0:00:13so for of a let's oil they and so is yes we can do what to but the computation of
0:00:18uh every for you can compute everything in the group the domain
0:00:21the question is our fusion
0:00:22so that me start by saying what the what is more D the computation
0:00:27so uh went to day now there's you go online line in to play park or what happens is that
0:00:30you are here with your friends and a on a
0:00:33online server
0:00:34you connect to some central that service that is the for you
0:00:37and then gives to the card and then you can play pocket
0:00:39but course what happens if uh
0:00:41uh you playing with power what happens if the central server is ga a controlled by a it and there
0:00:46is one of the play is also part
0:00:48well than they can easily like a a low together right and then the the part of controlling the survey
0:00:53can give very good cards to is the this find then but as everyone it
0:00:58so might about the computation uh at about the combination is uh all the sets of the cryptographic techniques that
0:01:03allow you to instead of having the central server
0:01:06the second to split the the to in the service i'm among the players so everybody has run a piece
0:01:11of software on their machines
0:01:12that um rates the that simulates the presence of this that serve
0:01:16oh oh do these you know way that even if everyone else is a pilot uh then you can sleep
0:01:20play poker
0:01:21uh very
0:01:23because we don't wanna as mine
0:01:26this is gonna be a
0:01:28how a technical talk up not
0:01:29and i is something about the the application of and P C and uh are the been using the real
0:01:35i'm gonna to find a security model because a market at are for so i like security definitions
0:01:39and then i'm gonna present just to of the results of that think you should be aware of
0:01:43uh one because it's very important and other one is because i done it so i think if you know
0:01:49so let's start from the beginning
0:01:51so not about the computation of been introduce uh a more than a almost thirty years ago by and the
0:01:55we out
0:01:56uh but you have to wait until at to the the yet two thousand to that seeing the first efficient
0:02:03the that
0:02:04can be using in practice uh
0:02:05so that from two thousand you see a lot of uh
0:02:08but the types an implementation of uh
0:02:10but the goes from about the computation
0:02:12and that because some of them P C a a
0:02:15by you so
0:02:16in that wording electronic action privacy was every
0:02:19privacy preserving operation see "'cause" you know processing so basically every time you want to compute on something and you
0:02:24can about the privacy of your input
0:02:26and the correctness of a result
0:02:28you want to come in not cut the mpc dot
0:02:31so for instance a a a a this is a a start from a then use paper
0:02:36uh uh then is people are uh ensure the they have had insurance and then when the get seek a
0:02:40uh they they have
0:02:42big problem them man you like the six uh are they have to a about the signal and the get
0:02:46to to the insurance and ask for their money
0:02:48this a problem because the see people could enjoy this is mine and
0:02:51could that them to to do with their problem
0:02:53and uh so on is a solution of this could be that i be that's an insurance company could perform
0:02:58form uh the intersection of the database base once you know i to check
0:03:01we should get some mine
0:03:02of course this is a privacy present these is a privacy sensitive
0:03:05uh kind of computation because
0:03:07you don't want the medical records of
0:03:10the patient to be square as or the in for insurance data
0:03:13and we can solve this problem using a C
0:03:15oh example was the from a from then mike
0:03:18uh these the is the a base the first the time that and P C has been used to move
0:03:22real money
0:03:24in this case the so
0:03:26should should this missing then mike the they you have a should that contract is a bit contract so they
0:03:30are be you know that's them
0:03:32a many should is they can grow i mean you get be they can set
0:03:35and uh the can exchange is these objects these objects are like or C and the wanted to that are
0:03:39mean you know the the price of
0:03:40with for exchanging this kind of comedy
0:03:43so you can do a an option i everyone is i want to buy a this price i want to
0:03:47buy so much of this price and
0:03:49then that it can
0:03:50make is nice by find the equally equilibrium point
0:03:52but the farmers as don't want to tell each other are much they were willing to buy and sell for
0:03:56because that to be as information about their own farm
0:03:58and uh then is is a very technological advances so they use mpc P C
0:04:03to to to the mean this price
0:04:04uh the problem the computation last on thirty minutes
0:04:07and that's uh is that back call is that not
0:04:09well if it's a task that have to do only once a maybe is good
0:04:13and for that's a motion are probably a kind a we kind of security so passive security and uh it
0:04:18assumed that the magic of the party to be honest
0:04:21and that i don't like uh
0:04:24being the mean value of don't believe that the harness is the that a much as of people are honest
0:04:29so i another example that that are the from last week a is that the there is an L on
0:04:33tongue and group of people that
0:04:35more less to the same they have a nice website we a nice logo
0:04:39and uh so i C to company scene is tongue the wanted to benchmark a i guess each that they
0:04:43want to do a whether for
0:04:45i'm do we by are employ use so much revenue you we get four
0:04:49money we spend and they want to to compare information with each other the one i stack statistics
0:04:53uh uh of course these this
0:04:55all season for the uh these data is the
0:04:58to be get it so that using uh and P C to do this
0:05:02but as a nice solution was the share mine
0:05:03only gives you this kind of weak secure
0:05:07so what is the security model i keep saying security T but what do i mean when i a secure
0:05:11so a first of all can this computation to me computation is just a quit
0:05:15well we have a
0:05:16from now on um only gonna talk about two five is but you can generalise to more so the have
0:05:20and your bob that have some input
0:05:22let's say that beats right we can do everything the bit
0:05:25and the want to some with made a multiplication addition on this bits
0:05:29so that is computation from
0:05:31so computation means that every all the input i get by it that's why there is a a the log
0:05:35that to show that these
0:05:37uh input that product and that's all the gates are encrypted because all these the internal values should be
0:05:42uh a get by but also a of the it should be encrypted that in the sense that they
0:05:46a the should produce that i with they should be sick you L the get to be sick
0:05:51in particular it a is crap it she's up by she should be able to do things like a all
0:05:55i want to learn
0:05:56this intermediate audio or or maybe
0:05:58i one the output to be these beat that i design
0:06:01yeah does that
0:06:02uh problem problem in terms of privacy and correctness
0:06:06so do the mean wanna say secure
0:06:08uh this is kind of a card last year because they come from the could start a few what most
0:06:12of you come from the
0:06:13signal processing work
0:06:15intuitively we are agree that a locally secure if no one can a it if not not back again
0:06:21learn an information
0:06:22unfortunately approach security is
0:06:25a a a a a lot X
0:06:27uh uh isn't a list of a tax there isn't a book that you can buy where you read a
0:06:30lot X and then you
0:06:32reasons uh any such a thing maybe you make your system C Q against that kind of a tax and
0:06:35then to more they come up with the
0:06:37another kind of attack and then what do you do
0:06:39so in cryptography
0:06:41uh we believe that security is not a probably they can be checked empirically
0:06:44so what we do we want to prosecute
0:06:47so but it not for the case of multi body computation the stand the model of a for probably security
0:06:52is the i don't work i real work by like
0:06:57the top or the or what they called the i word is what you want
0:07:00so you want you have a T symbol
0:07:02you want what you really like is that the magical about where you can put a input and get the
0:07:07the medical box
0:07:08uh computes the function as it's the supposed to do and the and never really that being
0:07:14a four it is no such my scale but box and what to do in fact is you do some
0:07:18kind of the got be brother but what part six exchange
0:07:21so um the message right
0:07:27yeah that the world is secure by definition right there is no way of attacking able
0:07:31but in the uh dulles could be applied since you could cheat in the problem
0:07:34and many i what does it mean that you think that this
0:07:37information does not reveal
0:07:39uh anything about the inputs
0:07:42the to formalise these is to say that uh to create that ideal adversary adversity what because a later
0:07:48but leaves in the i don't word
0:07:50and the goal of the similar as or is that by only seeing the input and output of the computation
0:07:57by doing but is supposed to do in other word
0:07:59so be able to produce some kind of trust pretty transcript of the problem of that looks the same
0:08:04at these one you
0:08:05and then if you can prove that is uh transcript the are in this transcript the are indistinguishable
0:08:10then say a probabilistic
0:08:12with for problem or T we say that if a have adverse that is a similar in that a word
0:08:17uh such that this uh the output of that were send up output of the symbol with are indistinguishable
0:08:21then we can lower protocol sick Q
0:08:23and need to db does means because the children saying distinguishable and the i don't were the secure but the
0:08:28thing is and then also the real what is secure
0:08:32so there are many uh a kind of a that one can can see
0:08:37in the paper in the preceding that are there is much more than this but
0:08:40i think the most important got session is uh about the level of corruption and that you allow
0:08:44so we can can see the passive adversaries that try that that of the brother exactly as it had them
0:08:49but then try to the crypt
0:08:51the what they get
0:08:53then you of active adversary that the do whatever they want and that's the one i'm more calm i most
0:08:57concerned with
0:08:58and then there's summing somewhere in between
0:09:00also the number of corruption option is very important
0:09:02so you can have an honest majority and in this case you can even get perfect security information-theoretic security
0:09:08and then and this problem was a really really efficient
0:09:11in that case is a you can can the as much a key that by the ways the only meaningful
0:09:16uh the and if you look at the but the case right if you into to if two but these
0:09:20are both a on is then
0:09:21there is no need for target
0:09:24so i'm concerned with the design of majority
0:09:26i think about that
0:09:31in this C use cryptographic primitives so a but each a is much higher there two
0:09:36to two we dishonest majority
0:09:38then we don't as much
0:09:41so that i was that's are uh
0:09:44security more the let's look at some of the techniques that we have
0:09:50i assume that you're of for that with the concept of a an encryption
0:09:54so a public encryption the is a system or where you have a public in a secret key you have
0:09:58an encryption function
0:09:59that takes uh message put into a separate text
0:10:01and are the caption function that with that of the secret key can retrieve the message from the group is
0:10:07and what you want this for the encryption to be meaningful look at you want the the decryption to be
0:10:11correct so if you in something a decree the you get the same
0:10:14and also you want been think we should but
0:10:16basically this is that this is a we are
0:10:20this is a version that feeding one line but but signal them saying is that even if you a link
0:10:24point beat i do zero one
0:10:26that was say shouldn't be able to tell you
0:10:28a if and you these encryption of a beat that is you one one give it to that at and
0:10:32just the a you what is this
0:10:33well that was they shouldn't be able to get we'd much more than one out probability
0:10:37so is best are those used to guess
0:10:39so that's what we want from secure
0:10:41but now want to compute on the data right
0:10:43so that would like to have
0:10:45some kind of uh uh we to compute on the data
0:10:49that's homomorphic norfolk encryption so if you start from two cipher text
0:10:52C one and C two C one is an encryption of fixed one in C two is of is two
0:10:56you would like to have some way of computing on the data
0:11:00you can have an addition you could you but what might want to on addition so you take that use
0:11:04cipher for text
0:11:05you combine them together in some way
0:11:07and then you get then you separate text and now you want then use i've text two
0:11:11to be an encryption of the sum
0:11:13of the original plain text
0:11:15and this is important and that this these addition function is not using the secret key
0:11:18is not the creating summing and encrypting again
0:11:21the addition function is combining the cipher text in the group that the domain
0:11:24to get the
0:11:26to get an use separate text that in the that this um
0:11:29in the where you can define a
0:11:31a multiplication requirement okay
0:11:34is there anything like that can can something like do exist yeah actually
0:11:38even the
0:11:40we'll build the gum scheme is uh the more we could expect a multiplication
0:11:45and if you want to T scheme uh you have a scheme we have a have a scheme
0:11:49it too
0:11:49uh more time to get to be but we have also them
0:11:52and more recently a people that that uh this covering some creep the system that are
0:11:57additionally digitally on a of peak then you can do one would be vacation
0:12:00so that light to compute a bit more
0:12:03you and could the system is based on padding so G is that be with the lot is
0:12:07and now a couple of years ago a this uh you to break through that is they put "'em" more
0:12:10peak encryption scheme by gender
0:12:13the a bit would think allows use compute on uh everything
0:12:17for what we can keep she's beautiful it allows you compute everything every function on your
0:12:22on your input i single encryption decryption of those some that and then you can some the data are more
0:12:26divided it you can be any function
0:12:28and the we and this was the map it was good that it seem to be uh absolutely impractical but
0:12:34at or that
0:12:35i don't think at nine but the this uh
0:12:38ragged get the for the put a pick encryption is based on lattices is is
0:12:41so i that this is just a a real the points
0:12:43is a S is that discrete creates group of a a vector space
0:12:48uh and you can have a basis of these the of this space so we can have this model on
0:12:52of these long one
0:12:53and the might one is a good one because it allows you to compute the all the points we a
0:12:57big one it's either they're to to to solve some problem
0:13:00so one of the problem that is at to solve in uh in these this if you only about a
0:13:04long base
0:13:05is to find the "'cause" is that the problem so if i give it is red point
0:13:08and ask you which point is close you are not able to do that
0:13:12and you can make an encryption all of these so you take a lot this point X and you are
0:13:15down or vector
0:13:17and this is a good encryption if you have a secret key so if you have a good luck is
0:13:20days you can
0:13:21recover big big point and find their or
0:13:24if you have a only the public you can not do that
0:13:27and now you can in
0:13:28in this error vector you can encode or beat so you can uh the find is that are back to
0:13:33to be two times some
0:13:35random random that and then you put the a bit in one of the position of the vector i
0:13:40now if you have to back to of this power men some them together
0:13:43that you at this point and you like this point
0:13:46there are some to gather and also of this to be uh good pitching comes there and then basically you
0:13:50have an addition model
0:13:52so this system is the additive T or more
0:13:56is a problem that that are blows so you can only do a limited amount of operation you can't keep
0:14:00adding a a a uh for a
0:14:03and and other thing to i'm is is that these vectors
0:14:06and not only that those you know that this but you can also look at them as polynomials
0:14:09well no male small or the
0:14:12we just in on it
0:14:13and then you seven a multiplication operation
0:14:15that no less in the same way it gives you that if you multiply to to cipher text to get
0:14:20uh uh and the recreational also in the in the thing thing
0:14:25uh so as this though do that so we can only do a limited number of a patient
0:14:29but for uh these gentry found is a great way of uh
0:14:34using them a mapping properties
0:14:35black too uh the query
0:14:38a a for a text
0:14:39in to the crypt of them are typically inside the cipher text
0:14:42so we can the crypt the i a separate X to of the better and get that new cipher for
0:14:48with uh with a smaller
0:14:50and not gonna tell you more about these all good
0:14:53and then you have that the uh so last week at you okay of that all that that act that
0:14:56this scheme is the implemented it
0:14:58and it doesn't take as long as we would have like that so this is a a reasonable level of
0:15:03and the can uh compute in a of degrees to hundred
0:15:06and the every multiplication cost the zero point one second
0:15:09is not as bad as we thought
0:15:11a of that these if you want to do the for them more pick one
0:15:14then we takes much more and then every multiplication takes three mean used to do
0:15:19uh is that is an you technology but it's
0:15:22it's that and uh someone is actually by think of the for that so
0:15:27but i think i want to talk about this to but the computation
0:15:30uh so the more uh a stand up about
0:15:33and i'm looking at a job at P with active the corruption
0:15:37we that one of the parties crap
0:15:39so the first but because solution was from two years ago and they could evaluate that the gets a segment
0:15:43in a recent work of me with some of my quarters
0:15:46we but that to twenty thousand gates a second
0:15:48but it doesn't gets the second is uh a more try
0:15:53so i'll do we do these uh
0:15:55very briefly it's an T base probable
0:15:57and the a be this task but then each have believed to be really expensive because they quite public key
0:16:03uh uh C a target piece fast because it only uses a symmetric
0:16:08but as you know the results are or something "'cause" i bit encryption right if you want to send a
0:16:12a a a when you open a necessary connection what to do is that you send
0:16:15and he S it key using a say because i say is bad and then uh a S is good
0:16:20in the same way we can do the same with the or be that's that
0:16:22so we can do a a a a a little bit of real a to has but using public key
0:16:27and then you can extend them using only the symmetric key operation
0:16:32and that for all based on but a cheap because they only basically only but asymptotically they only require
0:16:37a symmetric uh cryptography
0:16:38and that's very P
0:16:40so and a bin is task good an object of this way a where you have a
0:16:43uh a a the which two messages is the time one
0:16:46and i with the receiver that to this uh think matt and that's and signal
0:16:50well that's and than anything about sigma and that is that's and and other message
0:16:54this is the same as a very small computation so on a that's is actually a a a uh one
0:16:58bit computation
0:17:00and if and combine them get together to get a big computation
0:17:04we need in these the work was to find a way to uh preserve the security also when
0:17:09uh uh the the the these crap that but i'm not gonna do anything about that
0:17:13because is looking about of me so really gonna you about the uh uh i one good i wanna leave
0:17:18space for question
0:17:19the message of these is the following techniques for a P C are getting faster and faster genetic techniques for
0:17:24N P C
0:17:25so don't be afraid of using a a you know of writing your
0:17:28uh signal processing out if you know
0:17:30uh as a sec with because we can compute a circuits it's fast and fast
0:17:35so twenty thousand that will and gates per second the that we can do now maybe few years we will
0:17:39be able to emulate late that one mhz secure process
0:17:43a it's going fast
0:17:45and the maybe to was uh to the for a signal processing but then that's what one of the challenge
0:17:50i think is the most interesting for a processing is that
0:17:53uh in cryptography we want everybody to be every bit to be protected because we can about the privacy of
0:17:57every bit
0:17:57but a signal processing have a lot of data maybe not that of this need to be protected uh
0:18:03the same way
0:18:04and that a it could be interesting to find some reasonable security to model
0:18:08to actually model this fact that the you know not all of the signal should be protecting the same way
0:18:13steve we can F's
0:18:14some reasonable sick using the finish on
0:18:16to capture this problem
0:18:17thank you to much
0:18:24time for a couple of questions
0:18:37thank very much for this very nice
0:18:41i i have a small question about your lost more
0:18:45um we we are dealing with
0:18:49so many of
0:18:50like it
0:18:51so yeah image
0:18:52you that that maybe not every bit is
0:18:54really important
0:18:56so for example if we want to in the this system using a i
0:18:59crypto the system
0:19:00we always use at thousand bits
0:19:05so do you think that maybe if we use a hundreds
0:19:09but you okay
0:19:10or or how can be apply
0:19:13it's not so for us
0:19:15to i will eat the security because we are application orient people what your a over
0:19:19so what you thing about that
0:19:21so actually
0:19:23is is a is gonna be some worse because as you you can not use the so
0:19:28when it would but you can do multiplication in with a lot of bits five you have you have this
0:19:31big secure the model and that this be one thousand bits
0:19:35they you can pack all them information inside the
0:19:37in on seven X and then you can do operation would big the
0:19:42a not of the at the same time
0:19:43uh used so you only care about on the be so you make the keys is smaller of course you
0:19:47can do that because of of i think is not secure anymore
0:19:52the problem and that is that and that's not gonna be a to uh uh with when the time goes
0:19:56because in ten years from now you still gonna be looking at maybe image job you know maybe is they
0:20:00want to the computation on
0:20:01thirty it's
0:20:02but in ten is from now but a keys should be eight thousand bits
0:20:06so this your security requirements is going well the computation is not going so yeah
0:20:11the the fact the now we can pick other information in yeah and that's meaningful
0:20:14it's kind of an not the fact that of the the the the the fact that you know right now
0:20:17it's more or less the same
0:20:19but it's uh but is not gonna scowl we well in the future
0:20:22so mm
0:20:24so think that actually
0:20:26you know a just where
0:20:27this security to by means there and the we should be couple of the security by me that
0:20:31and the computation so from once in from one hand you have the the size of a computation maybe be
0:20:36to to it is enough
0:20:37from the other hand of the C parameter is going uh
0:20:40uh fast
0:20:41that you think should be the couple and that's i think but
0:20:45are other process at doing not not only
0:20:54we'll to but that's
0:20:56you can explain as in layman's terms what the gender group she
0:20:59does how why does it
0:21:01so i to me
0:21:03the problem was a talking about it's of a is a but up is a V and then to be
0:21:07from this you have to a choose lies that i was i but from them
0:21:11so i should
0:21:11thank that
0:21:12uh uh this paper is spend so it's a score the implementing gentry E the system and it's a a
0:21:18you you can understand that
0:21:20i think a it's a is not too hard
0:21:22so i well it's a problem of fig
0:21:25at the P Z the
0:21:28so it's a it's basically doing
0:21:30uh multiplication polynomials
0:21:32well i that's a key or that some of the study
0:21:34uh and then you have to understand that this what action back i think the signal processing community
0:21:39uh understands
0:21:40but and the sense that this is but then
0:21:42many other the committees is because you use and lot is this and the coding data
0:21:47some because of that the problem is not
0:21:49two five i i way from you know the coding problem
0:21:53i would recommend it to me that paper
0:21:56very quick question
0:22:01high uh just reminding in the first question usually in signal processing we are basically doing operation on
0:22:09samples that's
0:22:10can be let's say and can you on eight bits
0:22:13yeah excel is and kind in a bit
0:22:16that's it's using you new
0:22:18crypt the system how many be i need to presents that simple now
0:22:22so uh
0:22:24in a in just to map in in in my work
0:22:27you know not for my work uh basically have a bit that's an expansion factor of
0:22:32well and bits that's say like that
0:22:33so uh the security is uh
0:22:35i every a bit for able to so the was are
0:22:41so i of it is presented as one bit
0:22:44and then we have a make an information to mac
0:22:46so i from a synthetic make uh
0:22:48if T be it's one and that twenty bits
0:22:50so that an expansion factor that is not the lot about i the will this uh problem of X a
0:22:55uh the
0:22:57we can take it is applying but the it's it's even big
0:23:00it's in but then than this but yeah you have a the the the the that
0:23:04yeah that's a C at beats wonder bit
0:23:07but that's is that the minimum the security uh use the one beats become one hundred bits yeah such set
0:23:11and that yeah that's a huge overhead for us are there any can of
0:23:16research in trying to regroup
0:23:18for as
0:23:19it would be re groping samples together a but being able to do operation on
0:23:24parts of the be uh on segments of the beats
0:23:27with is in the encrypted so you can do that that really it is not this work is another piece
0:23:31of work well i do i have the computation
0:23:33well i have the mac and where i uh okay we'd numbers model not be well the number so maybe
0:23:38arithmetic computation of but number of one hundred twenty bits it's for the sense and the mac is the same
0:23:43size in that case have an a of factor of two
0:23:45i guess but uh the and uh uh then you need to use a if we can keep some basic
0:23:49you but it too
0:23:51yeah we've think it up right
0:23:55thank you