 Hello everyone today. I'm going to talk about constant round MPC with fairness and guarantee of output delivery I'm from Hollywood from Florida Atlantic University and This is my co-authors are dope from George Mason and Elaine from Cornell and this work was done Well, all of us were affiliated with University of Maryland or partially affiliated and then afterwards we we all moved But we thank UMD for a generous support Okay, so Basically multi-party computation allows different parties to jointly compute on their private input without revealing them and There are several basic properties like correctness and the privacy which we are all familiar with and Additionally, there are some properties about output Delivery such as fairness and guarantee of output delivery and security with a board which capture different levels of security we want and Intuitively fairness means The adversary can learn the output only if the honest parties do so if he learns the output that implies the honest parties learn the output and Guarantee of output delivery is Stronger in the sense that the adversary cannot prevent the honest parties from learning the output So no no matter what he does the honest parties receive the output and security with a board is a Relaxed notion where it's possible that that the adversary learns the output But the honest parties do not So in this work, we ask what's the wrong complexity? So wrong complexity is a very simple measure of efficiency of a protocol so There are many many models of like to count how many rounds and in this work We count how many broadcast does each party need assuming there is a simultaneous broadcast channel so Everyone can broadcast something and then we count this as round one and then everyone broadcasts another and this is round two and we assume like you either Send something or you abort. So this is very pretty simple. So there is no like scheduling or whatever so to just make the question like simple, okay Previously so what do we know about round complexity? So for security with a board, we know this like quite well. So for any threshold AJWLTV previously showed there is a three-round protocol based on LWE and Garg at all showed like There we can reduce one round Assuming I owe and very very recently Predier and Daniel showed how to Design a two-round protocol based on LWE and this is concurrent to this work but for fairness and guarantee of output delivery, so things are a little bit Tricky and the work Was rather Less studied so previously Cleaves showed it is impossible if there is no honest majority and BGW showed fairness and guarantee of output delivery both are achievable regardless of runs and AJWLTV showed their protocol can be extended to five run Achieving guarantee of output delivery So one interesting question was can we further reduce the run say using the Garg at all their compiler and in their paper they should they said yes in one sentence So this motivated us to study like to delve into the question of how and in fact a Genaro is shy Kushelevic and Robin showed it's impossible for to run a Protocol against rushing fail-stop adversary or malicious adversary But before when we wrote this paper, we were not aware of this work So anyway, so we showed another way to prove impossibility results saying two round is Impossible even against fail stop adversaries in this CRS model So fail stop adversaries is very similar to the semi honest Adversary so who basically follows the the prescribed strategy, but he can Except he can just abort so The only thing a malicious thing he can do is to abort So our impossibility result is slightly the the proof is completely different and The quality is slightly different and I won't discuss here, but like I will show you a little bit how Okay, and for feasibility result we construct a three-round Protocol for general functionalities in the CRS model. So first we work on The fail stop model and then we can up upgrade the protocol to the malicious model and Additionally, we showed the compiler of God Garg all Only requires witness encryption for general MP statement, which is a weaker assumption than I offer general circuits in this talk, I will focus on the impossibility result and the feasibility result so Our impossibility result for two-round protocol is based on the impossibility result of VBB obfuscation So basically we show suppose there exists a two-round fair protocol And then there exists a VBB obfuscator for general circuits, which was shown impossible by Barak at all. So let's take a look at some intuition about like this proof So suppose the first party doesn't send the second message here so suppose he holds this message and Here he already by the correctness of the protocol he learned the output So by fairness the other parties should learn the output Because the the adversary like the first party who didn't send the output already learned the output So this is by fairness and this implies the second message of Sheldon Sheldon is the first party is redundant So we will use this fact to show the impossibility to construct a VBB obfuscation as follows So consider a functionality F on input C X and Z output C of X where C is a circuit So the obfuscator just simulates the first party's message So this I claim this is an obfuscation of C and security here is easy because by the multi-party the protocols security so Intuitively all the other parties should not learn about the input C But the tricky part here is how to evaluate the circuit because if you encrypt something Yeah, usually typically we don't claim this as an obfuscator because you cannot evaluate it So here you you are given the first message. So how do we evaluate this circuit? So the evaluation Takes input X. He can just simulate the other two parties Where the second party holding the input X? So why can he the evaluator learns the output? This is because The protocol is fair. So by the previous argument saying like Sheldon's second message is redundant so if If you are given all the transcript here, you can derive the output. So this is why How the evaluator works? so so by this argument we can formulate formalize this argument like and Prove that this is indeed a VVB obfuscator So so we showed to run protocol is impossible Okay, so to run is impossible. So the next question is whether we can construct a three-round protocol, which is like Yeah, pretty natural. So We observe that fair if you want to construct a three-round fair protocol It's fairly simple because you can convert any T run protocol From security with a board to fair NPC in the honest majority setting So the idea is very simple so let f little f be the function that we want to compute and Let the big F be the functionality that outputs a secret share of the output so in the first T runs you run the Security with a board protocol and in the last round you just broadcast the the shares so if the attacker attacks the First T runs and he learns nothing and the party just a board and if he attacks the last run and that's too late because honest majority can already recover the message that the output so this like So as a corollary We show that three-round fair protocol is possible So if you use the IO Protocol from guard at all and then you get a three-round fair and PC based on IO and similarly you can construct from LWE So the next question is how about guarantee of output delivery, which is it's a stronger property than fair fairness So previously Cohen and Lindell showed a fairness implies guarantee of output delivery regardless of runs So the idea is basically you just run the protocol and you kick out the aborting parties because and gradually and then you will like Eventually you will receive the output and but as I said this Increases the round complexity. So can we get Round optimal solutions So before doing before presenting our construction I want to like take a look at a previous approach by AJW LTV So in the security with a board because I will use this structure as my protocol So basically Their approach is in the first round They do a like they use a distributed version of fully homomorphic encryption So in the first round, they generate a common public key Which is can be viewed as a secret additively a secret share of their PK one PK two and the PK three and PK is a fully homomorphic key and In the second round, they just encrypt and in the third round They evale and then do a threshold decryption Okay, so to make this a scheme guarantee of output delivery, they also do a secret sharing They secret share everything in the first round and if the attacker Aborts at some point and everyone The honest party reconstructs His message and then resume So this requires a two extra rounds in the worst case because there are two places that the honest parties might need to reconstruct and This seems inherent because everything is with respect to the common PK and Which is as I said is additively shared among all parties. So in order to Proceed to the end you kind of need The information from all parties. So if someone aborts you need to reconstruct him So our intuition is to avoid this Common PK in the first place because people have already committed to the common PK too early So this is like why their scheme needs Two extra rounds So we take another approach. So we define a new threshold fully homomorphic encryption and in particular that our scheme has flexible cipher tags in the following sense a party can generate a Flexible cipher tags I call C flex with respect to all the pk's and later on Anyone can transform a flexible cipher tags into a homomorphic cipher tags with respect to a set T So this set T is a subset of N So and this C homomorphic is with respect to PK sub T. So which says like all the public key in this set T and then C homomorphic is Is just a FHE cipher tags and it can be computed homomorphically and Also, we need a to design and and Half and out of n threshold decryption where a majority Can decryp in one run previously It's n minus 1 sorry n out of n threshold decryption. So we need to modify like the decryption process a little bit Okay, so with this new our new threshold FHE What can we do? So instead to establish a common pk We just ignore the common pk because that was like established too early and then Parties encrypt flexible cipher tags So those cipher tags are not committed to a particular pk yet So in the third round people parties should Transform first with respect to the set of non aborting parties and then evale and then do a threshold decryption So let's see what if the attacker attacks So if the attacker Aborts in the second round Then he is simply kick out because his cipher tags is useless and the other So the other parties can just transform the cipher tags with respect to the non aborting set and if the attacker Aborts in the last round. That's already too late because We have an n n half n out of n threshold decryption So so that if he aborts there and that will be too late Okay, so now We are going to present our new threshold FHE basically, this is a variant of the brilliant scheme of GSW by gentry as the high and the waters so our CRS common reference string is basically a random matrix and each party outputs pki sub isl and LwE sample so basically is si a plus some noise ei and we define the matrix bi as this a Conquering it with this vi. So to encrypt we just output and a GSW cipher tags, so this is from for party i so it's bi times Small matrix r and plus x i Times g so we think of x i as a bit, but like yeah, you can it can be generalized Yeah, so this is just GSW and additionally we output some helper So additional information this vj for j not equal to i and vj equals vj times r bj is like the public key of party j So to transform It's also very easy. So basically given the GSW cipher tags and we do a sub there some of the helper so and this T you we just think of this T as the non aborting parties and just by unfolding the equation and we get this and then very very luckily we find it like the it results in a another GSW cipher tags, so Because it it is off the GSW cipher tags the form of GSW cipher tags. It can be homomorphic Evaluated Okay, so So the last bit is to design a threshold decryption so Now I'm only presenting the intuition and so the intuition is basically the decryption is Just computing inner product of the cipher tags and the summation of skj where j in T so we can just use a Similar technique the traditional bgw technique and we just secret share this these x secret keys using the Shamir secret share and we can easily design a like computing inner product without Interaction so One additional thing I want to mention is we need to deal with the noise Very very carefully because this is very similar to the previous work AJW LTV Yeah, so in order to prove security if you want to try like you need to play with the noise carefully Okay, so yeah, this concludes my talk