Okay, do you hear me? I'm going to talk about round-optimal secure multi-party computation without setup. In our setting, the adversary is going to be polynomially bounded, malicious and static. The main question we're going to address in this talk is whether we can construct round-optimal MPC protocols. But what are the rules of the game? First, we don't want to assume any trusted setup. We want to accommodate malicious adversaries, and also we want to build protocols under standard polynomial time assumptions. But what is the optimal round complexity? Garg et al. gave a lower bound of four rounds, restricted to black-box simulation. That said, we're going to ask whether we can construct four-round MPC protocols under all these conditions. The first work in this space achieved a round complexity that grows with the depth of the evaluated circuit. Then the work of Beaver et al. introduced the first constant-round protocols for the restricted setting of honest majority. Then we had the first constant-round protocols in the dishonest majority setting. And very recently we also had the first six-round protocols. And also Garg et al. showed that the lower bound is four. And we also have five-round protocols and four-round protocols. So there's the catch: these four-round protocols are not based on polynomial time assumptions. And in this talk, we're going to construct the first four-round MPC protocol under all these conditions. Here are our results: assuming injective one-way functions, ZAPs, which are two-round witness indistinguishable proofs, and additively homomorphic encryption, we construct four-round malicious MPC protocols, and we can instantiate all these primitives from enhanced trapdoor permutations and LWE or QR or DDH or DCR, or from the single assumption of QR. Our work does not stand alone in this space. There's also the concurrent work that you just saw.
And there they assume injective one-way functions, dense cryptosystems and two-round OT, and they can instantiate all these primitives from QR, DDH, DCR and LWE. So a common paradigm that we use to achieve malicious security is the GMW paradigm. In this paradigm, we start with a weak variant of an MPC protocol, like a semi-malicious protocol, and then we use zero knowledge to lift this protocol to malicious security. So there are works that follow this approach, and they use four-round non-malleable zero-knowledge proofs to achieve that. So they build four-round protocols, and then they saw that it's enough to prove correctness of the third and the fourth round of their protocol. So they plug in a four-round zero knowledge to prove the correctness of the third round and a four-round ZK to prove the correctness of the fourth round. And even if we have a two-round protocol, again we need to prove the correctness of the first and the second round, so we again have a four-round protocol. So can we do better than that? There are works that, in fact, replace the four-round zero-knowledge proofs with three-round zero-knowledge proofs, and then they end up with four-round protocols if we have a three-round zero knowledge. But the price they pay to reduce from four rounds to three rounds is complexity leveraging, and then the protocol only assumes sub-exponential assumptions. And in fact, we cannot build a three-round zero-knowledge proof with black-box simulation. So in our approach, we're going to replace the zero-knowledge proofs with the weaker tool of witness indistinguishable proofs. And even if we use this weaker tool of witness indistinguishable proofs, which provides weaker correctness guarantees, nothing is lost as long as we build the final protocol so that it gives the same level of security as the zero-knowledge proof offered. This brings me to our approach. We'll build a four-round semi-malicious MPC protocol.
And then we use three-round WI proofs to prove correctness of our third round, and that will bring us to a four-round protocol. So following this philosophy of replacing the zero-knowledge proofs with WI proofs, many obstacles arise, and we used one technique after the other to overcome these difficulties. Here is a one-minute elevator pitch for our approach. Suppose I'm in an elevator with Moti and Jesper. We first build a semi-malicious MPC protocol, and to prove the correctness of this protocol we don't use zero knowledge, we use WI proofs. And to do that, we use the time-tested approach of the Naor-Yung paradigm, for those of you that are familiar with it; I think Moti is familiar with it. But doing that, we need to weaken the NP statement of the WI proofs, and by doing that, the adversary is free to launch some more attacks. In fact, he can launch some additive attacks in the protocol, and we build some new technology to avoid these additive attacks. And finally, we build non-malleable witness indistinguishable proofs from polynomial time assumptions, which was not known before. So in the next couple of slides, I'm gonna give you only the key insights of these puzzle pieces. It's known that secure computation of some function reduces to the secure computation of some randomized encoding. To achieve a four-round protocol, we need a randomized encoding of degree three, because a degree-three randomized encoding can be expressed as the sum of degree-three terms. And for that, we can use a 3-bit multiplication protocol based on two-round OT, which was recently constructed by Ananth et al. So what we are going to do, to compute our function f, is to securely evaluate these 3-bit multiplication protocols, and we compute the sum of them in the fourth round. This is going to be our base protocol at a high level.
Then to make this protocol secure against malicious adversaries, we're gonna replace the WI with zero-knowledge proofs. So the power that we have with the zero-knowledge proofs is that there's a trapdoor that the simulator knows, and he can use the trapdoor to remove the honest inputs of the parties in the simulation. But with WI proofs, the simulator has to follow the honest strategy; he doesn't have any trapdoor. So to use WI proofs, we're going to use the Naor-Yung paradigm, which is the following: if you encrypt something twice, then you prove correctness only on one of the two encryptions. And here we're going to do something similar: we're going to repeat the protocol twice and prove correctness only on one of the two protocols. But you know, life is not simple. This doesn't quite work, because the adversary can inject some errors in these doubled 3-bit multiplication protocols, and we need to cope with these errors. So this is our approach at a high level. And in the next few minutes I have left, I'm gonna show how these three puzzle pieces are connected to each other. As I said, we're using this nice three-round 3-bit multiplication protocol, which involves three parties. They give inputs x1, x2 and x3, and to construct the protocol we use three instances of an oblivious transfer protocol to get the result, which is x1 times x2 times x3. Okay, for this talk, it's not important how the protocol works; it's not required. So now, since we want to incorporate the Naor-Yung paradigm, what we're going to do is run each OT twice. So we're going to have six OTs now instead of three. But as I said before, life is not simple: we cannot do this while achieving correctness and also privacy, and the adversary can inject some errors, because to achieve the security of this protocol we need to weaken the NP statement further. And that's why the adversary is able to introduce some error here. So what do we really want?
We want a randomized encoding which is secure against these additive attacks. So it would have been nice if we could apply the compilers from Genkin et al. These compilers are very nice because they can convert the protocol to a protocol which is secure against additive attacks; it's a generic compiler that we can use. But unfortunately these compilers are not round-preserving. So if we apply these compilers on our previous protocol, then we're not gonna have four rounds; the round complexity will explode. So what we're going to do instead is pick a specific randomized encoding. We're using the BMR encoding, and we're gonna show that any additive attack on that protocol corresponds to an additive attack on the underlying circuit that we are computing. What is the underlying circuit? I mean that if this is the circuit of the function that we want to securely evaluate, I call it C, and if C' is the secure version of the circuit, what we do is prove that any attack reduces to an additive attack on the underlying circuit C. So what did we achieve with that? Why is this fine? Because now we can apply the compilers of Genkin et al. on the original circuit C. Okay, so what the compilers do is take the circuit and transform it to a circuit which is secure against these additive attacks. So we pre-compile the circuit with these compilers, and then we apply the randomized encoding. Okay, so in that way we achieve the round complexity that we want. And the take-home message here is that we can in fact build a randomized encoding which is secure against additive attacks, and maybe it can find some other applications. So to conclude, we have the first round-optimal MPC protocol without setup in the presence of malicious adversaries under standard polynomial time assumptions. And these are the instantiations of our protocols.
And there are many open problems, but I'll leave you with one main open problem, which is to build a four-round malicious protocol from minimal assumptions like four-round malicious OT. And with that, I will end the talk. Thank you.
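The base protocol and the additive-attack model from the talk, as an added toy model that is not the speakers' protocol or code: a function given as a GF(2) polynomial of degree at most three (standing in for a degree-3 randomized encoding) is evaluated by running one 3-bit multiplication sub-protocol per monomial and XOR-ing the results in the final round. The sub-protocol is modelled as an ideal functionality that hands out XOR-shares of x1·x2·x3 (the real OT-based construction is not reproduced), and the only deviation a corrupted sub-protocol is allowed is an additive error bit on its output. `MAJ3`, `mult3`, `base_protocol` and `attack_is_additive` are names chosen for this example; the majority-of-three polynomial is a constructed sample input.

```python
import secrets
from itertools import product

# Constructed sample input: majority of three bits as a GF(2) polynomial,
# maj(a, b, c) = ab + bc + ac. Monomials are tuples of input-bit indices.
MAJ3 = [(0, 1), (1, 2), (0, 2)]


def eval_poly(monomials, x):
    """Evaluate a GF(2) polynomial, given as a list of monomials, on bit vector x."""
    acc = 0
    for m in monomials:
        term = 1
        for i in m:
            term &= x[i]
        acc ^= term
    return acc


def xor_share3(bit):
    """Split one bit into three XOR-shares, one per party."""
    r1, r2 = secrets.randbits(1), secrets.randbits(1)
    return [r1, r2, bit ^ r1 ^ r2]


def mult3(x1, x2, x3, error=0):
    """Stand-in for the three-round 3-bit multiplication sub-protocol (assumed
    ideal here): the three parties obtain XOR-shares of x1*x2*x3. `error`
    models the single deviation the talk's analysis leaves to a malicious
    party, an additive (XOR) error on the sub-protocol's output."""
    return xor_share3((x1 & x2 & x3) ^ error)


def base_protocol(monomials, x, errors=None):
    """Rounds 1-3: one mult3 per monomial of degree <= 3 (shorter monomials are
    padded with constant-1 inputs). Round 4: every party contributes the XOR of
    all its shares, and the output is the XOR of the three contributions.
    `errors` maps a monomial to the error bit injected into its sub-protocol."""
    errors = errors or {}
    acc = [0, 0, 0]
    for m in monomials:
        inputs = [x[i] for i in m] + [1] * (3 - len(m))
        shares = mult3(*inputs, error=errors.get(m, 0))
        for p in range(3):
            acc[p] ^= shares[p]
    return acc[0] ^ acc[1] ^ acc[2]


def attack_is_additive(monomials, n_inputs, errors):
    """Check, over every input, that the honest run computes the polynomial and
    that injected errors shift the output by exactly their XOR, i.e. the
    adversary's power on this encoding is an additive attack on the output."""
    shift = 0
    for e in errors.values():
        shift ^= e
    for bits in product((0, 1), repeat=n_inputs):
        x = list(bits)
        honest = base_protocol(monomials, x)
        attacked = base_protocol(monomials, x, errors)
        if honest != eval_poly(monomials, x) or attacked != honest ^ shift:
            return False
    return True


if __name__ == "__main__":
    print("honest run correct:", attack_is_additive(MAJ3, 3, {}))
    print("one corrupted sub-protocol is additive:", attack_is_additive(MAJ3, 3, {(0, 1): 1}))
    print("two errors cancel:", attack_is_additive(MAJ3, 3, {(0, 1): 1, (1, 2): 1}))
```

The point of the check is the one the talk relies on: because the final round is a plain sum, an error injected into any sub-protocol surfaces only as an additive shift of the encoding's output, which is exactly the class of attack that a Genkin et al.-style pre-compilation of the circuit C is designed to absorb.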