 A previous linear fraction, a variation with concept overhead by George G. Gorsch, Jasper Nielsen, and Tobias Nigels. And Tobias is giving a talk. Thank you for the introduction. So, I'm going to talk about maliciously security. Let's start with a small motivation and introduction. Standard setting in deep-body and multi-body computations. The arithmetic computation of the functions. So we have two parties, 21 and 22, and they want to try to compute some arithmetic circuit on their inputs. And the two basic operations that you have to realize that this is a addition and a multiplication, the addition is typically very easy, especially if you look at secretarian-based multi-party computation protocols that the multiplication requires a bit of work. And usually you have this one sub-rotical for the addition and one sub-rotical for the multiplication values. So, as I said, the addition is typically easy and the multiplication requires some work. So that is what we're going to focus on. This is the secure partification of the two values. And formally you can abstract this as an oblivious linear function evaluation. So you have two parties, party 1 and party 2. Party 1 has its input, the value 8, and some random value r. And party b has its input, the value b. And they want to compute linear function a times equals r. So this ODE realizes this kind of functionality. And this gives you a shared multiplication in the sense that party 1 can send its share to b minus r, and party 2 sends its share. It's 8 times b plus r. And if you add these two shares, you get the multiplication a times b. And there are many implicit constructions of such a secure multiplication. For instance, SPEEDS uses thermo-tumor-morphic encryption. Encryption and zero-volve proofs. But this has a comparatively large computational overhead. MESC, for instance, uses Lewis transfer and AES. And the whole protocol is optimized to work with AES and IAS structures. And although the construction itself is not as importantly optimal in the sense of the number of OTs, it uses pure multiplication. The protocol is very fast in practice. And then there's the SIDES, or 90-SHI, Ramakan and Sahai paper. They actually build an ODE, a standalone ODE protocol from Lewis transfer and noisy encodings. But this is only passively secure. And their construction is asymptotically optimal, at least so they have four constructions in their paper. But the most efficient one is as a constant overhead. But this suggests to use this generic transformation of IHS08 from passive to active security to get an actively secure multiplication. That's the MESC in the ad paradigm. So you have to do a lot of bookkeeping and no one really wants to implement it. So although it might be asymptotically the best you can do, apparently no one wants to use it. And we realize that ODE as a black box is not used very often in practical MESC or two-part computation protocols. So most of the protocols like speed or MESC are used at hard construction for the modifications and to some additional tools to get active security. And there's basically no direct construction of active security over the end. What I'm now talking about is how to get it practically efficient and relevant over the sense that hopefully you will be convinced by the end of the talk that it is worthwhile to go to implement or to design an actively secure ODE protocol. So our contribution is on a practical level that's what I'm going to talk about. It's an actively secure ODE with communication complexity and a very small computation overhead. And the construction that we have has an overhead of two over the most efficient passive secure ODE construction. So we basically get active security for free. And on the technical level, that is, I will only sketch some of these points. We use the noisy encodings similar to the ICSL9 paper. We show that all noisy encodings, at the end of the other exception, are resilient against leakage. And noisy encodings are also robust against tempering. I will get to that in a bit. So let's first have a look at how to multiply with passive security. As I said, I want to focus on the noisy encoding version of the ICSL9 paper. A noisy encoding abstractly consists of three algorithms, an encoding algorithm, an evaluation, and a decoding algorithm. This encoding takes as input a value or a vector depending on which type of encoding to use. Outputs is set L. This set L is basically a secret key. And then without an encoding, there's also some public information that I didn't mention here. Then you have an evaluation algorithm that's a homomorphic algorithm that takes as input one encoding and some additional values, E and R in our setting, and outputs a modified encoding, and then there's the decoding algorithm which uses the secret key to output 80 times B plus R. So concretely, if you have this encoding algorithm that you want to encode in element 8, you basically create a chemise secret area or a resolvent encoding of this value 8. So for instance, you can store this value 8 at x equals 0 of a polynomial of between k minus 1. And then you simply evaluate this polynomial in the number of positions. In this case, 4k. So you get a vector of field elements which encodes this element. And then you pick a random error with bait 2k plus 1. And add us now the index set of the noiseless positions. And the encoding is then simply the addition of this vector 8 plus B error. It's somewhat similar to L, L, E, or L, P, N. But it's a different type of assumption. The assumption is also stated in a similar way. So we have pseudo-random assumption which states that the encoding is generated in this way, in this thing, which is from a uniformly random string. And so the evaluation algorithm now basically works the same. You set your input B to be the y to the second of the polynomial B of degree k minus 1 f of 4. Also evaluate this polynomial at 4k positions. The same for a polynomial r. But in this case, this r polynomial which serves basically as a random mask has to have degree 2k minus 2k B twice the degree of input of B. And then you do a point-wise multiplication. So you multiply the first element of B times the first element of the encoding that you get and then you have a random mask. And then you get a noisy encoding of the result. And if you want to decode this noisy encoding because you know the set L as the secret key, you can simply ignore all the noisy positions. And then you can interpolate the polynomial y. This noisy encoding has 2k minus more noiseless positions. The polynomial has degree 2k minus 2 so the interpolation will work. So how do we get from this noisy encoding to a multiplication? Simply we have the two parties, party 1 and party 2. Party 2 encodes its input A, sets this encoding to party 1. And now the parties use a k out of n or t. k in this case is 2k minus 1. So party 1 inputs its homomorphically evaluated encoding into this k out of n or t. And party 2 chooses the noisy positions via its index set. And then you can decode the polynomial. And in the way that I described it, it only gives you one multiplication for n elements that you don't have a constant overhead. Oh, I forgot. So you also get the same shared multiplication as I mentioned before. So if you do the way that I described, you only get one multiplication for n elements. But if you use peck's secret sharing or for resolve encode for the input encoding of this A and B polynomial, then you get constant fraction of inputs into this encoding. You have a constant overhead for a multiplication. So this is the passive secure protocol. And now I'm going to describe how to get to an active secure variant of this. So let's have another look at this passively secure protocol. So what can go wrong? The first problem that we have is that if we want to replace the k out of n or t by a maliciously secure variant, this requires a lot more communication. So at least n of n of t plus some additional assumptions and a lot of work. So that would already destroy the constant communication overhead that we want to achieve. And then obviously, party one and party two might achieve in the generation of this encoding or in the homomorphic evaluation. So to solve the first problem, we build a leaky k out of n of t, leaky in the sense that at most the number of bits of this input set L are leaked. And this leaky k out of n of t requires only n maliciously secure one out of two at ease. And this doesn't work as a generic k out of n of t. It only works if k and n are in the linear size of the security parameter. So we use these n maliciously secure one out of two at ease. And then a roll n, roll remember was the weight of the error vector. We use a roll n secret sharing to enforce that the most size of set L elements of this encoding can be learned. So the protocol is very simple. Party one now has this modified encoding w, party two has this set L, and party one picks one uniformly random value field element e, creates a secret sharing and computes a hash on this value. So this basically serves as a commitment since the commitment on this value e to party two. And then for each of the n, one out of two at ease, party one sends one element of the encoding and one share of the secret sharing. And depending on whether this element is noiseless or not, party two will either pick the encoding or the share of the secret sharing. And now party two, if it's honest, it will be able to reconstruct this value e from the secret sharing. And at the same time, be able to decode. So what we want to prevent is that the party two learns more than two k minus one values of this encoding w because otherwise, as we will see later, it might learn some information about the input. So this, because of the reconstruction threshold, you can be sure that if party two is able to reconstruct this value e prime, then party two learned at most two k minus one elements of this encoding w. And yeah, this hash, as I said, serves basically as a verification so that party two knows that party one didn't select some strange input for the secret sharing, which might be some information about the set l. And party two then has to announce this value e so party one knows that party two was actually able to reconstruct the value e. So that's the first problem. And the second problem is to make sure that the operations are actually carried out correctly. And our main idea is we want to reuse the polynomials that we have to generate for the encodings. So we get this a polynomial for the input of party two, b and r for the inputs of party a one, and then we get the resulting polynomial. And the main trick now is we just pick one random field element. Each party picks a random field element, sends it to the other party. Each party evaluates this random field element. Each party evaluates its inputs on this random field element and sends the result to the other party. And then both parties can locally verify that this relation a times b plus r equals y is actually true. And if anyone cheated during the protocol, then this relation will not hold any kind of negligible probability because we're in a large field. So that's basically the second problem. Let's have a look at the complete protocol. So first of all, we have to slightly change the inputs. We use it for the league k of n of t. We use a random mask instead of directly using the encoding because otherwise, if party two gets dishonest, might actually learn the complete encoding. Then party p one will realize that and import, but the input is deleted. So we have to do it in two steps. So first we use this random mask. After this execution party one is sure that only 2k minus 1 must arrive at party two. Then we do basically the passive secure protocol to the evaluation on this encoding and then lines the encoding by this random mask. And then send this line back to party two which can then decode the noise positions because it has the red mask on it. And then in the end we do the check. So there's two remaining problems. The first is the extraction of the inputs and the second is leakage. So I mentioned before that there's some leakage in the protocol depending on the inputs of party two. The extraction, in the sense we built the whole protocol in the OT hybrid model so we would like to get UC security and it's not really clear. If you look at this protocol here it's not clear if you can actually extract E and R from this encoding W at least it's not directly clear. So the extraction against party one is the protocol, if the protocol succeeds the simulator will get the correct encoding of the result, A times equals R. And it also gets the complete encoding that party one enters into the OT. And then it can simply subtract the noisy version with the non-noise version. So for each noisy position you have two values. And this allows you to basically remove this random mask here and then the simulator is able to compute the value B and once the simulation has the value B it can also compute the value R. So that's the extraction idea against party one and against party two because we simulate the care of energy we simply learn the complete set L and then encode the encoding. So there's one additional problem here this extraction only works if party one doesn't manage to add errors only in noisy positions so if there's an error in the noisy position the check with the polynomials will always lead to an abort of the protocol but we could imagine this scenario where party one manages to add errors in noisy positions and this is not checked by the polynomial because the obvious party will never see any noisy position. So one main result of our paper is that if adversary manages to add more than a number of errors in the noisy positions then it can already break the assumption of the encoding and that is the leakage problem basically if party the same problem in party one chooses inputs that are not checked by the check it can ruin the subset of this set L and we show that if the adversary manages to extinguish the encoding from pseudo-random given this leakage it can already distinguish without the leakage. Okay so I want to highlight some other applications for this we have in the paper the construction of an efficient of this polynomial variation protocol efficient in the sense that we have order of the degree of the polynomial of communication that is probably optimal in the sense that if then in the UC setting then recently we had a CCS paper which uses this OLED as a black box and we go as only constant number of these modifications per authenticated multiplication and also it's statistically secure so the communication overhead of this paper instantiated with the OLED that I just presented is lower than the current but the previous best and quite recently we put a private set intersection protocol which also makes use of this OLED also statistically secure and has an asymptotically optimal communication overhead so there's a lot of possible applications for this OLED and the additional actively secure OLEDs might lead to the efficiency improvements in a lot of different areas thank you so the security assumption that we use is as I said this this noisy resolvment encoding that this is actually pseudo-rad that is right now we don't know a way around this because if you so there was a recent paper at crypto where they built a noisy encoding from LPN from an LPN type assumption but this doesn't give you this multiplication property that we need so if you use an LPN for instance if you use an LPN noisy encoding we don't know how to get this constant overhead for full multiplication so they only get a vector OLED basically where you have one one party has a vector as an input and the other party only has a scaled up and we want to multiply two vectors so that's why we we actually rely on this retall encoding so it's a it's not as good as LWEL or LPN my question is do you think this could complete with a math problem we believe yes so from a computational point of view we have only log n basic field operations per multiplication and we already know that from a communication point of view the overhead would be less than a basket so typically communication is the bottleneck in these two party computation protocols other questions? ok thanks the speaker again