious parties than what was required and I claim that this won't do So first the first reason is that we lose efficiency Second if we still want to keep a certain guarantees like say guaranteed output delivery Then this might be impossible and later on or we show you that free party coin tossing can actually be computed with One malicious party and one semi honest party assuming that they are not colluding and Finally this doesn't even work in general and even though standard protocol like GNW you actually do satisfy this property when increasing the malicious Security threshold actually does help There are protocol where this is not true and Intuitively the reason is that even though we are dealing with stronger adversaries their simulator is also stronger which Which will be problematic in the reduction Which lead me to talk about our new security notion which aims to solve these problems And we call this notion security with friends and foes or far security for short And roughly the extra for security requires the following So again, let's say that we have three parties and we require that for any adversary Corrupting at most tea parties malicious adversary In this example, we corrupt on the one party. We want it to be able to we want to be able to simulate its view Just like in the standard security destination Now additionally we require that any semi honest adversary corrupting at most H start parties in this example again This will only be one We also want to be able to simulate its view and we want to be able to simulate the view Even if the adversary sent not prescribed messages to the semi honest party And of course, I want to stress that we don't only care about simulating this specific semi Semi honest party. We also want to simulate any other possible set of semi honest parties So even the first party to be able to be simulatable So we also introduced several results regarding this new notion The first one is we provide a characterization specifically. We show that I understand that assumption any Multi-party functionality can be computed with th star for security if and only if 2t plus h star is strictly smaller than the number of parties And we also investigate the round complexity requires to do this sort of computation Ensure that assuming pseudo random generators, we can compute any functionality with one one for security in three rounds You can in fact even increase the pressure that we can deal with in those three rounds However, if we want to run then this is already impossible even for one one for security Which give evidence as to why in the shite al protocol the honest parties had to reveal some information to other honest parties And finally we give comparisons to other definitions and show that the standard security notion of t plus h star security Doesn't imply fuff security as one would expect and we even refine this This result and show that mixed security doesn't imply fuff security where mixed security is very similar we require that We can simulate any one adversary that controls some parties maliciously and another subset semi honestly was in fuff security These are two completely different entities to adversaries that are not colluding So now let me give you a more formal definition of fuff security and how we deal with all the subtleties So the definition will follow the real versus ideal paradigm And it will be convenient to view the semi honest parties as as if they are being co-opted by an adversary And it's important to note that this adversary is not colluding with the malicious adversaries And Moreover We let the semi honest party have an output just like honest parties and the reason we do it is because this is necessary in order to protect them from the malicious adversary And finally in the real world We consider adversaries that can send non prescribed messages to the semi honest adversary and they can even do it After the protocol is already terminated So now let me show you how we define the ideal world of fuff security and I'll give you two versions One is full security was guaranteed up to delivery and later on I'll show you how we define security with a book So here we have three parties Let's say that the last one is malicious the middle one is semi honest and the right one is honest In the ideal world we have another trusted party that is always honest that will perform the computation In this ideal world in the first phase the parties will send their inputs to the trusted party or the malicious party can change its input After that the malicious the trusted party will Preform the computation and send each party its respective part of the output So far this is just the standard ideal world However, here comes the new stuff where we require that the malicious adversary will send its entire ideal world view to the semi honest party Which includes its input its auxiliary information its randomness and the output it received from the trusted party and The reason we are requiring to do this is because in the real world nothing prevents it from sending its entire view to the semi honest parties So you know that to handle those kind of adversaries we required The simulator to also send its information to the semi honest input and lastly we need to define the outputs So the malicious party will output some view the semi honest party will output a view and whatever it received from the trusted party Well, the honest party output, whatever it received from the trusted party. Okay, so now let me show you how we define security with a bolt So again, we have the same three parties and the trusted party and in the first phase again everyone just send its input After that the trusted party will perform the computation and in security with a bolt It will first send an output only to the adversary based on this information alone The adversary will later need to decide whether the other parties can receive their output or not However, in fast security Definition that we give also states that the semi honest party to also receive an output in the ideal wall and the reason is that we want to handle protocols where Some of the honest parties might learn some information on the output. However, they will not Output it as their output, but rather they will abort over in the ideal world They will learn it in order to simulate it and so from here the The definition of the ideal world follows the standard way First the malicious party will send its ideal world view to the semi honest party And then it will say to the trusted party either to continue or abort which based on that will either give the output To the honest party or tell it to abort and to the semi honest party will tell it Whatever it received from the other side, either continue or abort and based on this information Each party will output whatever it needs to output, which is either a view or whatever to see it from the trusted party Given that we can now define the security definition of our security and Here we have two flavors of security The first weaker one Requires that the view of the malicious party and the output of both the honest and the semi honest parties to be roughly the same In both the real and the ideal world And the second requirement is that the view of the semi honest party and the output of the honest party to be roughly the same Again in both the real and the ideal world And the stronger notion of security requires that the joint Distribution of all three random variables to look roughly the same in both the real and the ideal world So a natural question to ask is whether or not the weaker Security notion and the stronger security notion are actually equivalent and let me show you that this is not the case So for this example, let me consider the secure channel function We are the first party send its input to the second party without the first part third party learning anything about it And let's consider the following protocol So the first party has been input and it will first compute a commitment Which it then broadcast to both parties and then also send its input to the to the second party which it will then out So I claim that this is Weak fast secure this protocol yet, it's not strong for secure and to give you a test as to why this is weak for secure Let's assume that the bottom left party is malicious and the bottom right party is a semi honest So why why can we simulate it? So the malicious simulator will simply output a commitment of zero While the semi honest simulator will output a commitment of X and X and whatever messages it received from the malicious party, and that's it However, in order to achieve strong security We need that both simulators to output exactly the same commitments, which is impossible in the ideal world So now in the time that I have left I want to talk about in more details about one of the results that I showed you earlier Specifically, I want to talk about the characterization and let's talk with the positive direction so let's assume that 2t plus h star is strictly smaller than the number of parties and I will construct the protocol and the idea is to use player elimination which goes as follows First we show that the GMW protocol Chiefs for security with identifiable about where identifiable about is there is exactly the same as security with abort Only that if the malicious party the malicious Adversary decided to abort then it must reveal the identity of one of the corrupted parties So now the parties will compute an m minus t out of m secret sharing scheme of the output using the GMW protocol and If there was an abort then they have the identity of a corrupted party They can follow it away give it some different value as an input and restart Otherwise the honest the uncorrupted parties have enough information in order to reconstruct the output and so they would do it So why is this protocol secure? Well, notice that the joint view of the adversary and the semi honest parties is by assumptions strictly less than the number of Corrupted the number of shells required to perform the computation So what are the properties of this protocol? So notice that the reduction to security with identifiable abort actually admits strong for security However, the entire protocol achieves only weak for security the reason is that Because the GMW protocol it is With for security and that goes to back to the commitment scheme used in the GMW protocol However, this protocol actually sometimes admits for security for even higher threshold than what was stated in the theorem And this is for specific functionalities such as coin tossing with any uncorrupted majority So extra can be whatever we want but T must be strictly less than half of the parties And we can even compute with input functionalities like three-party X or with one one for security So let me talk a bit about the negative direction Specifically, I will talk about the impossibility of three parties with one one for security We'll show an example of functionality that cannot be computed in this set So let's call this three parties a b and c and we consider the following functionality So a and c each will hold a string and see respectively and be will supposedly hold a one permutation of each of all of those trim And if it does hold the one or permutation of those string Then the output of all parties will be a and c otherwise. No party will learn anything And the idea is that in the ideal world if a is malicious and it changes its input Then a semi-honest be has no information whatsoever on c other than a one or permutation of it So it will not be able to recover it And furthermore in the real world any iron for any iron protocol There is always around where one of the parties a and b or b and c can recover the output We significantly better probability than the other pair and the way to prove this is a simple averaging argument So using these two observations we can use the following we can do the following argument So first assume you're at loss of generality that a and b are the pair that can recover the output to significantly better probability So what will the attacker do it will corrupt a it will act honestly until I round I It will abort and only after the protocol it ended it will send the its entire view to be So let's compare the real and ideal world So why can't we distinguish why can we distinguish between the two worlds? So first let's be denote the probability that b and c can recover a c in the real world So by definition c will out with a and c with probability p Or what does that tells us about the ideal world? Since the only way for c to obtain this output for the honest c to obtain a and c is for the malicious a to send its original input This means that the malicious adversary that corrupts a will send its original input with probability that is roughly p However now what we can say about the semi honest party b is that by our previous observation The only way for it to recover c is for a to send its original input because otherwise it only holds the one or permutation of c So the probability that b can recover c is again a roughly p However, as we already stated in the real world b can recover the output c if probability that it's significantly higher than p Which gives us a clear way to distinguish the real world and the ideal world So if we want to extend this to more parties then we can use a standard player partitioning argument I want to stress is that this Argument actually holds up even fair computation where fair computation roughly requires that either all parties learn the output or none of them do and The reason is that because for the functionality that we consider having the malicious simulator abort is exactly the same as changing the input And furthermore the attacker that we introduced is actually independent of the adversary's view Which means that we can actually apply this attack even while assuming that the parties have access to a simultaneous both So to summarize we introduced a new security notion which we call security with friends and foes Which aims to protect honest parties from other honest parties? And we believe it to be interesting from both theoretical and practical perspective And we also brought some various results regarding these new notions which include characterization of when we can compute any functionality and when we cannot We'll also investigate around complexity showing that three power three rounds is suffices for many interesting thresholds however two runs it's impossible and We also give comparison to other standard definition That's it. Thank you for listening