Hello everyone, my name is Muhammad Haris and today I am going to talk on statistical security in two-party computation. This is a joint work with Dakshita Khurana. As I said, this work studies the round complexity of secure two-party computation with black-box simulation and one-sided statistical security. This is the best security achievable by any non-trivial two-party protocol in the plain model.

So let's begin by looking at what secure two-party computation is. As the name suggests, it is a protocol between two parties; each has a secret input, and they would like to evaluate a function on these inputs. This function may generate outputs for both of the parties. In an ideal world, if these parties had access to a trusted third party, then this problem would become trivial, because even if one of the parties is adversarial, it would learn nothing about the input of the other party. But in the real world, no such trusted third party exists, and therefore the parties emulate the trusted third party through a protocol. In this presentation, the party that gets the output is called the receiver and the other party is called the sender. For protocols in which both parties get the output, the party that obtains the output first is the receiver and the party that gets the output second is called the sender. If you look deeper, proving the security of the protocol requires establishing the existence of a simulator that interacts with the ideal functionality and with the adversary to output an adversarial view that is indistinguishable from the adversary's view in the real world, where the adversary interacts with the honest party. Round complexity is important: suppose the parties are a very long distance apart or the network link between them is very slow; then, if the round complexity of the protocol is high, the network latency itself could become the bottleneck for the protocol.
Also, this means that the parties may have to stay online for a longer duration.

Let's first look at some of the known results. For interactive proofs, Polaria et al. have shown that statistical zero-knowledge arguments for NP languages are achievable in four rounds with black-box simulation. Similarly, Goldreich et al. have shown that computational zero-knowledge proofs for NP languages are achievable in five rounds with black-box simulation. In the case of two-party computation against computationally bounded adversaries, Katz and Ostrovsky have provided a four-round protocol when one party gets the output and a five-round protocol when both parties get the output. However, the round complexity of two-party computation that is secure against statistical adversaries in the standard setting of polynomial simulation is not well understood.

In this work, we address this question by settling the round complexity of two-party secure computation with black-box simulation and one-sided statistical security. We do that by proving the following two theorems. Specifically, we prove that assuming DDH, quadratic residuosity or the learning with errors assumption, there exists a four-round two-party secure protocol for general functionalities with black-box simulation, with statistical security against an adversarial receiver and computational security against an adversarial sender. Similarly, we prove that assuming DDH, quadratic residuosity or the learning with errors assumption, there exists a five-round two-party secure protocol for general functionalities with black-box simulation, with statistical security against an adversarial sender and computational security against an adversarial receiver. Note that in Theorem 1 the receiver is statistically secure, and in Theorem 2 the sender is statistically secure. I would like to emphasize that this is the best possible security that can be achieved by any non-trivial two-party protocol in the plain model.
I will explain in a few slides why this is the best possible security that we could hope for. We prove these theorems by providing a single five-round protocol for symmetric functionalities where the receiver obtains the output at the end of the fourth round and the sender obtains the output at the end of the fifth round. This protocol is unconditionally secure against a malicious receiver. However, for the sake of this presentation, I will only discuss the four-round protocol where the unbounded receiver gets the output by round four. We will start with a protocol that is secure against semi-honest adversaries. However, due to a technical barrier, we will not directly transform this protocol into one secure against malicious adversaries. I would like to invite you to check the paper for the details of this technical barrier. Instead, we will first compile this protocol into one secure against explainable adversaries and then into a maliciously secure protocol. Again, for this presentation, I am only going to present the protocol that is secure against explainable adversaries. For the maliciously secure protocol, I would again like to invite you to check the paper. Specifically, we have used an interesting conditional disclosure of secrets protocol to overcome the technical barrier.

A simple way to obtain round-optimal secure computation for general functionalities in the semi-honest setting is to rely on Yao's garbling technique. In this technique, one party, referred to as the garbler, computes the garbled circuit and the labels for the evaluation of the circuit. The garbler sends the resulting circuit to the other party, the evaluator, and both parties rely on a two-choose-one oblivious transfer to transfer the right labels corresponding to the input of the evaluator. The evaluator then uses the labels to evaluate the garbled circuit and recovers the output of the circuit.
Correctness requires that the output of the evaluator is equal to the output of the original circuit. Similarly, security requires that there exists a simulator that simulates the view of a malicious evaluator given only the output. Note that in order to simulate this view, the simulator needs to extract the output of the adversary.

As we discussed, the parties transfer the labels through an oblivious transfer protocol. Let's look at this protocol a little deeper. It is a two-party protocol between a sender and a receiver. The sender has input messages and the receiver has a choice bit, which helps him choose one of the sender's inputs. Security guarantees that the receiver does not learn anything about the other input of the sender, and the sender does not learn anything about the receiver's input. Note that in order to build a four-round two-party protocol, we require a three-round oblivious transfer protocol that is also statistically secure against a malicious OT sender.

Note that using garbled circuits, we can already obtain a round-optimal semi-honest protocol that is secure against bounded adversaries. However, for the unbounded case, a garbled circuit protocol that is secure against an unbounded evaluator only exists for NC1 circuits. In fact, a constant-round two-party semi-honest protocol that is secure against an unbounded sender and receiver in the OT-hybrid model is still an open problem. Therefore, the best we could hope for is a protocol in which only one party is unbounded. Specifically, due to the garbled circuit limitation I just discussed, we first fix the evaluator to be bounded and the garbler to be unbounded, which in turn means that the two-party protocol has an unbounded receiver and a bounded sender. Now, if we use the right OT protocol, we can already obtain a round-optimal two-party protocol that is secure against an unbounded garbler and a bounded evaluator. Let's see what I mean by the right OT.
Recall, our four-round protocol requires a three-round oblivious transfer protocol which is statistically secure against a malicious OT receiver. Unfortunately, no OT protocols achieving malicious security with black-box simulation are known to exist in three rounds. Therefore, we look at weaker forms of OT protocol that are achievable in three rounds. First, there exists an OT protocol with super-polynomial simulation. This is commonly called SPS security. Very roughly, this requires the existence of a super-polynomial simulator that simulates the view of a malicious sender or receiver, given only access to an ideal functionality. Since we also desire statistical security against an adversarial receiver, which is the OT sender, achieving this property requires at least three rounds. Jain et al. obtained a three-round OT with SPS security based on the polynomial hardness of DDH, learning with errors, quadratic residuosity and N-th residuosity.

Another weaker notion of OT that exists in three rounds is distinguisher-dependent security against a malicious receiver. At a high level, the simulator is allowed to depend upon the distinguisher that is attempting to distinguish the real and ideal experiments. In other words, the simulator is only guaranteed to extract the receiver's input if it has access to the distinguisher. Jain et al. obtained a three-round OT with distinguisher-dependent security based on the polynomial hardness of DDH, learning with errors, quadratic residuosity and N-th residuosity.

From distinguisher-dependent security to full-fledged malicious security: note that the OT simulator is distinguisher-dependent. On the other hand, the two-party simulator requires standard simulation security. Therefore, the two-party simulator cannot rely on the OT simulator. Looking forward, our two-party simulator is not going to explicitly rely on the OT simulator.
I want to re-emphasize that we are using an OT that does not satisfy the standard notion of security, but using it, we will still obtain a four-round 2PC protocol that does satisfy standard security. To do that, we develop a new technique that allows us to use OT with a weaker form of security.

So far, we have decided on security against one unbounded party. We have fixed that the receiver is unbounded and acts as the garbler. The sender is bounded and acts as the evaluator. We are also going to use a three-round OT protocol with distinguisher-dependent security. Note that this already gives us a four-round semi-honest secure protocol that is statistically secure against an adversarial receiver and computationally secure against an adversarial sender.

Let's now look at how we can go from a semi-honest secure protocol to a protocol secure against explainable adversaries. Recall that proving security of a 2PC protocol requires the construction of a simulator that interacts with the ideal functionality and generates the view of the adversary. However, in order to generate the view, the simulator must have the adversarial party's input and randomness. Note, from the semi-honest secure protocol, we want to obtain a protocol that is secure against explainable adversaries. Let's look deeper at how these explainable adversaries behave in comparison with semi-honest adversaries. First, semi-honest adversaries follow the protocol. In other words, the simulator samples the adversary's input and randomness uniformly at random. However, explainable adversaries generate messages in the support of messages generated by honest parties. Therefore, the simulator does not have access to the adversarial input and randomness and must do the work of extracting them from the adversarial messages. To enable extraction, we modify the protocol to require the receiver and sender to send extractable commitments to their inputs and randomness in parallel with the rest of the protocol.
Let's have a look at a commitment scheme. A commitment scheme is a two-party protocol between a committer and a receiver, where the committer has an input message M. At a high level, the committer interacts with the receiver to generate a commitment to his message, such that during the decommitment phase the committer can reveal the message and randomness. Usually, these schemes have hiding and binding properties. However, recall that we want to give the simulator a chance to extract the explainable adversary's input. Therefore, we also require an extractability property from the commitment scheme, which means that there exists a probabilistic polynomial-time extractor that can extract the adversary's input from the commitment with overwhelming probability. Prabhakaran et al. obtained a three-round statistically binding and computationally hiding extractable commitment protocol, and a four-round computationally binding and statistically hiding extractable commitment protocol by simply modifying their three-round protocol.

This is our four-round protocol that is secure against explainable adversaries. Recall that in this protocol the receiver is unbounded while the sender is bounded. Note that on top of the garbled circuit, the protocol uses a three-round distinguisher-dependent OT, a three-round statistically binding and computationally hiding commitment scheme, and a four-round computationally binding and statistically hiding commitment scheme. For the sake of simplicity, we have not shown the randomness used by each party. I would like to point out that instead of the circuit corresponding to the function F, the receiver garbles the circuit that computes the encryption of the output of the function. In the next slide, we will see why this is the case. Zooming into the details of our protocol, what ends up happening is that the adversarial sender evaluates the garbled circuit before the simulator gets the chance to extract its input.
Specifically, the simulator against an adversarial sender will only get the adversary's input by round four, using the sender's commitment. However, the adversary will evaluate the circuit by round three. Therefore, the simulator will not get a chance to program the garbled circuit earlier. Note that the simulator could not even call the garbled circuit simulator, because that would also require the adversarial input. This is a key technical bottleneck in our protocol, and in order to resolve it, instead of garbling the circuit corresponding to the function F, the receiver samples the keys for a public-key encryption scheme and garbles the circuit that computes the encryption of the output of the function. The randomness used for encryption is hardwired by the receiver into the circuit. As a result, the sender, on evaluating the garbled circuit, obtains a ciphertext that encrypts the output of the function under the receiver's public key. It must then forward this ciphertext to the receiver, who will use the corresponding secret key to decrypt the ciphertext and recover the output of the function.

In particular, in our proof we build a careful sequence of hybrids where we first extract the adversary's input to the OT protocol in a distinguisher-dependent manner and use the extracted input to replace the actual garbled circuit with a simulated one. Next, we change the output of the garbled circuit from the encryption of the right output to the encryption of the all-zero string. And finally, we replace the simulated garbled circuit with a real circuit that always outputs the encryption of the all-zero string. All the intermediate hybrids in this sequence are distinguisher-dependent. That's all I can say about the explainable secure protocol today. The next step is the maliciously secure protocol. Here, I am only going to say a few lines about it, but for the details of this protocol, I would like to invite you to look at the paper.
Note that oblivious transfer and garbled circuits alone do not provide security against malicious adversaries. For example, a malicious garbler could generate a garbled circuit and labels that alter the output of the honest evaluator. Therefore, by round three, the receiver should convince the sender that it is safe to evaluate the garbled circuit. For this purpose, we rely on a special conditional disclosure of secrets protocol; the details of this protocol are in the paper.

Our work has obtained feasibility results for round-optimal two-party secure computation with one-sided statistical security. This is the best possible security that one could hope for in two-party protocols in the plain model. A natural next question could be: can statistical security be obtained against at least one of the participants in more general multi-party settings? Similarly, another interesting future question could be: what are the minimal assumptions required to obtain two-party computation with one-sided statistical security in a round-optimal manner? Finally, yet another potential question could be: are four rounds necessary to obtain specialized statistically secure protocols, such as statistical ZAPs, from polynomial hardness? That is it for my talk today, and I am looking forward to your questions.