 This is an efficient scale of constant run MPC via GAPL 3 cores. By anneal and airplane, you can obtain anneal or anneal. Anneal will give us a talk. So, my name is Anneal and I am going to talk about efficient scale of constant run multi-party computation via network circuits. This is a joint work with the Kudalindel and the Vanoway. This is my talk plan. First, we have a little bit of motivation. Then I'll go over the basics of GAPL circuits. We also protocol a kind of multi-party problem. After that, I'll talk about keyomorphic several random functions and show how they are used in a new method for multi-party labeling and I'll conclude with some experimental results and then open question. So, what is a key multi-party computation? Well, basically the idea is that the set of parties wants to compute a function of their inputs without revealing all the output. However, some of the parties might be corrupt. For example, you can think of an option where each bidder is supposed to give only one bid and the option he wants to sell an artifact to the highest bid. So, there are some desirable properties that we might want. For example, we want correctness. We want the highest bidder to receive the artifact. We want privacy. We don't want the bidders to reveal their bids unless they end up making bid. We want independence of inputs. We don't want the bidders to place their bid according to the bids of others. We want fairness. What this means in secure computation is basically we don't want the corrupt parties to receive the output first and then maybe abort the protocol. We might also want guaranteed output delivery and, of course, we want everything to be efficient. So, in this work, we focus on the efficiency part of the protocol. So, most multi-party computation protocols basically first encode the function as a boolean or a semantic circuit and then compute input and secure computation as a circuit. So, if the inputs are known, revealed, it's fairly simple but in secure computation, we, of course, don't want to reveal the inputs so the parties somehow have to mask their inputs and then in each gate, using these mask inputs of the gate compute mask outputs of the gate and go forward in the circuit until only the outputs of the circuit are revealed. So, basically, the question is how to mask these inputs and how to compute at each gate the mask output using the mask inputs. And there are two approaches to this. The first approach is the garbled circuit approach such as in Yao and the bigger Macaulay-Ramoy protocols in which basically the entire circuit is garbled or encrypted and in parallel and sent. So, this has a constant number of rounds of communication between big rounds. And the second approach is the secret sharing approach such as in GMW, BGW and speed. The parties secret share their inputs and then in each layer of the circuit they compute, they interact in order to compute shares of the next layer. Okay, so this doesn't have constant number of rounds but it does have lower values. Okay, so there are somewhat incomparable approaches and in this work we focus on the garbled circuit approach. So, there are two main types of adversarial behavior, how we model the corrupt behavior. So, there is the semi-honest behavior in which the adversary follows the protocol but might not try to learn some private information and there is the more realistic model which is the malicious model which the adversary can deviate from the protocol architecture. So, this model is more realistic. The malicious model is more realistic and it's harder to achieve. It's also sometimes interesting to focus on the semi-honest model as we do here. One reason to do so is a two-step method is first to generate, to show that we can improve in the semi-honest model and then maybe in the second step, improving the malicious model and this has been a good strategy in the past that I'll show in the next slide. So, some implementations of multi-party garbled circuits that are based on the B-Vermicolor-Garbled Protocols. So, the first implementation, which is actually the first secure multi-party implementation just less than a decade ago, was fair play in IP. Last year, we did an optimized implementation that implements the free source by the political guideline which was secured as M-1 parties and the malicious model there was a work by the combined BMR speeds but this was a little bit slower but the state of the art shows actually that there's almost no overhead going from semi-honest to malicious. The state of the art, basically, the work which you saw yesterday by Haldai et al. which extended that work and worked by William et al. Okay, so basically, they showed that going from semi-honest to malicious gives almost no overhead. So, BMR is great and it has a lot of advantages. It's constant rounds, circuits are free. There's a lot of encryption, so that's very fast. It can be secured to M-1 parties. So, it's extremely fast for small to medium number of parties but there's one caveat. Each party has to encrypt the keys of all parties. Okay, to illustrate this, let's first go over the output. Basically, the output key is somehow encrypted using the input keys. Okay, and this would be the government key. Just a traffic, think about it. So, when we go to the multi-party case of BMR, instead of one key, basically each party is going to have a key, so we're going to have M keys. And when we want to encrypt it, each party is going to encrypt the keys of all the parties. So, this shows that there is some quadratic blow-up. Okay, and the small data comes big fairly quickly when the number of parties increases. Okay, and you might think that maybe we can distribute the computation, but when we think about it in the online phase, the evaluating parties actually perform all the computation locally. Okay, so, that basically means that the online time grows quadratic in the number of parties. And so, for a very large number of parties, the amount protocol is going to be impacted. Okay, this is actually a good one. The previous one, it just shows that when the number of parties increases, the running time does indeed grow further. Okay, the online-riding time does indeed grow further. Okay, so, our results. We show our new way to extend the output of our resetting based on key-on-morphic standard functions. The keys are summed instead of being concatenated. I'll explain this later. What this means is that the key-right does not grow, and so the online computation does not grow in the number of parties. Okay, so, this was suggested before, but it wasn't based on key-on-morphic PRFs. And the problem with that is that you have to compute in the offline phase the entire encryption. Okay, that's impractical. Here, because we're using key-on-morphic PRFs, the offline is only going to be computing a very simple arithmetic circuit in multi-party computation. And we did two instantiations, one based on DDH, the other based on WD, we implemented, we did some optimizations, and we have experimentation and showed that it does not perform a highly-optimized BMR for a large number of parties. But we have some automation. Let's go over the basics of governance. We have two parties. One is the garbler, one is the evaluator. So the garbler is going to somehow encrypt or garble or encrypt all the gates in parallel. So all we need to understand is how to encrypt a single loop. I think that we have a gate, for example, a hand gate, and it has a truth table. And now the garbler picks for each wire of the circuit two keys, one corresponding to the zero value and one corresponding to the one not. And the garbler is going to encrypt the keys of the output wire using the keys of the input wires according to the truth table. So for example, the output key zero will be encrypted under the pair of keys zero, zero, zero, one, one, zero, and the output key one will be encrypted under the pair of keys one, one. Okay, now the evaluator in the online phase, if you receive the keys corresponding to one and zero, you can encrypt and receive the key corresponding to zero. This is completely unsecure because the evaluator should not know that the values on the wires should not know that you receive the keys one and zero corresponding to the value on the wire one and zero. So what it's done is called the key that the evaluator sees in the online phase doesn't correspond to the real value but it corresponds to some external value which is independent of the real value. Okay. And when we go from the two-party setting the difference is that parties actually have to perform the governing collaboratively and some MPC sub-protocol. Okay, this is to protect that the garbage won't collude with an evaluator and we will secure it. So the multi-party computation. The evaluator is basically in two phases, the offline phase in which the party is used and MPC sub-protocol to compute the government circuit and then in the online phase the parties exchange the garbage inputs and cost-party keys each party or an evaluating party locally computes the output circuit. Okay, so the previous solution is the BMR government circuit. The idea of course is to increase the amount of my older party to choose its own key and the keys are somewhat connected. Okay, this was how it was spent in the original BMR work. And now each party chooses two random keys instead of just one government party and for each gate and each row each party encrypts the keys of all the parties. Okay, so we have total number of decryptions is over and squared per gate. Because each party is encrypting the keys of each other part. When we go to the evaluation we have first the two communication nodes to exchange the government keys and then each party has to do or each party or any party has to do all the decryptions by itself so basically it has to do over and squared decryptions per gate. This shows the quadratic complexity, so now that we understand the problem, let's see how we can process all of it. So what are key homomorphic seven random functions? Well basically it's a seven random function which has in which the domain of the input keys and the domain of the output of the functions have group structures which have this nice homomorphic property fk1 of x times fk2 of x and equal to fk1 plus k2 of x. So let's see an example. The first key homomorphic seven random function was based on the deviation around the monocle, by now I think as an angle because the function is very simple fk of x equals to x to the power of k, this is not a seven random function, just a weaved seven random function. It's indistinguishable if we take random inputs and we see that it has this nice homomorphic property which fk1 of x times fk2 of x that is equal to fk1 plus k2 of x and they use a random homomorphic to go from a group qrf to a group qrf. Bonnettal and Bonnettian I deduced a few homomorphic seven random functions also was now a random homomorph based on lwe and bring them up. So the new method for multi-paragarding they give to some the keys instead of concatenating them so this means that we're only going to have a single decryption at each gate and the key light is not going to grow and it results in some sort of yaw-like argument. So the idea as I said was that it was suggested in the past but the difference was it wasn't based on the homomorphic prfs so there was a problem we need to compute the entire encryption in multi-paragard computation this would mean a very huge on-flying computation and it's not really practical so of course the solution is to use the prfs. Now the prfs themselves are locally computed by the party each party computes its own prfs and all the parties need to do in order to compute the garbled circuit is compute the homomorphic property so this big circuit that we had sort of shrinks and we get this small but circuit in which the sum of the output keys are encrypted using the sum of the output keys at the party now when we decrypt the parties are going to receive the sum of the output keys but they don't actually need to know the individual keys because they're going to use the sum of the output keys in order to decrypt the next key. This is the overview so some experimental results new random experimentation we increased the number of parties up to 500. Notice this is only online computation time so this is run locally and on machine without the communication the circuit was generated locally and this is just the online computation time so the blue line of course is the VMR which grows programmatically at the right time and the dashed lines are the dashed lines are based on VH so the first one was VDM authorized and the second one is with optimizations for example you can pick up some of the experiments then these are based on the speed log with short extra what this means is that the keys are short so but this is not known to me if the keys are sufficiently long for example 256 bits this is not known to me more of a weakness but if we go to 160 bits this only gives us for example 80 bits of security because there are no squares and here we have for example the current point is around 75 parties and as I said this gives us only about 80 bits of security and also it's a prime which is only 124 bits long so it's not very secure I guess the ring of WDM division leads to all these so let's see when we want to increase security we probably use the key size of the base 256 so we get 128 bits of security and then the question is which kind of which side of the prime we want so I think today it's just 2048 approximately 128 bits and so here the current point is approximately 185 and so an open question the main problem with the non-institutions they're not in characteristic two these kilomorphic are not in characteristic two this has a lot of problems first of all there's no fluid soar there are a lot more off-line arms and it's hard to compute that with this transfer and overall it's just efficient so I think for me the most interesting of the question is if my instantiation and what I need my instantiation is not only just but also kilomorphic PRS that can be used in our product what does that work efficiently so maybe DDH over elliptic curves in which we know there are kilomorphic PRS or maybe ring LPN which I don't know if it can work but could be super fast if it does or maybe some other suggestions thank you very much comment do you want another one? no okay I noticed that you mentioned that a protocol by cats is different from your protocol you can just give some questions I actually asked I don't know myself I know that it's different I asked yesterday I understood that the main difference is that it's somewhat asymmetric they not this one it's somewhat asymmetric so one party does the evaluation so only the other parties do the normally and also because of that they don't have the key so they also have to generate its external value and put it in so it's slightly different as I understand it I don't really know more questions? okay very good questions let's start with Andy