 That's yeah, that's me excellent. Thank you. So indeed. I'm going to talk about the speeds to k Okay, excellent. No problem. Thank you Okay, and Before I get started I would like to introduce what a multi-party computation is because it's the first talk on the multi-party computation is session So very quickly imagine a setting where you have four parties Alice both Charlie and Dave and each one of them has a secret x1 up to x4 so One way and they want to complete a function on this on this input So one way to do this is everyone sends their input to a trusted party who promises not to reveal anything else But the actual output of this function see so what we want to multi-party computation is to achieve like the same sort of security but involving only a communication between the parties and There are several ways to achieve this it all depends on how you model the circuit and what is the security model that you Want to achieve so for example if you model the circuit as a circuit over f2 So that's a binary circuit that you can have different approaches like garbled circuits or VMR Which is a generalization for a multiple number of parties GNW and so on now if you want to model the circuit over a finite field of any Characteristic you can have bgw You can have a protocol like the dosa or speeds or mascot that work in the dishonest majority setting Or you can also have another sort of protocols that work in the honest majority setting based on Shamir's secret shared However, all these protocols work in the setting of field because fields have many nice properties They are very nice when it comes to invertible elements when it comes to a properties about random elements and Few works actually at with the case of computation of a ring like C2k the integers model of to decay with Arctic security Why do we think this is an important case of a study well the first from the practical point of view It's very natural because it's closer to what a standard CPU that do so it's very Natural to think that if you do computation model or two today for example 64 or 32 you're going to get an efficiency improvement Because you don't need to reduce model of P for example 2 to the 64 plus 13, which is a prime You don't need to do this every time hey that you run your computation also It allows you if you already have a program ready in C or in C plus plus for example That a allows you to do some computation on data types that are a model of 2 to the 32 or 2 to the 64 It should be easier to compile this type of program into a circuit if the is the modulus is exactly the same And finally there are some functions that are very natural to implement A model of 2 to the some power like beat the composition beat comparison and so on if there are functions that work at a level of bits So if you have a protocol that works in this setting it will be very natural to shift these functions to a secure implementation Also from the theoretical point of view is a very interesting problem to study So there is a gap in the theory of MPC We know that we can compute absolutely everything because we have like every circuit if it's a over a field It's complete But if you are trying to emulate like a circuit model of 2 to the k using a circuit model of prime You will always have this overhead of taking model all the time So what we like to avoid is that we like to show is it's a protocol that achieves this without this overhead And of course just for fun is like an interesting problem to take a look at these rings are very strange compared to the fields So it's like a lot of interesting properties arises in this work And there are some works in this direction We're not the first in taking a look at this so a cramming at all in Europe 2003 They show a feasibility result that this is possible in the setting of an S majority They develop a protocol using only black box operations of the ring or so only addition and multiplication We have also booked an overall in sRx 2008 and actually it all in CCS 2016 We use replicated secret sharing which is not dependent on the off a field of structure to get computation over this field However, it doesn't scale to well because it precisely is replicated secret sharing and it only has except one corruption finally, there is a work that will be presented after mine, which is a Compiler that takes a passively secure protocol that works over any ring and compiles into an active one So that is suits perfectly in this setting the problem is that the number of corruptions gets lower down by like a square root Sort of so it's not like a very complete result in that sense So Why is it so difficult to develop a protocol in this setting with many practical solutions of this honest majority MPC? require the use of message authentication codes to make sure that everything is correct and These things work very nicely over fields But when you take them to this ring setting you have a lot of issues because you have like zero devices So numbers that multiply together gives you zero even though each number is non-zero You have non invertible elements, which is a very Knowing issue and you also have this interesting property Which is that taking the dots product is not a two universal hash function, which is something that is very standard over fields And we use all the time though It's been an open problem due to these kind of issues of working over this ring to develop an efficient homomorphic authentication scheme That is homomorphic over this setting What do we achieve in this work? Well, it's precisely this question I just named so a we develop a new additively homomorphic authentication scheme Over this ring The solution is actually very simple when it comes to number theoretic tricks So we use very elementary number theory and also it's quite efficient Which is like a good feature and we also perform a fine-grained analysis of the batch mach checking as I'm going to show later on the slides We also show how to generate triples Our computation will be in the preprocessing model So we will triples where to handle the multiplication gates we show how to generate those and It's roughly twice it involves probably twice the communication of mascot if you're familiar with the mascot protocol for this honest majority And with these two tools and also another like the small tools that we need to use We can develop a protocol for this honest majority NPC over this ring Our protocol is quite efficient It involves asymptotically the same operations that the parties will do if they are competing the circuit on the clear so that's a nice feature and It's also a it's also expected to be quite efficient because we are doing our competition a competition's modular to this 32 or 2 to the 64 Just to cite an example Okay, so that's a roughly the introduction of what we achieve I'm going to show how we did it but before that I need to start with speeds Which is the protocol where we base our protocol on top of so this protocol is a protocol for this honest majority And he works over fields and basically it goes as follows So the key ingredient of the speeds protocol is something that we call a Secret sharing so to secret share a value X where X is an element of a field What we do is that each party will have a share Xi such that the sum of these Xi's gives you X So this is an additive sharing of X. So if they no more than n minus one part is get together They won't learn anything about X only they actually have all the shares But on top of this we also have an authentication mechanism by means of this key alpha So we have alpha which is a random global key And they have also additive shares of this random global key And finally they have also additive shares of the tag of X the tag is alpha times X This will allow the parties to make sure that when something is open this value is indeed correct Something important about this scheme is that is linear in the sense that if you have secret share of X You have secret share of Y and you want to compute secret shares of X plus Y It's just a matter of adding things locally except the Mac key because the Mac key is global But you add the shares of the tag and the shares of the value and that will give you a shares of the sum The same with multiplication by constants and the same with a addition by constant You can do these operations locally, which is already a nice feature of the secret share Now once you have these two getting a computation in the preprocessing model is not so hard So the input phase you need to preprocess some values So for the input phase you use random values are I such that party I knows the value are I and our I is secret shared And you open the value so party I will open the value X I minus our I which is okay because our I is random So it in so it masks the input X I and then they do this a local operation because of the properties of the secret sharing scheme To get shares of X I so that secret shares the inputs of each party Then you run through the circuit computing gate by gate addition gates are for free because the scheme is linear And multiplication gates are handled by mean by means of this nice trick They be able to put a trick which is if you open X minus if you have a triple which is preprocessed and we secret shared ABC where C is equal to N times D you can just open X minus a open Y minus B This doesn't reveal anything about X and about Y and then you can you you can perform this affine operation For free using the properties of the linear scheme of the linear secret sharing scheme Finally you need to open things you as I say be here You have to open X I minus our I you need to open X minus I and and at the end you want to open the output also because you Want to get the output of the computation so what you do is that essentially each party announced their share This is x1. This is x2. This is x3. This is x4 And then they just take the sum and that's X because that's how X was constructed by something from the shares Now the problem is that Alice can just choose to lie about about a bit share You can say my share is not x1, but it's one plus one So that additive error is going to be reflected that in the output at the very end and we don't want that so to avoid this kind of attacks We actually show we actually use the tax that were done directly that were used at the beginning so Part 1 is going to compute C1 equal to the share of the tag minus the share of the Mac key times the value That was opened the same with C2 the same with C3 the same with C4 And they're going to announce these values Okay, I didn't mention this in the x they'll commit before opening so that we know that all the shares are unrelated and then Once they open this value they check that the addition gives you zero This should be the case because if you think about it the sum of the mice is alpha times x by construction And the sums of the alphas gives you alpha is the same mix in all the operations So it should be alpha times x minus alpha times x and that should give you zero Now what happens if the adversary actually tries to cheat we can show the following So if an adversary tries to open an x prime that is not x so x plus delta into this is an error And also tries to lie about this Commitment in about the max z Then we can show that the adversary knows a big delta and a small delta such that delta times alpha gives you equal It gives you a big delta this can be seen as a forgery to the actually Mac in the line max key And then you can solve for alpha You can take the inverse of delta and this gives you that alpha is equal to delta inverse times big delta so the adversary knows alpha because the adversary knows everything on the right side and Since alpha was chosen an informal random the probability of this happening is one divided by the size of the field And if the field is large enough then we can show that this is negligible Which is essentially the security argument speeds and mascot and all the protocols of similar nature. I Want you to notice that this doesn't translate directly on the setting of modulo 2 to the k of integers modulo 2 to the k Simply because we cannot take the inverse of delta Delta may not be invertible in fact We cannot argue that this equation is satisfied with low probability because it can be satisfied with high probability A small delta for example is 2 to the k minus 1 What is the probability that something times 2 to the k minus 1 gives you 0 if big delta is 0 That's something that alpha only needs to be even so it's one half probability of this equation being satisfied So the adversary can cheat with high probability So what do we do in speeds to k to overcome this issue? This sentence hopefully a summarizes it all So the computation is going to be done in a larger ring in z 2 to the k plus s for specific parameters Think so think of k as 64 and nest as another 64 So we're going to do the computation modulo 2 to the 128 However, the correctness is not going to be to be guaranteed on this model It's going to be guaranteed in a smaller modulus say modulo 2 to the 64 So that's the whole approach that we take More precisely so to share a value that is In c 2 to the k what we do is that we have just like before additive shares But additive shares not of x but of x prime So we had additive shares of a value x prime these shares are modulo 2 to the k plus s But we actually care only about the lower k bits So we know that x prime is going to be congruent to x modulo 2 to the k not 2 to the k plus s Other than that is essentially the same So we have shares of the Mac key alpha and notice that alpha is in 2 to the s not to the k plus s we as we will show in a minute, this is enough for purposes and Also, we have shares of the tag just like before so essentially everything is the same But we are just considering the size of the shared value as being smaller as being 2 to the k not 2 to the k plus Why is that this sorry, this is the intuition about what is going on So we have shares of x prime this is x 1 x 2 up to x n, but we only care about the lower k bits Or only care in the final output, but the whole computation is done modulo to the k plus s So why is this actually why is that this actually help? So let's say perform the analysis that we did before in the field case But now in the ring case so suppose that there is an error So the adversary opens an x prime that is not x, but it's x x plus delta So for it to be considered there an error for it to be wrong Delta has to be non-zero, but not only non-zero. It has to be non-zero modulo 2 to the k Because if it's zero modulo 2 to the k, then maybe the adversary cheated in the upper s bits But we don't carry the adversary cheats there. We only carry the adversary cheats in the lower k bits So this error is non-zero modulo 2 to the k now if the check passes this equation is satisfied just like before Now I'm going to try to convince you that if with these two conditions Actually the probability that this equation is satisfied is low Which is what we didn't have before because before Delta was large Delta was a Sorry Delta was no zero modulo k plus s, but here is non-zero modulo k 2 to the k Which is an additional property we have So how does the analysis goes so we have alpha times Delta equal to big Delta modulo 2 to the k plus s What we know about these guys is that alpha is not all of it is random, but the first s bits are random I'm taking k to be equal to s here for simplicity So we know this is the blue region and what we also know about small Delta is that small Delta has some zeros on the less significant Bits, but it doesn't have so many zeros It has to face it has to encounter one at some point below this line here Because it's non-zero modulo 2 to the k otherwise it will be zero modulo 2 to the k So these red region as a property that the less significant bit is one and it's easy to see that big Delta also has the exactly the same shape Then what we can do with this equation is just shifted down Divided by 2 to the v where v is the number of zeros that we had in this lower region So when you shift it down everything goes down the left side goes down the right side goes down and also the modulo goes down by v bits and the cool thing about this equation is now that Delta divided by 2 to the b is invertible because the Less significant bit is one so it's it's an odd number and not numbers are invertible modulo any power of two So we can now take the inverse of it just like we did in the field case so this is what we do we take the inverse of it modulo 2 to the k plus s minus b and You can see that alpha is equal to something that the adversary knows this is known by the adversary so it means that the adversary has guessed alpha and Since if we take s to be large enough this only happens with probability to the minuses which is negligible This is really the argument that we take in our approach I'm just going to write it very formally here or at least a little bit more formally So you take and divide the equation by 2 to the v I will be the largest integer that divides a small delta Now delta divided by 2 to the v is invertible You can send it to the other side and then alpha was guessed essentially that's does the argument You know work and this trick we apply it over and over again to achieve all the security checks to make it to make them work So we have this is the overview of the protocol once we have this trick So we have two phases an offline phase and an online phase in the offline phase You have to preprocess some data You have to generate some random authenticated values in order to be able to share the input as I show initially with speeds You also need to preprocess some multiplication triples which are necessary for the multiplication gates and you also need to generate shares of the Mac key alpha and also you need to implement some functionality that allows you to authenticate values as you need them and For the only phase you need to actually make use of this Preprocessing you need to distribute the input using the values that were constructed in the step one of offline phase You need to compute shares of the values of the circuit going gate by gate again addition gates are for free multiplication gates require the multiplication triples Finally when you check correctness of the you need to check correctness of every open value that You partially reconstructed on the circuit You can do this by checking every individual Mac or by performing a batch Mac checking which I will show in a minute So this is the overview of the protocol But from this point of the talk and we're just going to focus on two main parts of it I'm going to focus in the multiplication triples and I'm going to focus in the batch Mac checking And I'm going to begin right now with a batch Mac checking So what is the batch Mac checking as I said you have to open many many values for the input You have to open values for the multiplication gates you have to open values also for the output itself You have to open values and it's time to open it involves some interaction it involves some communication that a At some point that if you do this every time it's going to be not so So efficient to do it Moreover, there is something that I haven't mentioned which is a every time that you open a value that you check correctness You have to mask the top a spits just to be able to realize the functionality that we have in mind So this mask involves some authenticated random value and this also takes some communication So we want to avoid checking each value each time that is open This is a standard technique when you have to check a values in MPC The typical solution of our fields to avoid checking every single value is just you have t values to check x1 up to exceed You don't know if they are correct Then you apply the principle defer result and you say okay, then if there is at least one of them But it's not correct I just take a linear combination of them and with high probability this linear combination is not going to be correct either So I can just check this linear combination instead of checking each one of them So this is what you do over fields and the argument of our fields is very straightforward You say okay if one of them so delta i's are the errors of each xi and the errors also get aggregated Using the same linear combination as delta equal to the the combination of the delta i's now first argument is delta is non-zero with high probability and This is very straightforward to prove over fields. It's a very simple argument just involving a The it's just involves the fact that taking the dot product is a two universal hash function The second argument is if delta is non-zero then the check passes with low probability, but that this we already showed before so This argument is very straightforward over fields. What do we want to do in spits the case essentially do the same? But the problem is that the analysis gets trickier because Now in this setting we cannot just simply argue that taking that product is a universal hash function because it's not so We have to apply like a different set of tricks to achieve this Basically, there are two ways of doing this in our setting So let's even the event in which the check passes so this equation is satisfied So one way to do it just like we added another register of s bits to our numbers to ensure security We can add another s bits and this will allow us to to to prove That the function is a two universal hash function sort of and this should be fine enough for our purposes And you can do this indeed, but if you do this you get a probability of 2 to the minus s half Not by adding twice the s by dividing s as s half plus s half So you get a probability of 2 to the minus half Which means that if you want an error probability of 2 to the minus 80 you need to set s to be 160 which is something that which is very large because you already have all to the K So K 64 is 160 this will give you a value that is that's a very large for application So what we do instead we do a more fine-grained analysis We get this probability which is much better So 2 to the minus s and 2 to the minus s plus log s So you still have some loss of security beats It's not exactly if you set s to be 80 it's not 80 bits of security you get you have to subtract the log of s But still not so bad you need to subtract 6 or 7 So you set it to be a little bit larger if you want a security of 80 bits Okay for the details of this analysis, I would like to refer you to the paper But the analysis is really straightforward. You just need to apply this trick like in a more clever way And finally, I would like to talk a little bit about the multiplication triples It's going very fast through them I'm just going to keep the slide and going directly to this one. So the way that they There we take them the approach that we take for the multiplication triples is the mascot approach in which we use of tea So we have basically four steps in the first step We run out to get shares of C equal to 8 m speed to get additive shares Where the bold symbols are vectors So C is a vector a is a vector and B is a number. So essentially we get many many triples But using the same B for all these triples. So this is what to say. This is the first step and you do it We use you do it using a bit of transfer The second step is that you don't want vectors. You actually want numbers So to get numbers you collapse them down taking a random linear combination Just one remark here is that in mass because you can do this just by taking numbers and this is okay But if you use numbers you cannot use the leftover hash lemma to actually argue a randomness Because it doesn't hold like that in this setting of c2 to the k instead You have to take a to be a vector of bits so that taking a random linear combination Corresponds to taking a random subset sum which is indeed random. So there you can actually apply the same analysis So you collapse them down taking a linear combination and then you authenticate them using this a Mac functionality I mentioned at the beginning you need to authenticate values and then you sacrifice to sacrifice You also need to apply the same trick of going over a larger ring and so on to make sure that things are correct Sacrifices just a step in which you take one triple to check the correctness of another triple and then the first triple discard Okay, then I would like to conclude now So a it is what we have developed a protocol for efficient by multi-party computation in the dishonored majority setting Modulo 2 to the any power in fact modulo any prime to any power We just focus on the case of 2 but this extends to any part any prime we introduce a number of a set of number theoretic tricks to Overcome the issues of working over this ring and we have given the first efficient a homomorphic authentication scheme over this setting Which may be also of independent interest? Now some future work which is important to mention so we didn't give an implementation So it's important to give an implementation and to actually give some performance numbers Our online phase is expected to be fast because we are doing operations in native data types like a 2 to the 32 or 2 to the 64 But the preprocessing is theoretically slower by mask than mascot by the simple Reason that our data types are larger. So you want to do some commutation side You need to always add this additional register We also have developed a it's important to develop soft protocols for basic primitives You want to use MPC in any meaningful in in any meaningful way You need to have like a set of primitives for a quality testing or comparison or beat the composition or shifting and so on There is a huge line of research in this direction But most of it only works over fields because you need for example the simple reason that you need to divide by 2 Which is not something that we can do very easily over the setting So this is another line of research that is very interesting in the setting and finally This is all in the setting of this honest majority So it's a very natural question whether or not this can be extended to the set of it to the setting of honest Majority or T less than and thirds where you have to use Shamir secret sharing which doesn't extend directly to the setting of Rings And with that I would like to conclude. Thank you so much