so for of a let's oil they and so is yes we can do what to but the computation of uh every for you can compute everything in the encrypted domain the question is our fusion so let me start by saying what the what is multiparty computation so uh went to day now there's you go online line in to play poker what happens is that you are here with your friends and a on a online server you connect to some central that service that is the for you and then gives to the card and then you can play poker but course what happens if uh uh you playing with power what happens if the central server is ga a controlled by a it and there is one of the play is also part well than they can easily like a a low together right and then the the part of controlling the server can give very good cards to is the this find then but as everyone it so multiparty computation uh multiparty computation is uh all the sets of the cryptographic techniques that allow you to instead of having the central server the second to split the the to in the service i'm among the players so everybody has run a piece of software on their machines that um rates the that simulates the presence of this that server oh oh do these you know way that even if everyone else is a pilot uh then you can still play poker uh very because we don't wanna as mine so this is gonna be a how a technical talk up not and i is something about the the application of MPC and uh are the been using the real world i'm gonna define a security model because a market at are for so i like security definitions and then i'm gonna present just two of the results that i think you should be aware of uh one because it's very important and other one is because i done it so i think if you know about um so let's start from the beginning so multiparty computation has been introduced uh a more than a almost thirty years ago by and the we out uh but you have to wait until at to the the yet two thousand to that seeing the first efficient 
solution the that can be used in practice uh so that from two thousand you see a lot of uh prototypes and implementations of uh protocols for multiparty computation and that because some of them P C a a by you so in that voting electronic auctions privacy was every privacy preserving operation see "'cause" you know processing so basically every time you want to compute on something and you care about the privacy of your input and the correctness of a result you want to come in not cut the mpc dot so for instance a a a a this is a a start from a then use paper uh uh then is people are uh ensure the they have had insurance and then when they get sick a uh they they have big problem them man you like the six uh are they have to a about the signal and the get to to the insurance and ask for their money this a problem because the see people could enjoy this is mine and could that them to to do with their problem and uh so on is a solution of this could be that i be that's an insurance company could perform uh the intersection of the database once you know i to check we should get some mine of course this is a privacy present these is a privacy sensitive uh kind of computation because you don't want the medical records of the patient to be square as or the in for insurance data and we can solve this problem using MPC oh example was the from a from denmark uh these the is the a base the first the time that MPC has been used to move real money in this case the so should should this missing denmark the they you have a should that contract is a bit contract so they are be you know that's them a many should is they can grow i mean you get be they can set and uh the can exchange is these objects these objects are like or C and the wanted to determine you know the the price of with for exchanging this kind of commodity so you can do a an auction i everyone is i want to buy a this price i want to buy so much of this price and then that it can make is nice by 
find the equally equilibrium point but the farmers as don't want to tell each other how much they were willing to buy and sell for because that to be as information about their own farm and uh then is is a very technological advances so they use MPC to determine this price uh the problem the computation last on thirty minutes and that's uh is that back call is that not well if it's a task that have to do only once a maybe is good and for that's a motion are probably a kind a we kind of security so passive security and uh it assumed that the majority of the parties to be honest and that i don't like uh i being the mean value of don't believe that the harness is the that a much as of people are honest so i another example that that are the from last week a is that the there is an L on tongue and group of people that more less to the same they have a nice website we a nice logo and uh so i C to company scene is tongue the wanted to benchmark a i guess each that they want to do a whether for i'm do we by are employ use so much revenue you we get four money we spend and they want to to compare information with each other the one i stack statistics uh uh of course these this all season for the uh these data is the to be get it so that using uh MPC to do this but as a nice solution was the Sharemind only gives you this kind of weak security so what is the security model i keep saying security but what do i mean when i a secure so a first of all can this computation to me computation is just a quit well we have a from now on um only gonna talk about two parties but you can generalise to more so we have Alice and Bob that have some input let's say that bits right we can do everything the bit and the want to some with made a multiplication addition on this bits so that is computation from so computation means that every all the input i get by it that's why there is a a the lock that to show that these uh input that product and that's all the gates are encrypted 
because all these the internal values should be uh a get by but also a of the it should be encrypted that in the sense that they a the should produce that i with they should be sick you L the get to be sick in particular it a is crap it she's up by she should be able to do things like a all i want to learn this intermediate value or or maybe i want the output to be this bit that i design yeah does that uh problem problem in terms of privacy and correctness so do the mean wanna say secure uh this is kind of a card last year because they come from the could start a few what most of you come from the signal processing world so intuitively we are agree that a locally secure if no one can a it if not not back again learn an information unfortunately approach security is a a a a a lot X uh uh isn't a list of attacks there isn't a book that you can buy where you read a lot X and then you reasons uh any such a thing maybe you make your system secure against that kind of attacks and then tomorrow they come up with the another kind of attack and then what do you do so in cryptography uh we believe that security is not a property that can be checked empirically so what we do we want to prove security so but it not for the case of multiparty computation the stand the model of a for probably security is the ideal world real world paradigm so the top or the or what they called the ideal world is what you want so you want you have a T symbol you want what you really like is that the magical box where you can put a input and get the now the magical box uh computes the function as it's the supposed to do and the and never really that being right a four there is no such magical box and what to do in fact is you do some kind of the got be brother but what part six exchange so um the message right so yeah the ideal world is secure by definition right there is no way of attacking able but in the uh dulles could be applied since you could cheat in the protocol and many i what does it mean that you 
think that this information does not reveal uh anything about the inputs the to formalise these is to say that uh to create that ideal adversary adversity what we call a simulator that lives in the ideal world and the goal of the simulator is that by only seeing the input and output of the computation so the by doing but is supposed to do in other word so be able to produce some kind of trust pretty transcript of the protocol of that looks the same at these one you and then if you can prove that is uh transcript the are in this transcript the are indistinguishable then say a probabilistic with for problem or T we say that if a have adverse that is a similar in that a word uh such that this uh the output of that were send up output of the simulator are indistinguishable then we call our protocol secure and need to db does means because the children saying distinguishable and the ideal world is secure but the thing is and then also the real world is secure so there are many uh a kind of a that one can can see uh in the paper in the preceding that are there is much more than this but i think the most important got session is uh about the level of corruption and that you allow so we can consider the passive adversaries that try that that of the brother exactly as it had them but then try to decrypt what they get then you have active adversary that the do whatever they want and that's the one i'm more calm i most concerned with and then there's something somewhere in between also the number of corruptions is very important so you can have an honest majority and in this case you can even get perfect security information-theoretic security and then and this problem was a really really efficient in that case is a you can can the as much a key that by the ways the only meaningful uh the and if you look at the but the case right if you into to if two but these are both a on is then there is no need for target so i'm concerned with the dishonest majority i think 
about that oh uh and in this case you use cryptographic primitives so a but each a is much higher there two to two we dishonest majority then we don't as much okay so that i was that's are uh security model let's look at some of the techniques that we have so i assume that you're familiar with the concept of a an encryption so a public key encryption is a system where you have a public and a secret key you have an encryption function that takes uh message puts it into a ciphertext and a decryption function that with that of the secret key can retrieve the message from the group is used and what you want this for the encryption to be meaningful look at you want the the decryption to be correct so if you encrypt something and decrypt it you get the same and also you want indistinguishability basically this is that this is a we are this is a version that feeding one line but but signal them saying is that even if you a link point bit i do zero one the adversary shouldn't be able to tell you a if and you these encryption of a bit that is you one one give it to that at and just the a you what is this well the adversary shouldn't be able to guess with much more than one half probability so is best are those used to guess so that's what we want from secure but now want to compute on the data right so that would like to have some kind of uh uh we to compute on the data so that's homomorphic encryption so if you start from two ciphertexts C one and C two C one is an encryption of x one and C two is of x two you would like to have some way of computing on the data you can have an addition you could you but what might want to on addition so you take the two ciphertexts you combine them together in some way and then you get a new ciphertext and now you want the new ciphertext to be an encryption of the sum of the original plain text and this is important and that this these addition function is not using the secret key is not decrypting summing and 
encrypting again the addition function is combining the ciphertexts in the encrypted domain to get the to get a new ciphertext that in the that this um in the where you can define a a multiplication requirement okay so is there anything like that can can something like do exist yeah actually even the ElGamal scheme is uh homomorphic with respect to multiplication and if you want to T scheme uh you have a scheme we have a have a scheme it too uh more time to get to be but we have also them and more recently a people that that uh this covering some cryptosystem that are additively homomorphic then you can do one multiplication so that light to compute a bit more you and could the system is based on pairings so G is that be with the lattices and now a couple of years ago a this uh huge breakthrough that is the fully homomorphic encryption scheme by Gentry the a bit would think allows use compute on uh everything so fully homomorphic encryption is beautiful it allows you compute everything every function on your on your input i single encryption decryption of those some that and then you can some the data are more divided it you can be any function and the we and this was the map it was good that it seem to be uh absolutely impractical but at or that i don't think at nine but the this uh ragged get the fully homomorphic encryption is based on lattices is is so i that this is just a a real the points is a S is that discrete creates group of a a vector space uh and you can have a basis of these the of this space so we can have this model on of these long one and the might one is a good one because it allows you to compute the all the points we a big one it's either they're to to to solve some problem so one of the problem that is at to solve in uh in these this if you only about a long base is to find the "'cause" is that the problem so if i give it is red point and ask you which point is close you are not able to do that and you 
can make an encryption all of these so you take a lattice point X and you are down or vector E and this is a good encryption if you have a secret key so if you have a good lattice basis you can recover big big point and find their or if you have a only the public you can not do that and now you can in in this error vector you can encode a bit so you can uh the find is that error vector to be two times some random random that and then you put the a bit in one of the position of the vector i now if you have to back to of this power men some them together well that you at this point and you like this point there are some to gather and also of this to be uh good pitching comes there and then basically you have an addition model so this system is additively homomorphic is a problem that that are blows so you can only do a limited amount of operation you can't keep adding a a a uh for a and and other thing to i'm is is that these vectors and not only that those you know that this but you can also look at them as polynomials well no male small or the so we just in on it and then you seven a multiplication operation that no less in the same way it gives you that if you multiply two ciphertexts to get uh uh and the recreational also in the in the thing thing uh so as this though do that so we can only do a limited number of operations but for uh these Gentry found is a great way of uh using them a mapping properties black too uh the query a a for a text in to decrypt them are typically inside the ciphertext so we can decrypt the i a ciphertext of the better and get that new ciphertext with uh with a smaller and not gonna tell you more about these all good uh and then you have that the uh so last week at you okay of that all that that act that this scheme is the implemented it and it doesn't take as long as we would have like that so this is a a reasonable level of security and the can uh compute in a of degrees to hundred and the every multiplication cost 
the zero point one second is not as bad as we thought a of that these if you want to do the fully homomorphic one then we takes much more and then every multiplication takes three minutes to do uh is that is a new technology but it's it's that and uh someone is actually by think of the for that so the following but i think i want to talk about this to but the computation uh so the more uh a stand up about and i'm looking at a job at P with active the corruption we that one of the parties crap so the first but because solution was from two years ago and they could evaluate that the gets a segment in a recent work of me with some of my coauthors we but that to twenty thousand gates a second but it doesn't gets the second is uh a more try so i'll do we do these uh very briefly it's an OT based protocol and the a be this task but then each have believed to be really expensive because they require public key technology uh uh C a target piece fast because it only uses a symmetric but as you know the results are or something "'cause" i bit encryption right if you want to send a a a a when you open a necessary connection what to do is that you send and he S it key using a say because i say is bad and then uh a S is good in the same way we can do the same with the or be that's that so we can do a a a a a little bit of real a to has but using public key cryptography and then you can extend them using only the symmetric key operation and that for all based on but a cheap because they only basically only but asymptotically they only require a symmetric uh cryptography and that's very P so and a bin is task good an object of this way a where you have a uh a a the which two messages is the time one and i with the receiver that to this uh think matt and that's and signal well that's and than anything about sigma and that is that's and and other message this is the same as a very small computation so on a that's is actually a a a uh one bit computation and if and combine them get 
together to get a big computation we need in these the work was to find a way to uh preserve the security also when uh uh the the the these crap that but i'm not gonna do anything about that because is looking about of me so really gonna you about the uh uh i one good i wanna leave space for question so the message of these is the following techniques for MPC are getting faster and faster generic techniques for MPC so don't be afraid of using a a you know of writing your uh signal processing out if you know uh as a circuit because we can compute a circuits it's faster and faster so twenty thousand that will and gates per second the that we can do now maybe few years we will be able to emulate a one mhz secure processor it's going fast and the maybe to was uh to the for a signal processing but then that's what one of the challenge i think is the most interesting for a processing is that uh in cryptography we want everybody to be every bit to be protected because we care about the privacy of every bit but a signal processing have a lot of data maybe not that of this need to be protected uh the same way and that a it could be interesting to find some reasonable security model to actually model this fact that the you know not all of the signal should be protected the same way steve we can F's some reasonable security definition to capture this problem thank you to much time for a couple of questions yes thank very much for this very nice presentation fast i i have a small question about your lost more really um we we are dealing with know is but so many of like like it so yeah image you that that maybe not every bit is really important so for example if we want to in the this system using a i crypto the system we always use at thousand bits key so do you think that maybe if we use a hundreds it's a but you okay or or how can be apply so it's not so for us to i will eat the security because we are application orient people what your a over so what you 
think about that so actually is is a is gonna be some worse because as you you can not use the so when it would but you can do multiplication in with a lot of bits five you have you have this big secure the model and that this be one thousand bits they you can pack all them information inside the in on seven X and then you can do operation would big the a not of the at the same time uh used so you only care about on the be so you make the keys is smaller of course you can do that because of of i think is not secure anymore right so the problem and that is that and that's not gonna be a to uh uh with when the time goes because in ten years from now you still gonna be looking at maybe image job you know maybe is they want to the computation on thirty it's but in ten years from now but a keys should be eight thousand bits so this your security requirements is going well the computation is not going so yeah the the fact the now we can pick other information in yeah and that's meaningful it's kind of an not the fact that of the the the the the fact that you know right now it's more or less the same but it's uh but is not gonna scale well in the future so mm so think that actually you know a just where this security to by means there and the we should be couple of the security by me that and the computation so from once in from one hand you have the the size of a computation maybe be to to it is enough from the other hand of the C parameter is going uh uh fast that you think should be the couple and that's i think but uh are other process at doing not not only yeah we'll to but that's you can explain as in layman's terms what the gender group she does how why does it so i to me the problem was a talking about it's of a is a but up is a V and then to be from this you have to a choose lies that i was i but from them so i should thank that uh uh this paper is spend so it's a score the implementing Gentry's cryptosystem and it's a a you you can understand that i think a it's a 
is not too hard so i well it's a problem of fig at the P Z the so it's a it's basically doing uh multiplication polynomials well i that's a key or that some of the study uh and then you have to understand that this what action back i think the signal processing community uh understands but and the sense that this is but then many other the committees is because you use and lattices and the coding data some because of that the problem is not too far away from you know the coding problem so i would recommend it to me that paper very quick question high uh just reminding in the first question usually in signal processing we are basically doing operation on samples that's can be let's say and can you on eight bits yeah excel is and kind in a bit that's it's using you new cryptosystem how many bits i need to represent that sample now so uh in a in just to map in in in my work you know not for my work uh basically have a bit that's an expansion factor of uh well and bits that's say like that so uh the security is uh i every a bit for able to so the was are so i of it is presented as one bit and then we have a make an information to mac so i from a synthetic make uh if T be it's one and that twenty bits so that an expansion factor that is not the lot about i the will this uh problem of X a uh the well we can take it is applying but the it's it's even big it's in but then than this but yeah you have a the the the the that but yeah that's a C at bits wonder bit but that's is that the minimum the security uh use the one bit become one hundred bits yeah such set and that yeah that's a huge overhead for us are there any can of research in trying to regroup for as it would be regrouping samples together a but being able to do operation on parts of the be uh on segments of the bits with is in the encrypted so you can do that that really it is not this work is another piece of work well i do i have the computation well i have the mac and where i uh okay we'd numbers 
model not be well the number so maybe arithmetic computation of but number of one hundred twenty bits it's for the sense and the mac is the same size in that case have an a of factor of two i guess but uh the and uh uh then you need to use a if we can keep some basic you but it too yeah we've think it up right alright thank you