 So, I'm going to talk about secure computation, high-resonance setting. This is a joint work with Alexander Brock and Professor Hema Tamazi. So, let me start with the notion of correlated private dynamics in short, correlations. Rather speaking, correlations are a fundamental cryptographic resource that helps practice to compute securely over the private data. In a people-setsing phase, a trusted dealer samples IRB from a joint distribution, and then provides IRB to Alice, RB to Bob. In an online phase, Alice and Bob use their secret sets in an interactive protocol to securely compute the intended functionality. So note that the people-setsing phase is independent of the functionality or the input factor of functionality by the parties. And the secret sets IRB are vulnerable to leakage attacks. For example, a malicious Bob can get some additional information about Alice's secret sets and fibro-sets in malicious Alice can obtain some additional information about Bob's secret sets, RB. And in the case of leakage happen, the correlations IRB is called leakage correlations. So a well-studied correlation is a random off-reverse transfer. But before that, let me quickly go over the notion of one-out-two off-reverse transfer. So an OT protocol, an interactive protocol between Alice and Bob, if I can input two bits X0X1 from Alice and a single bit B from Bob, at the end of the protocol Bob learns XB, but nothing about the other bit. And Alice does not know the choice of bit B. So a random off-reverse transfer is a randomized version of OT. It samples to bit X0X1, bit independently and uniformly at random. It provides secret sets X0X1 to Alice and bit XB to Bob. And as I mentioned earlier, the secret sets IRB are vulnerable to leakage attacks. So to address this problem, Isai, Kusilevis, Ochozki, and Sahai introduced the notion of correlation extractors in 2009. So rather speaking, correlation extractors take leakage correlations at input. And it produces secure independent copies of OT. More formally, a NMT epsilon correlation extractor for a correlation IRB, a two-but-T interactive protocol. It takes NB secret sets IRB, which it draws from the correlation. And it produces M independent secure OTs. It allows TBW leakage on the secret sets IRB. And finally, it is secure against semi-honest adversary with a simulation error epsilon. So with that in mind, let me briefly summarize prior work and our contributions. And in this table, N is the size of the secret set, and M is the box in red, T is the leakage resilience, and epsilon is a simulation error. And the last column is the number of rows for the correlation extractor protocol. So the first research about this is from ICOS-L9. They use N by 2, independent copy of ROT. And they are able to get linear input in red, linear leakage resilience, exponential high in security, and the protocol has four rows. And note that the constant alpha, beta, and gamma are very small. And the subsequent work by Ruta, Isai, Masi, and Sahai in 2015 is the same correlation. They improve the leakage resilience to N by 4, but check off the security. So consequently, the security is legible. And the protocol had two rows. They also consider a new correlation, namely the inner product correlations. In general, the inner product correlations over a vector space, F2C by N, EI correlation in which the party gets a vector in FN, so that they are out of order. So using the inner product correlations, they are able to get N by 2 in leakage resilience. Equivalent to high security, two-row protocols, but one out of these. So the question is, can we get the best in all four columns? In other words, can we get linear input in red, linear leakage resilience, equal to high security, and two-row protocol? So our work, so that using the inner product correlations over a suitable lack field, it admits a correlation detector that has high processing rate, N2C by 1 minus small 1, resilience to N by 2 beta leakage, has equaling so high security, and finally, two-row protocol. I can go over the construction of our correlation detector in the next few slides. Let me state our results more formally. So the first main results we saw that for any constant delta in the range, 0.5, there exists a correlation end, there's a two-row correlation detector for that correlation. So that if the number of leakage with T equal to half minus Z times N, then the simulation error is equally small. And in fact, we choose the correlations to be the inner product correlations over a suitable lack field F, where the side of F equal to 2G bath delta N. So our correlation detector is resilient to N by 2 base leakage. The question is that does there exist a correlation detector for the inner product correlations that achieves over N by 2 beta leakage? More generally, can we meaningful about the maximum leakage resilience of any correlation? And our second result answers the questions. We saw that there exists a universal constant epsilon star greater than 0, so that for any arbitrary field F, any N, 1, N by 2 epsilon correlation detector for the inner product correlations has a simulation error epsilon at least epsilon star, where the secret side N equal to K times log side of F. So basically this theorem says that for the inner product correlations with secret side of side N, if we leak N by 2 base from the secret side, it is impossible to eject even one OT. So note that this results both the optimality of the leakage resilience achieved by our detector and the ZIMS 15 detector. So next, let me go over some high level construction overview of our correlation detector. But before that, let me introduce an important concept that needed for the construction. Then is the previous linear function evaluations. Instead of producing OT, our correlations produces linear function evaluations. So an obvious linear function evaluations over a field F, represented as only F, it takes two field elements, A, B, from Alice, and a single field element, X, from both. And it provides Z equal to AX plus B to both. So note that some privacy requirements for the only is that Alice gains no additional advantage in predicting X, and Bob gains no additional advantage in predicting A. And also note that the OT is functionally equivalent to only over ZF2. So with that in mind, let me actually go over the constructions of our correlation detector. So remember that our goal is that given leaky correlations, Alice and Bob want to securely compute M only over ZF2. So our constructions basically is a composition of two steps. So we take the inner product correlations of a log field with the base leakage from the synthesis, and you get one only over the field F. And from one only over the field F, we get M copies of only over ZF2. So note that the first step is a natural generalization of the ZIMS-15 protocol over IP over ZF2, to IP over log fields. I won't go over the detail of the protocol. If anyone interested in the protocol, please see our paper. And in the second step, the main idea is that we embed M copies of only over ZF2 into one only over field F, where F is a log field of characteristic two. And this is one of our main technical contributions. And I want to emphasize that before this, we know how to get multiple copies of only over ZF2 from multiple copies of only over a big field. But we don't know how to do that from one only over a big field. And the efficiency of the embedding depends on the value of M, and the lesser the value of M, the better processing rate. And also this embedding relies on finding solutions to the tricolor sum-free-set problem. And the tricolor sum-free-set problem also has applications in magic multiplications. Now let me state the tricolor sum-free-set problem. We want to find two orders S, S and T, each have M non-negative elements, so that the only solution to the equation S i plus T i equal to S a plus T k is achievable solutions. In other words, i equal to z equal to k. And we want to maximize the size of S and T. So this problem is generalizations of the well-known tricolor sum-free-set problem. And under the constant S i equal to T i, this problem is identical to the tricolor sum-free-set problem. And using existing explicit construction of the tricolor sum-free-set, we achieve M equal to n-tipa 1 minus small 1. And in an ongoing work, we saw that M equal to theta n is impossible. And I want to emphasize that using the solutions to this problem, we can get an embedding. But I won't go over the detail of the embedding. If anyone interested in, you can find it in our paper. And for the rest of the talk, I will talk about the other size, about the maximum liquid resilience. So the question is that, which techniques can be used to about the maximum liquid resilience of any correlation? An existing approach is a partition argument. But z approach have a bottleneck. It applies only to multiple independent samples of small correlations. For instance, we can use a partition argument to show that the correlation ROT is about n by 2. It is resilient to at most n by 4 bits of leakage. However, this technique does not extend to secret sets with a sample from globally correlated correlations. For example, z in the product correlations. So to overcome the bottleneck, we introduce a new measure, namely the symbol partition number. But first, let me introduce the notion of symbol graph. A symbol graph, a bipartite graph, such that each of it created a component, you backlink. And if I click, you come up with a bipartite graph. And the symbol partition number of a bipartite graph is a minimal number of symbol graphs that needed to partition, it exists. For example, this graph is not a symbol graph, but it can be decomposed into two symbol graphs, like this. The same color acts mean the same connected component. So why do we care about z graph? Correlations can be alternatively represented as graphs. And a correlation is a weighted bipartite graph, g, where the left bipartite side, right bipartite graph, is a set of over-symbol private sets, IRB for Alice. And the right bipartite set is a set of over-symbol private set, IRB for Bob. And the weight of the X, IRB is the probability of getting IRB from the correlations. And in our paper and in this talk, we just consider the correlations in which the weights are the same. So for example, this graph represents the inner product correlations over ZF2, ZB2. We can see that 0, 0 is connected to every node on the right, because 0, 0 is orthogonal to every vector on the right. And 0, 1 is connected to 0, 0, 1, 0, but not 0, 1 and 1, 1. Let me show the connection between maximum liquid resilience and symbol partition number. So suppose a graph, g, IRB correlations, and suppose there exists lambda symbol graphs, that partition, that partition, the axis of the graph, g. Then, C E node resilience to log lambda, base of leakage. So intuitively, this lemma say that an upper bound on the symbol partition number, implies an upper bound on the maximum liquid resilience. And finally, let me just give the estimation of symbol partition number for the two correlations we have seen earlier. For the correlations ROT, which you can say is of size N, the symbol partition number is 2 dB of N by 4. It means that the maximum fractional liquid resilience is 1 fourth. And note that our technique subsumes the partition argument. And for the inner product correlations, which you can say is of size S, the symbol partition number is size of F, 2 dB of N by 2. So it means the maximum fractional liquid resilience is at most half. So in summary, we mentioned two contributions. The first contribution is that there exists a correlation that generates N by 6 S. It produces N to the power of 1 minus small 0 1, CQ independent of this. And it is resilient to N by 2 bits of leakage. And the second contribution is that we introduce a graph theoretic measure, the symbol partition number, and it can be used to up about the liquid resilience of correlations. Thank you for listening.