 and so our second talk will be the exact round complexity of secure computation with Antigone Policerniado, Sanjam Gark, Pratay Mukherjee and Omkan Pandy and Antigone will give the talk. Thanks for the introduction. So I'm going to talk about the exact round complexity of secure computation which is a join world with Sanjam Pratay and Omkan. So this talk is about MPC where like a set of mutual disaster parties try to securely compute a joint function on their inputs in such a way that the honest party received the correct output and the only new information leak is just the output and we want this to hold in the presence of an adversary who can corrupt any arbitrary number of parties and for this talk the adversary will be polynomially bounded, malicious and static and we follow the ideal real paradigm. Okay so in this talk I'm going to address two questions so the first one is what is the lower bound on the round complexity of secure multi-party computation protocols and once we establish this lower bound the question is if we can achieve such optimal round solutions. Okay so Ivan talked a lot about the information theoretic setting and we have a bound but actually it's we if we want to like construct protocols in the information theoretic setting that they're actually constant round we have to find a completely new approach or as Ivan said actually build something analogous to FHC of the information theoretic setting. Okay but if we go to the computational setting actually we do have constant round protocols. Okay so I'm gonna split two cases the two-party case and the multi-party case. Okay so in the two-party case where two parties participate we have a lower bound of five rounds by Katzan Ostrowski but in the multi-party case we actually have only product we don't have a bound and we only know protocols that they run in constant number of rounds and a rough estimate is that the current protocols run in 20 to 30 rounds. Okay so I'm gonna ask the question what is the exact run complexity and if we can have a bound and also moreover in the multi-party setting the standard communication model is that in each round every party can simultaneously send a message. Okay so both parties send a message in the same round and this will hold in the presence of a rushing adversary. So what is the power of a rushing adversary so he can for example first corrupt Alice and he can wait for the message from Bob and then he decides his measures and likewise he can corrupt Bob wait for the message from Alice and then send his message. Okay and this comes in sharp contrast to the setting that we consider in the two-party case where there we have that Alice sends a message but the message of Bob depends on the message of Alice so first he has to receive the message and then compute his message. So there are mutual dependencies in this model and of course this counts as two rounds. Okay so now I'm going to ask then the question is really the bound five rounds in the two-piece setting if we have simultaneous message transmission even in the two-party case. Okay so here are our results so suppose that we have a K round on mullable commitment then we saw that in the two-party case we can have a protocol of max 4 comma K plus one rounds for any general functionality in the two-party setting and actually the fact that we have non-mullable commitment here is not a coincidence and actually the multi-party setting the protocols that we know in the multi-party setting actually they are connected to non-mullable commitments I don't want to say inherently but they are highly connected and then what we also saw for the MPC case we saw that for the coin flipping functionality we can also have max of 4 comma K plus one rounds. Okay and we both saw that four rounds are both necessary as a fifth and we give a construction and if we have a three rounds parallel on mullable commitment we can instantiate it and there's this paper from Panthea, Pasen and Van Guttanathan where they have a non-mullable commitment based on adaptive one-way functions and now we have this recent paper from Carbi Ostrowski series and Visconti they kind of resolve the question of parallel non-mullable commitments based on injective one-way function and using complexity leveraging. Okay so using this instantiation we can actually construct its protocols for coin flipping and two-party circuit computation. So I will start giving you a sketch of the lower bound for coin tossing and then I will give you the four round 2PC protocol. So here is our theorem so we prove that we cannot have a three round protocol for the two-party case for causing this number of coins with black box simulation and of course in the simultaneous message exchange model. Okay so Katz Ostrowski they thought that we cannot have a four round protocol. Okay so now actually in the simultaneous message model we're able to save a round. Okay so let's see how we get this bound so I'm gonna give you only the sense of the proof. So suppose for contradiction that we do have such a three round protocol. Okay so now what I'm going to do is so this protocol is on the right actually your left and I'm gonna reschedule this protocol to a four round protocol which is not in the simultaneous message model but we know that Katz Ostrowski proved that this is impossible. They proved it's impossible to have a four round protocol in the two-party setting. Okay so this will lead to the contradiction in our proof. Okay so let's see now how we can do this rescheduling. So we want to prove that the protocol on the right side yeah on the right side is secure so we have to prove the existence of the simulator. So suppose that in this case Alice is corrupted. Okay so what I'm going to do so since I assume that the protocol on the left is secured that means that there exists a simulator for that protocol I'm gonna call it the inner simulator. So what I'm going to do so my simulator for the right protocol is going to call the inner simulator of this protocol and that will allow me to prove that the right protocol is secure. Okay let me see how let me show you how we're going to do that. So at the beginning our simulator calls the inner simulator and then simulator actually can give us the the first message of Bob and actually he can do that because the protocol is secure in the simultaneous message model so he doesn't need to know the message of Alice. Okay so he can send he can create this message. So once we have this message we can call the adversary he sends the first message and once we have the first message of our protocol that we tried to prove that it's secure we can actually call again the inner simulator given M1 and actually now the inner simulator can give us M2. Okay so now I have M1 tilde and M2 tilde that means that I just reconstructed the first message of Bob in my protocol right and I didn't violate any mutual dependencies. Then I can keep going so now since I reconstructed also these two messages on the right execution I can also run the adversary and take M2 and M3 then I can call again the inner simulator with M2 take M3 tilde and then also send M3 tilde for Bob. Okay so I rescheduled the messages. Sorry without violating any dependencies between the messages okay and that proves that I did the protocol which is four round but we know that this is impossible to achieve. Okay so that really proves my theorem that there does not exist a three round protocol for coin tossing. Okay so I hope I gave you the sense of the proof. So now wake up if you didn't follow. So we also saw something that I told you that we cannot have in three rounds protocol but so that means we can have four rounds if possible but we prove that you cannot have like at least one unit direction and round. Okay you need to have messages everybody should send a message in its round okay and that's important. So let's see why it is important so it would be more clear now. So let's see what is our approach to construct the R2BC protocol so we start with the protocol of Katzostrowski and let's see they give a five round protocol where two parts get the output but the question is if we can make it four where both parts get the output now because we proved an improved lower bound. Okay so this is the scheduling of the protocol of Katzostrowski and if I want also both to get the output then there's also a last message at the end so this is a five round protocol. So now I can ask the natural question why I cannot since I can I want to prove this in the simultaneous message model why I cannot move the last message together with the fourth round message okay but this actually I just told you before that you cannot have messages you cannot have only unit directional rounds you need messages in every round so this is impossible due to our theorem that I told you before. So we must do something while we have messages in both in its round from all parties okay so what we're going to do so I can take a four round protocol for example the Katzostrowski protocol and run it in two different directions so that each party will take an output in its direction okay but there's some issues if I want to do that first is that we need to make sure that everybody uses the same input in both executions that you run like this and also there are also this my ability issue that the adversary can mull with the messages and he can make the messages dependent on the input of the honest party. He can for example simple replay back the messages of the honest party okay so we need to solve these issues and this discussion actually brings me to like our approach so the two main ingredients that I want you to remember is that we need to write two simultaneous executions of the same protocol and then we have to use a non-mullable commitment plus some other stuff but I want you to remember the first two ingredients and then we can build our four-round to BC protocol okay so here is our theorem so assuming the existence of protractor permutations plus a K-round parallel commitment then we can give a protocol with max 4 comma K plus 1 rounds okay with black box simulation with malicious adversaries and in the simultaneous message exchange model okay so here are the tools of our protocol don't be scared so we need the the non-mullable commitments we need actually some proof systems like zero-knowledge argument of knowledge and witnessing distinguishable proofs and we also need the garbled circuits and the semi honest OT actually to compute the function and now I'm gonna show you how we can do semi honest three-round computation and then I will show you how we can make it malicious to reach to our protocol okay so for garbled circuits so we can see garbled circuit as a randomized functionality which takes as input a Boolean circuit and outputs a garbled circuit GC and with with pairs of keys Paris input B of C but for this talk like we don't care how the garbled circuit looks like so I'm just gonna hide it and also the security the guarantee is that for any secret X if I give you the garbled circuit and the labels corresponding to the input in this case the input is 0 1 1 0 then you can compute C of X and like nothing else okay and now I'm gonna show you how using garbled circuits and OT we can build the three round to BC protocol which is semi honest and then also you how to make it maliciously secure so in the first round Bob sends the the labels of the garbled circuit the garbled circuit and he also picks a permutation F okay and actually during the talk I will range from it will be depending the security parameter and big will be either 0 1 because I assume input bits okay and he sends us the garbled circuit and the permutation okay then actually so the the choice of the permutation was the first message of the OT so we are building this protocol using a three round to OT okay so now in the second round Alice is gonna generate the second round of the OT which is actually see picks some random element Z prime and for the for the bit B he applies F on this bit and actually for the bit 1 minus B he just assigns see just assigns the random element okay she sends over Z and then in third round in the third message of the OT the Bob just computes he gets the labels for the bit B extort with hardcore bit of the inverse of the permutation to the Z and then in the last round you can see that if Alice does the sure she can get actually the correct labels for her corresponding inputs okay so if you are familiar with the three round OT it's like I hope it looks better and then Alice since she has the input labels on the garbled secret she can run and then take the output okay and this is the semi honest protocol so now let me get to the malicious protocol I'm gonna use these three messages in my later protocol I'm called S1 S2 and S3 so I told you that in our protocol we run two executions like this but I'm going to show you only the execution where Alice gets the output okay the other execution will be the opposite so we need this I told you to proof system so the first we need is a three round witness indistinguishable proof of knowledge which proof statements of the form ST1 and ST2 where ST2 is decided at the last round of the of the proof system and we also need the four round zero knowledge argument of knowledge and here there's a change so we want this argument to be based on unmanable commitments and let me tell you what we are doing here exactly so if you're familiar with the zero knowledge argument of knowledge it runs to a witness indistinguishable proofs in the opposite directions okay that's the standard zero knowledge argument so in the first one the verifier picks some some one-way function F and computes T1 and T2 on W1 and W2 which are the witness and proves the knowledge of one of the of the two T1 or T2 okay and in the second proof actually the prover proves knowledge of the witness like the theorem like or T1 or T2 okay that's the setting but what we are going to do now it's a simple change but it's very crucial for the proof so we are going actually to commit to S1 and S2 with a non-manable commitment so my notation NM means a non-manable commitment of S1 and actually S1 and S2 will be the simulation trapdoors and this in this way we actually get into effect like the simulation soundness of the zero knowledge okay and the use of the non-manable commitments is very important for our protocol okay so that's the change to the proof system and I'm gonna give you the protocol one more thing so also it's important that in both proof systems the statement that we want to prove is decided in the last round this is very important because important in terms of round complexity because in this way we can save rounds because we were to start to prove our argument our statement in the last round and then we will need extra rounds later so it's very crucial that we need this input delayed proof systems okay so here is the sketch of our protocol so first we need this proof system the zero knowledge proof of knowledge I'm gonna call it FS1 it's a four round protocol okay so I'm gonna like it goes like this and actually this this is important also to prove consistency but also to actually achieve simulation to force the output okay that's the goal of this then we run the witness in distinction proof of knowledge it's a three round protocol okay and actually we need we need this because we need to achieve simulation extractability so from this we are going to extract the input of the parties and then actually we need a non-manable commitment but big but what's the difference here that it's not on the input it's on a random element okay I'll tell you why it's on a random element and not on the actual input and I assume for simplicity but that we have a three round on mobile commitment so you can see the messages and then one and two and three so then what also Bob is doing so he also picks a random element I will call it our prime he sends it over and now actually I'm going to invoke the semi honest protocol that I showed you before as one is from there and if you remember it was the garble circuit together with the permutation but actually what I'm going to do I send again at the permutation but I send the commitment to the garble circuit not the clear garble circuit and also commitments to the labels okay so I send them over then here is the second message of the semi honest protocol but it's changed so what we're doing here so here is the connection between the randomness that we committed in the first round and the input so we also need to do some coin flipping we need to make sure that parties are using coin flips that they are committed to the other party so we have to embed somehow a coin flipping actually this is a half coin flipping because we only need to ensure that Alice is using the right coins because Bob doesn't gain anything if he uses like coins that they are not consistent because he just sends over a garble circuit okay so here we say if x x if the input is one then z i1 we pass it from the trap to permutation and then for the z0 we actually ensure the two randomnesses that we generate in the first and in the second round okay this is actually kind of the coin flip okay and I remind you where this randomness comes from and if x i equals zero then we do exactly the opposite thing okay so this is the second message the s2 actually which is in the third round and then here we have the last message of the semi-nose protocol and where we also remember we send the garble circuit and here we also send the opening of the commitment that we had there and that's actually the protocol and I told you that I'm gonna tell you also what are the statements that we're approving so I told you that the statements are decided at the end so for the VPOC we prove that the first party knows one of the decommitment values to the normal commitment or st3 is that he generated the second step actually not the second step the s2 prime correctly if he constructed it correctly and for the FL for the FS0 knowledge we're proving a statement st2 and st4 so st2 is the statement that he corrected he correctly constructed his second message with the garble circuit the OTs and all these things and also that he also constructed the last oblivious transfers correctly in the fourth round okay so these are the statements and you can imagine that in the in the proof that we get the simulation from the FS extractability from the VPOC but you have to be very careful where you are winding and also it was very crucial that we had the normal commitment to the randomness that allows us in the simulation to get rid of the inputs of the honest parties to prove simulation okay that was just a sketch if you want more details you can ask me offline or see the paper of course and for the coin flipping to finish the talk I don't have time to talk about it but one can think that's okay maybe you can remove the garble circuit and the OT and then have coin flipping right it's not really like this you have to actually change some other things to achieve it but they don't have time to talk about it so let me conclude so actually we revisited the round complexity of two party computation and we saw that we can actually indeed have four round protocols and also for the MPC we established a bound for the multi-party coin flipping functionality which is max of 4 comma k plus one and we also prove that four rounds are both necessary and sufficient so that was for the multi-party coin flipping functionality okay so for general multi-party computation here I have a table where I start from the minimal assumption which is a myonist OT to the stronger one which is IO so you see for the MPC the best that I can give you is only six rounds because what I can do I can use my four-round coin flipping protocol and then I can invoke the two-round protocol of Mukherjee and Daniel Weeks which is a two-round protocol and if you add the rounds this is six rounds okay and the question I'm going to ask is like if we can actually achieve optimal round complexity for MPC and of course get the weaker assumption is possible okay and also you can see for I didn't mention that in the serious model which is a stronger model the bound there is two okay so you can see also that based on the minimal assumption we don't get the best which is two we get only four rounds even in the serious model okay and that concludes my talk thanks questions and so that concludes the session and the next session is actually a joint session that's going to be happening upstairs I believe