so for of a let's oil they and so is yes we can do what to but the computation of

uh every for you can compute everything in the group the domain

the question is our fusion

so that me start by saying what the what is more D the computation

so uh went to day now there's you go online line in to play park or what happens is that

you are here with your friends and a on a

online server

you connect to some central that service that is the for you

and then gives to the card and then you can play pocket

but course what happens if uh

uh you playing with power what happens if the central server is ga a controlled by a it and there

is one of the play is also part

well than they can easily like a a low together right and then the the part of controlling the survey

can give very good cards to is the this find then but as everyone it

so might about the computation uh at about the combination is uh all the sets of the cryptographic techniques that

allow you to instead of having the central server

the second to split the the to in the service i'm among the players so everybody has run a piece

of software on their machines

that um rates the that simulates the presence of this that serve

oh oh do these you know way that even if everyone else is a pilot uh then you can sleep

play poker

uh very

because we don't wanna as mine

so

this is gonna be a

how a technical talk up not

and i is something about the the application of and P C and uh are the been using the real

word

i'm gonna to find a security model because a market at are for so i like security definitions

and then i'm gonna present just to of the results of that think you should be aware of

uh one because it's very important and other one is because i done it so i think if you know

about

um

so let's start from the beginning

so not about the computation of been introduce uh a more than a almost thirty years ago by and the

we out

uh but you have to wait until at to the the yet two thousand to that seeing the first efficient

solution

the that

can be using in practice uh

so that from two thousand you see a lot of uh

but the types an implementation of uh

but the goes from about the computation

and that because some of them P C a a

by you so

in that wording electronic action privacy was every

privacy preserving operation see "'cause" you know processing so basically every time you want to compute on something and you

can about the privacy of your input

and the correctness of a result

you want to come in not cut the mpc dot

so for instance a a a a this is a a start from a then use paper

uh uh then is people are uh ensure the they have had insurance and then when the get seek a

uh they they have

big problem them man you like the six uh are they have to a about the signal and the get

to to the insurance and ask for their money

this a problem because the see people could enjoy this is mine and

could that them to to do with their problem

and uh so on is a solution of this could be that i be that's an insurance company could perform

form uh the intersection of the database base once you know i to check

we should get some mine

of course this is a privacy present these is a privacy sensitive

uh kind of computation because

you don't want the medical records of

the patient to be square as or the in for insurance data

and we can solve this problem using a C

oh example was the from a from then mike

uh these the is the a base the first the time that and P C has been used to move

real money

in this case the so

should should this missing then mike the they you have a should that contract is a bit contract so they

are be you know that's them

a many should is they can grow i mean you get be they can set

and uh the can exchange is these objects these objects are like or C and the wanted to that are

mean you know the the price of

with for exchanging this kind of comedy

so you can do a an option i everyone is i want to buy a this price i want to

buy so much of this price and

then that it can

make is nice by find the equally equilibrium point

but the farmers as don't want to tell each other are much they were willing to buy and sell for

because that to be as information about their own farm

and uh then is is a very technological advances so they use mpc P C

to to to the mean this price

uh the problem the computation last on thirty minutes

and that's uh is that back call is that not

well if it's a task that have to do only once a maybe is good

and for that's a motion are probably a kind a we kind of security so passive security and uh it

assumed that the magic of the party to be honest

and that i don't like uh

i

being the mean value of don't believe that the harness is the that a much as of people are honest

so i another example that that are the from last week a is that the there is an L on

tongue and group of people that

more less to the same they have a nice website we a nice logo

and uh so i C to company scene is tongue the wanted to benchmark a i guess each that they

want to do a whether for

i'm do we by are employ use so much revenue you we get four

money we spend and they want to to compare information with each other the one i stack statistics

uh uh of course these this

all season for the uh these data is the

to be get it so that using uh and P C to do this

but as a nice solution was the share mine

only gives you this kind of weak secure

so what is the security model i keep saying security T but what do i mean when i a secure

so a first of all can this computation to me computation is just a quit

well we have a

from now on um only gonna talk about two five is but you can generalise to more so the have

and your bob that have some input

let's say that beats right we can do everything the bit

and the want to some with made a multiplication addition on this bits

so that is computation from

so computation means that every all the input i get by it that's why there is a a the log

that to show that these

uh input that product and that's all the gates are encrypted because all these the internal values should be

uh a get by but also a of the it should be encrypted that in the sense that they

a the should produce that i with they should be sick you L the get to be sick

in particular it a is crap it she's up by she should be able to do things like a all

i want to learn

this intermediate audio or or maybe

i one the output to be these beat that i design

yeah does that

uh problem problem in terms of privacy and correctness

so do the mean wanna say secure

uh this is kind of a card last year because they come from the could start a few what most

of you come from the

signal processing work

so

intuitively we are agree that a locally secure if no one can a it if not not back again

learn an information

unfortunately approach security is

a a a a a lot X

uh uh isn't a list of a tax there isn't a book that you can buy where you read a

lot X and then you

reasons uh any such a thing maybe you make your system C Q against that kind of a tax and

then to more they come up with the

another kind of attack and then what do you do

so in cryptography

uh we believe that security is not a probably they can be checked empirically

so what we do we want to prosecute

so but it not for the case of multi body computation the stand the model of a for probably security

is the i don't work i real work by like

so

the top or the or what they called the i word is what you want

so you want you have a T symbol

you want what you really like is that the magical about where you can put a input and get the

now

the medical box

uh computes the function as it's the supposed to do and the and never really that being

right

a four it is no such my scale but box and what to do in fact is you do some

kind of the got be brother but what part six exchange

so um the message right

so

yeah that the world is secure by definition right there is no way of attacking able

but in the uh dulles could be applied since you could cheat in the problem

and many i what does it mean that you think that this

information does not reveal

uh anything about the inputs

the to formalise these is to say that uh to create that ideal adversary adversity what because a later

but leaves in the i don't word

and the goal of the similar as or is that by only seeing the input and output of the computation

so

the

by doing but is supposed to do in other word

so be able to produce some kind of trust pretty transcript of the problem of that looks the same

at these one you

and then if you can prove that is uh transcript the are in this transcript the are indistinguishable

then say a probabilistic

with for problem or T we say that if a have adverse that is a similar in that a word

uh such that this uh the output of that were send up output of the symbol with are indistinguishable

then we can lower protocol sick Q

and need to db does means because the children saying distinguishable and the i don't were the secure but the

thing is and then also the real what is secure

so there are many uh a kind of a that one can can see

uh

in the paper in the preceding that are there is much more than this but

i think the most important got session is uh about the level of corruption and that you allow

so we can can see the passive adversaries that try that that of the brother exactly as it had them

but then try to the crypt

the what they get

then you of active adversary that the do whatever they want and that's the one i'm more calm i most

concerned with

and then there's summing somewhere in between

also the number of corruption option is very important

so you can have an honest majority and in this case you can even get perfect security information-theoretic security

and then and this problem was a really really efficient

in that case is a you can can the as much a key that by the ways the only meaningful

uh the and if you look at the but the case right if you into to if two but these

are both a on is then

there is no need for target

so i'm concerned with the design of majority

i think about that

oh

uh

and

in this C use cryptographic primitives so a but each a is much higher there two

to two we dishonest majority

then we don't as much

okay

so that i was that's are uh

security more the let's look at some of the techniques that we have

so

i assume that you're of for that with the concept of a an encryption

so a public encryption the is a system or where you have a public in a secret key you have

an encryption function

that takes uh message put into a separate text

and are the caption function that with that of the secret key can retrieve the message from the group is

used

and what you want this for the encryption to be meaningful look at you want the the decryption to be

correct so if you in something a decree the you get the same

and also you want been think we should but

basically this is that this is a we are

this is a version that feeding one line but but signal them saying is that even if you a link

point beat i do zero one

that was say shouldn't be able to tell you

a if and you these encryption of a beat that is you one one give it to that at and

just the a you what is this

well that was they shouldn't be able to get we'd much more than one out probability

so is best are those used to guess

so that's what we want from secure

but now want to compute on the data right

so that would like to have

some kind of uh uh we to compute on the data

so

that's homomorphic norfolk encryption so if you start from two cipher text

C one and C two C one is an encryption of fixed one in C two is of is two

you would like to have some way of computing on the data

you can have an addition you could you but what might want to on addition so you take that use

cipher for text

you combine them together in some way

and then you get then you separate text and now you want then use i've text two

to be an encryption of the sum

of the original plain text

and this is important and that this these addition function is not using the secret key

is not the creating summing and encrypting again

the addition function is combining the cipher text in the group that the domain

to get the

to get an use separate text that in the that this um

in the where you can define a

a multiplication requirement okay

so

is there anything like that can can something like do exist yeah actually

even the

we'll build the gum scheme is uh the more we could expect a multiplication

and if you want to T scheme uh you have a scheme we have a have a scheme

it too

uh more time to get to be but we have also them

and more recently a people that that uh this covering some creep the system that are

additionally digitally on a of peak then you can do one would be vacation

so that light to compute a bit more

you and could the system is based on padding so G is that be with the lot is

and now a couple of years ago a this uh you to break through that is they put "'em" more

peak encryption scheme by gender

the a bit would think allows use compute on uh everything

so

for what we can keep she's beautiful it allows you compute everything every function on your

on your input i single encryption decryption of those some that and then you can some the data are more

divided it you can be any function

and the we and this was the map it was good that it seem to be uh absolutely impractical but

at or that

i don't think at nine but the this uh

ragged get the for the put a pick encryption is based on lattices is is

so i that this is just a a real the points

is a S is that discrete creates group of a a vector space

uh and you can have a basis of these the of this space so we can have this model on

of these long one

and the might one is a good one because it allows you to compute the all the points we a

big one it's either they're to to to solve some problem

so one of the problem that is at to solve in uh in these this if you only about a

long base

is to find the "'cause" is that the problem so if i give it is red point

and ask you which point is close you are not able to do that

and you can make an encryption all of these so you take a lot this point X and you are

down or vector

E

and this is a good encryption if you have a secret key so if you have a good luck is

days you can

recover big big point and find their or

if you have a only the public you can not do that

and now you can in

in this error vector you can encode or beat so you can uh the find is that are back to

to be two times some

random random that and then you put the a bit in one of the position of the vector i

now if you have to back to of this power men some them together

well

that you at this point and you like this point

there are some to gather and also of this to be uh good pitching comes there and then basically you

have an addition model

so this system is the additive T or more

is a problem that that are blows so you can only do a limited amount of operation you can't keep

adding a a a uh for a

and and other thing to i'm is is that these vectors

and not only that those you know that this but you can also look at them as polynomials

well no male small or the

so

we just in on it

and then you seven a multiplication operation

that no less in the same way it gives you that if you multiply to to cipher text to get

uh uh and the recreational also in the in the thing thing

uh so as this though do that so we can only do a limited number of a patient

but for uh these gentry found is a great way of uh

using them a mapping properties

black too uh the query

a a for a text

in to the crypt of them are typically inside the cipher text

so we can the crypt the i a separate X to of the better and get that new cipher for

text

with uh with a smaller

and not gonna tell you more about these all good

uh

and then you have that the uh so last week at you okay of that all that that act that

this scheme is the implemented it

and it doesn't take as long as we would have like that so this is a a reasonable level of

security

and the can uh compute in a of degrees to hundred

and the every multiplication cost the zero point one second

is not as bad as we thought

a of that these if you want to do the for them more pick one

then we takes much more and then every multiplication takes three mean used to do

uh is that is an you technology but it's

it's that and uh someone is actually by think of the for that so

the

following

but i think i want to talk about this to but the computation

uh so the more uh a stand up about

and i'm looking at a job at P with active the corruption

we that one of the parties crap

so the first but because solution was from two years ago and they could evaluate that the gets a segment

in a recent work of me with some of my quarters

we but that to twenty thousand gates a second

but it doesn't gets the second is uh a more try

so i'll do we do these uh

very briefly it's an T base probable

and the a be this task but then each have believed to be really expensive because they quite public key

technology

uh uh C a target piece fast because it only uses a symmetric

but as you know the results are or something "'cause" i bit encryption right if you want to send a

a a a when you open a necessary connection what to do is that you send

and he S it key using a say because i say is bad and then uh a S is good

in the same way we can do the same with the or be that's that

so we can do a a a a a little bit of real a to has but using public key

cryptography

and then you can extend them using only the symmetric key operation

and that for all based on but a cheap because they only basically only but asymptotically they only require

a symmetric uh cryptography

and that's very P

so and a bin is task good an object of this way a where you have a

uh a a the which two messages is the time one

and i with the receiver that to this uh think matt and that's and signal

well that's and than anything about sigma and that is that's and and other message

this is the same as a very small computation so on a that's is actually a a a uh one

bit computation

and if and combine them get together to get a big computation

we need in these the work was to find a way to uh preserve the security also when

uh uh the the the these crap that but i'm not gonna do anything about that

because is looking about of me so really gonna you about the uh uh i one good i wanna leave

space for question

so

the message of these is the following techniques for a P C are getting faster and faster genetic techniques for

N P C

so don't be afraid of using a a you know of writing your

uh signal processing out if you know

uh as a sec with because we can compute a circuits it's fast and fast

so twenty thousand that will and gates per second the that we can do now maybe few years we will

be able to emulate late that one mhz secure process

a it's going fast

and the maybe to was uh to the for a signal processing but then that's what one of the challenge

i think is the most interesting for a processing is that

uh in cryptography we want everybody to be every bit to be protected because we can about the privacy of

every bit

but a signal processing have a lot of data maybe not that of this need to be protected uh

the same way

and that a it could be interesting to find some reasonable security to model

two

to actually model this fact that the you know not all of the signal should be protecting the same way

steve we can F's

some reasonable sick using the finish on

to capture this problem

thank you to much

time for a couple of questions

yes

thank very much for this very nice

station

fast

i i have a small question about your lost more

really

um we we are dealing with

know

is

but

so many of

like

like it

so yeah image

you that that maybe not every bit is

really important

so for example if we want to in the this system using a i

crypto the system

we always use at thousand bits

key

so do you think that maybe if we use a hundreds

it's

a

but you okay

or or how can be apply

so

it's not so for us

to i will eat the security because we are application orient people what your a over

so what you thing about that

so actually

is is a is gonna be some worse because as you you can not use the so

when it would but you can do multiplication in with a lot of bits five you have you have this

big secure the model and that this be one thousand bits

they you can pack all them information inside the

in on seven X and then you can do operation would big the

a not of the at the same time

uh used so you only care about on the be so you make the keys is smaller of course you

can do that because of of i think is not secure anymore

right

so

the problem and that is that and that's not gonna be a to uh uh with when the time goes

because in ten years from now you still gonna be looking at maybe image job you know maybe is they

want to the computation on

thirty it's

but in ten is from now but a keys should be eight thousand bits

so this your security requirements is going well the computation is not going so yeah

the the fact the now we can pick other information in yeah and that's meaningful

it's kind of an not the fact that of the the the the the fact that you know right now

it's more or less the same

but it's uh but is not gonna scowl we well in the future

so mm

so think that actually

you know a just where

this security to by means there and the we should be couple of the security by me that

and the computation so from once in from one hand you have the the size of a computation maybe be

to to it is enough

from the other hand of the C parameter is going uh

uh fast

that you think should be the couple and that's i think but

uh

are other process at doing not not only

yeah

we'll to but that's

you can explain as in layman's terms what the gender group she

does how why does it

so i to me

the problem was a talking about it's of a is a but up is a V and then to be

from this you have to a choose lies that i was i but from them

so i should

thank that

uh uh this paper is spend so it's a score the implementing gentry E the system and it's a a

you you can understand that

i think a it's a is not too hard

so i well it's a problem of fig

at the P Z the

so it's a it's basically doing

uh multiplication polynomials

well i that's a key or that some of the study

uh and then you have to understand that this what action back i think the signal processing community

uh understands

but and the sense that this is but then

many other the committees is because you use and lot is this and the coding data

some because of that the problem is not

two five i i way from you know the coding problem

so

i would recommend it to me that paper

very quick question

high uh just reminding in the first question usually in signal processing we are basically doing operation on

samples that's

can be let's say and can you on eight bits

yeah excel is and kind in a bit

that's it's using you new

crypt the system how many be i need to presents that simple now

so uh

in a in just to map in in in my work

you know not for my work uh basically have a bit that's an expansion factor of

uh

well and bits that's say like that

so uh the security is uh

i every a bit for able to so the was are

so i of it is presented as one bit

and then we have a make an information to mac

so i from a synthetic make uh

if T be it's one and that twenty bits

so that an expansion factor that is not the lot about i the will this uh problem of X a

uh the

well

we can take it is applying but the it's it's even big

it's in but then than this but yeah you have a the the the the that

but

yeah that's a C at beats wonder bit

but that's is that the minimum the security uh use the one beats become one hundred bits yeah such set

and that yeah that's a huge overhead for us are there any can of

research in trying to regroup

for as

it would be re groping samples together a but being able to do operation on

parts of the be uh on segments of the beats

with is in the encrypted so you can do that that really it is not this work is another piece

of work well i do i have the computation

well i have the mac and where i uh okay we'd numbers model not be well the number so maybe

arithmetic computation of but number of one hundred twenty bits it's for the sense and the mac is the same

size in that case have an a of factor of two

i guess but uh the and uh uh then you need to use a if we can keep some basic

you but it too

yeah we've think it up right

alright

thank you