 כן, אני שואל את זה. אז תודה רבה for the introduction. This work was done with Adia Kavya and Dan Feldman all from Haifa University. So I think this work is interesting for infinitely many number of reasons, but I will point out two. One is that we show a useful building block that can be used by other applications or other MPC applications. And the other one it shows a link between Corset and Secure Computation, which are two different areas. So let me explain what I mean. So many algorithms follow more or less these lines. They have n input some things, let's call it d1 to dn, and we want to find a subset of these some things by a filter given by the user, maybe by query, and then we want to report something that we found. So for example the input can be the list of all children in the world and we want to report all those who are good this year. Or the input can be all your email in your email box and we want to report all the emails that are not spam. Or the input can be all the restaurants in the world and we want to report all the bigger restaurants that are less than one mile away from you. So in this talk we are going to assume that there is some e-match functionality that can tell us if an input item is relevant or not, should be reported or not. We are going to assume that an e-match function exists. It gets two parameters, di, the input item, and q, the query. And it returns xi, a binary, either one if the input item should be reported or zero if it should not reported. We are going to assume this exists. We are not going to consider this in Auto. Instead we are going to focus on the last step how to report these items efficiently. And efficiently of course with respect to communication. We don't want to report the entire database. So let us consider a slightly easier problem. Instead of reporting the input item, we are going to report the indices of the items that have passed the filter. So two notes. One, once we have solved the easier question, solving the other question is easy. It can be extended easily. We are not going to discuss how it can be extended. The details are in the paper. And the second note is that the problem becomes not interesting if there are too many indices to report. Because if there are almost any indices to report, then just report. You can just report everything with the same, simplatically, time. So we are going to assume that there are at most s indices to report and s is going to be significantly smaller than n. Ideally we would like the communication complexity to be a function of s. So spoiler alert, it's going to be a function of s and log n. You can't escape the log n. So as the title suggested, we are going to use homomorphic encryption. So we are going to show how our algorithm lives in a homomorphically encrypted scenario. We are not going to discuss how homomorphic encryption works, what is the internal. We are going to treat homomorphic encryption as a black box. So still just some notations and quick overview of what homomorphic encryption is. So it's a public key encryption scheme. So that means that we have an encryption function that given a message x, we can encrypt it and get a cycle text of x. The cycle text we denote with x in brackets. And we have a function called decrypt that gets a cycle text and returns the message inside. In homomorphic encryption, in fully homomorphic encryption we have two more functions. We have ed that gets x and y and returns a cycle text such that when we decrypt it we get x plus y and the function mul that gets to cycle text x and y and returns a cycle text that when decrypted gives us x times y. So just for short notation we are going to denote x in brackets plus y in brackets that is going to mean calling the ed function with x and y, the cycle text x and y and x in brackets plus y, not in brackets that is going to mean encoding or encrypting y and then calling ed with x the cycle text and the cycle text of y. Similarly we have mul, so x in brackets times y in brackets that mean calling the multiplier function with x and y and x in brackets times y not in brackets well that is not a multiplication actually because we can treat it as x plus x plus xy times so this is basically an addition, addition operations. So as you can clearly see with addition and multiplication we can actually evaluate any polynomial on cycle text and we already know that every algorithm can be implemented, can be expressed as a polynomial of its inputs so that leads to an easy conclusion that any algorithm can be evaluated using FHE. The only problem is that the efficiency, the running time deteriorates as the degree of the polynomial gets higher. So we want to keep the degree of the polynomial as small as possible. So let's just brief over our results before we explain how we did it. So the direct approach what was previously known on how to report a sparse vector was a degree of proportional to d times n where we reduce the degree of the polynomial to d. Here d is the degree of the ease match functionality. So we have to have d, we cannot escape d if we want to apply the ease match functionality. In our solution the communication complexity is a little worse s squared times log squared n as opposed to s log n and the client needs to work a little bit harder to decode the output. So let's have an example in mind, suppose that Dunkin Donuts wants to have a service where you give them your location and they report to you what are the restaurant, Dunkin Donuts restaurants that are less than one mile away from you but of course we want to keep our privacy so we don't want to tell Dunkin Donuts where we are but we still want to know where the nearest restaurants are. Obviously downloading the entire Dunkin Donuts database is not feasible especially not when you are in another country and data is very expensive. So here in this example the input is going to be location of all the Dunkin Donuts restaurants in the world that is going to be d1 to dn hdi is the location given as a pair of gps coordinates we will also have a query which is our location encrypted so Dunkin Donuts does not know where we are what is our location it is kept encrypted during the entire protocol the ease match function in this case is going to compute the distance between a gps coordinate of a Dunkin Donuts restaurant and our location and of course this computation is done homomorphically the distance is computed homomorphically and then it is compared to one mile again homomorphically which gives us a binary value xy such that xi equals 1 if the i restaurant is closer than 1 mile to where we are 0 otherwise and we are left with the problem of reporting all the i's such that xi equals 1 so clearly in this example n is very large so I checked yesterday Dunkin Donuts have gazillion restaurants but still in a radius of 1 mile there are not too many restaurants 10 restaurants so here the input is going to be a binary x1 to xn after we have applied ease match and we know that there are at most s ones so the output is going to be s numbers s let's say a vector of dimension s where the first slot in the vector is going to indicate the index of the first one in xi the second slot is going to indicate the index of the second one etc each of these slots is going to be given by a different polynomial so this is the direct approach what was known before our work so let's see what is such a polynomial for the teeth slot in the output vector so it's not super important to understand why this is the polynomial for completeness I will just breeze over it it's not super important so it's a sum for j goes from 1 to n multiplying j by xj by ease equal where ease equal a and b is actually an equality test it returns 1 if a equals 1 and if a equals b sorry and 0 otherwise so the last term in this product ease equal actually tests if there are occurrences of 1 in x1 to xj-1 and if xj is also 1 then that means that j is the index of the teeth occurrence of 1 in the vector so actually this sum actually is eliminated into j star where j star is the occurrence of the j1 so how is equal implemented it can be implemented for example using so ease equal a and b is 1-a-b to the power of p-1 so this leads to and since p is more than n it leads to a degree that is at least n so we are going to borrow a concept from computational geometry which is corset so corset is we say c is a corset of p if c has a shorter representation than p and you can get p from c by decoding c in an efficient way and what we are going to do we are going to compute a corset of x1 to xn the corset is going to be computed more morphically so it is going to be a ciphertext an encrypted corset we are going to send this encrypted corset to the user the user is going to decrypt it with his secret key and then the corset to get back the x1 to the xn so the corset we are going to use is a sketch by Indyk Nego and Rudra they show that there is a sketch matrix an sn sketch matrix that can transform a long vector an n-dimensional vector into a shorter vector we will say what k is in a minute such that x the original vector can be decoded from y the sketch so the sketch is y the s multiplied by x and we can get x back from y by some decoding algorithm so here is an example of a 17 sketch matrix you can see that each column here decodes the binary representation of the index of the column and why is this a 17 sketch matrix because if we multiply it by a seven-dimensional vector that has at most one occurrence of one then all the columns are going to be eliminated and the only column that is going to survive is the column that is multiplied by the one of the vector and that will give us a three-dimensional vector that encodes the index of the one in the seven-dimensional vector the decoding here is easy just parse the binary representation into a number so indignago and rudra extended this idea and they showed that for any s and n there exists an sn sketch matrix of size k times n where k equals an order of s squared log n and the decoding time is polynomial in k so just to wrap it up what our approach is we have the x vector which is the result of applying the isMatch functionality we are going to multiply it by a sketch matrix x we are going to get a core set an encrypted core set we are going to send the core set we know what are the indices of the restaurants that are near him or here so what is the degree analysis so since we multiply x an encrypted vector by s a sketch matrix that is in clear text then the degree of our polynomial is actually one this is actually a linear polynomial that means that for this step of the bigger algorithm for this step we can even do with additive or morphic encryption so we implemented our our algorithm and compared it to the direct approach so not surprisingly our algorithm is linear our algorithm is given by the blue line and the direct approach is given by the red line our algorithm is linear and the direct approach is not linear still we are slower than the direct approach for small vectors that is because of the overhead produced by the sketch so to conclude we saw that we can use core sets to improve performance of MPC multi-party computation protocols and FHE more specifically we saw that we can report an s sparse vector of size n using only additive morphic encryption and I would like to see more applications using core sets to improve MPC or other protocols and specifically for this application we want to improve the constants that is already work in progress we suspect that we can improve the constants by using a better sketch and by having a tighter analysis of the algorithm thank you any question for Saoul? since you used the asian lib I wonder is the open source library you have available sometime I couldn't find it yes you can email us we will send it to you we are not on github yet but we are planning for this also about the security parameters you are using in the asian lib yes we chose the security parameter to be 80 which is standard about the morphic parameters like a ring degree modular size are those in the full paper? you can see all the details in the full paper yes so when you compare so the modular size that depends for example for the direct approach the modular size should be at least n because you are generating a number that might be n so you have to use a modular size at least n for our case the modular size should be at least s because the number that are generated are almost s smaller okay we can talk about it we can talk about it in detail later yes it's more than thank you other questions for Saul? I do have one quick question we are speaking about more application do you have already the next application in mind or is just a generic more application? so we are we are we are fans of corsets we think that corsets should be everywhere we we do have some ideas there are no more questions let's thank Saul and all the speakers of the session