 Thank you, Hotec. So in this talk, I'll be talking about the limits on the power of garbling techniques for public encryption. This is joint work with Sanjam Garek, Muhammad Haji Abadi, and Muhammad Mamoudi. So in this talk, we will revisit the longstanding open problem of whether we could base public encryption on one-way functions. So the seminal result of Empanadas and Roudish in 89 have shown that this is not possible in a black box way. So this still leaves open the possibility that there are non-black box methods that we might use in order to build public encryption from one-way functions. So let us first briefly define what it means to be black box and non-black box. So the standard notion of black box construction was introduced by Empanadas and Roudish, and later formalized and expanded upon in subsequent works. And basically what this means is that a black box construction of a primitive queue from another primitive P is where the construction queue only uses P as an oracle. It makes oracle calls and receives an answer back and forth. It only uses it in a black box way. So it cannot use, for example, the code or the description of P in its construction. And the security requirement says that any adversary that breaks the construction queue can be turned into an adversary that breaks the underlying primitive P. And in this talk, we'll only be considering black box security. So the adversary can only use the underlying adversary in a black box way. So then when we say that we have a non-black box construction of queue from P, the code of P is actually fed into the construction of queue. And informally speaking, we can roughly divide the common non-black box techniques into two categories. The first category, being so-called low-tech, no-black box techniques, is basically the ones that can be realized using a one-way function, such as, for example, garbling, zero-knowledge proofs, and witness indistinguishability proofs. And then we have the second category, which we call high tech. And these are basically those techniques that require stronger assumptions, such as full-year-on-morphic encryption, or even I.O. And in this talk, we will be focusing on the widely used non-black box technique of garbling, which, as we will see later on, will also imply limits on the other low-tech techniques. So let us briefly remind ourselves what a garbling scheme is. So basically, a garbling scheme consists of a subroutine, we'll call it garb, that accepts an input, a circuit, and a seed, and outputs a garbled circuit with some input labels for each bit of the input. And looking ahead, we note that since what usually makes constructions not-black box when they use garbling is the fact that this garb subroutine accepts a circuit. But I will explain what this means in more detail later on. Furthermore, we have a second subroutine that, given the garbled circuit and a sequence of input encodings representing for each bit of the input, it would evaluate C of X. And the security basically says that there is a simulator that, given C of X, would output something that's indistinguishable from the garbled circuit plus the input encodings for that input. And in this talk, we will mainly be dealing with the decomposable or projective variant of garbling, which basically states that we are allowed to encode each bit of the input one by one individually. So now, going back to our main question, we want to say, if we could get public encryption for one-way function plus garbling, can we do that? And what motivates this main question is that we know first that we can get garbling for one-way function by the result of YAL. And by the recent result of Dottling and Garg, they showed that they could get identity-based encryption from the computational detail assumption using garbling. And this is done in a non-blackbox way, due to garbling. And this circumvents the previous impossibility result that shows it cannot actually get IB from CDH. So we want to ask the same thing. Can we do the same thing? Can we use garbling and circumvent the impossibility result of Pagdas and Rudish in order to build PKE for one-way function in a non-blackbox way? We're OK with that. And our main result is that, essentially, no, you can't do that. And we will do so. We will allow such construction in a model where this model captures the known garbling-based positive constructions. And this is the same model that's used by the previous works of Burkyrsky, Katz, Sigev, Nurekimovich, and Ashraf and Sigev under a different context. But I will explain that in more detail later on. So now that we have seen what the problem and motivation is, I will go now and explain how we can model our problem so that we can be able to solve it and prove our result. So when we talk about blackbox separations, we usually use blackbox separation techniques in order to separate a primitive queue from another primitive queue that uses it in a blackbox way. And using these separations would imply that such constructions do not exist. However, we cannot simply use blackbox separations in our case. Why? Because the constructions that we want to rule out are inherently not blackbox. So anytime we use garbling in order to build our PKE scheme, we're going to use a one-way function in a non-blackbox way. So how can we possibly cast this non-blackbox construction as a blackbox construction so that we can apply the known standard blackbox separation techniques and prove our results? That's the question that we'd like to ask. So in order to do that, we're going to look at first exactly we're going to see how does garbling make constructions non-blackbox. And so the way that garbling is usually used is that if you recall, this is the garb subroutine. It takes us in with a circuit. And out with a garbled circuit plus some input labels, right? And one could potentially feed this garbled circuit and use this garbled subroutine a circuit with the circuit of the one-way function code. And this makes any construction that uses the garbling subroutine become non-blackbox in the use of the one-way function. So we're going to redefine our garbled subroutine so that it allows as input circuits with one-way function gates. We're going to reinterpret this garbled subroutine. So now instead of injecting the one-way circuit of the one-way function in our circuit, we can just plant one-way function gates in the oracle, in the circuit. And so now we're back to being blackbox in the use of the one-way function. So given that, we can now reinterpret our construction, our non-blackbox construction, into a blackbox one by saying that any pKa construction, if we could construct any pKa construction from this new primitive of one-way function plus the garbling subroutine that accepts circuit to the one-way function gates. And now we can state our main theorem more formally that there exists no blackbox construction of pKa from one-way function plus garbling that accepts one-way function gates. This is our formal theorem. Great. So the big picture of our approach is that we turn this non-blackbox construction, we remodel it as a blackbox construction of pKa from this new primitive. And our goal is to show, using the standard blackbox separation techniques, that pKa constructions do not exist from one-way function plus garbling for one-way function gates. That's our goal right now. But before that, I would like to go over some of the previous separation result that uses this method because it's quite related to ours as well. So this model that we're using wasn't the first time that's used. It was introduced back by Bikersky et al. Back when they were showing that there exists no pKa construction from one-way function plus Nizik, where the Nizik could accept statements that could have one-way function calls within them. So the difference between the result and ours is that the result only rules out perfectly complete pKa. Whereas we extend the result to rule out even imperfectly complete pKa. We do not make the assumption that we will not only perfectly complete pKa. Furthermore, there's the other result of Ashraf Hossegyev, where they show that the secret key functional encryption, if you allow the key generation subroutine of the secret key functional encryption to have one-way function or code gates, this primitive does not imply a public encryption. They also use the model that we use as well. But the difference here, the result from ours is that they would rule out non-projective but reusable garbling. By non-projective, we mean that they need to encode input all at once. Whereas in our result, we actually rule out projective garbling. If you recall, projective means we are allowed to encode bit by bit. And this projective property is often used in positive constructions, such as, say, and it's often required, say, in Yao's secure function evaluation. Or even in the recent result of the dot link and garg where they were required, this projective property in order to build identity-based encryption scheme from CDH. And it's important to understand what are the constructions that are captured in this model so that we can identify how useful this model is. So these are the constructions that use garbling to garble circuits in order to function gates, such as Beaver's OT extension protocol or the RAM garbling schemes due to Luostrovsky and Garg Luostrovsky and Scaffoldo. However, if you, say, wanted to garble a circuit that garbles the garbling subroutine in a recursive manner, then this is not captured by this model. What is, in fact, falls under something called the monolithic framework of Garg Mohamed Muhammad, which was done in last crypto, which was presented in last crypto. So now that I've described our separation model, I can now go into more detail behind the ideas of the proof of how to use this model in order to prove our result. So basically, let's recall a standard method for proving blackbox separations first so that we can use it in our work as well. So in order to prove that a blackbox separation of a primitive queue from the order to prove a blackbox separation of q from p, we need to define an oracle just that this oracle securely realizes p, meaning that there is no adversary that breaks p. But any construction of q in relative to this oracle can be broken using an adversary that asks a polynomial time number of queries. So if I show an oracle that is p secure, but any adversary could break any q under this model, then we basically saw a separation between p and q. OK, so we want to use the same technique in our work. How would we do that? So the first attempt is to show that we want to define an oracle such that it realizes this one-way function plus garbling that could have one-way function gates. So how would we do that? So the oracle O would consist of the following. First, let's just realize a one-way function. We can just use random oracle. This gives us a secure one-way function. So how do we realize the garbling part of this, the second part of our oracle? So to realize this garbling, the other part, we're going to define an ideal garbling scheme for circuits with f gates or random oracle gates which represent one-way function gates. And these are composed of two subroutines which map to the same subroutines that belong to the garbling scheme, garb and eval. Garb can be seen as a random function that maps seed circuit pairs to gobbled circuits and input labels, just a random function. And eval takes the gobbled circuit and input labels, finds the corresponding circuits and the inputs belonging to these input labels, and outputs the result C of x. Great. So we defined our oracle. This is it, which is f and garb and eval. However, the problem is that this oracle is too strong. It's actually strong enough to realize a strong form of obfuscation, which is called virtual black pocket obfuscation. And this, in fact, implies pKe. So this won't work. We need somehow to weaken this oracle so that it still gives us garbling, but it's not strong enough to give us pKe. So how would we do that? So the right version of this oracle is that we take this original oracle that we have, and we add a weakening subroutine. We'll call it a reveal subroutine, which takes as input the gobbled circuit and two different sequences of input labels, corresponding to two different inputs, and reveals the seed and these underlying circuits. This intuitively realizes the security of a gobbled scheme, where it says that if you evaluate the circuit and do it for its inputs, all bits are off, reveal the circuit. That's what it means for the reveal function. So we're fine with that, because the gobbled scheme is, anyways, a one-time use gobbled scheme. So now our oracle O is this new oracle, which is composed of the random oracle, garb, eval, and the reveal function, which is the weakening subroutine. Great. So our oracle now, going back, our goal is to show, this is our oracle, this is our construction, and our goal is to show an attacker that uses this oracle to break this pKe scheme in order to prove the black box separation. And we want to show that any pKe can be broken using only polynomial number queries to the oracle. So specifically, what we will do is that this adversary will make exclusive use of the reveal function. We won't allow the pKe scheme to query the reveal oracle. And this is still sufficient to prove a black box separation. This is similar to the techniques used by Gerdner et al and Showerazin, which defined the two oracle separation technique for separation results. Great. So our approach at a high level is as follows. We have this pKe scheme in the oracle model that we defined. And what we're going to do is we're going to compile out the evaluation queries from this pKe. And by compiling out, this means that we simulate any evaluation queries that the new pKe scheme will do. We will simulate it without asking the oracle explicitly. So what we end up with is a pKe scheme. That is, we're going to make sure that the pKe scheme is almost as correct and as secure as the original pKe scheme. And this new oracle is simply just a random oracle. If you recall, Garb is just a random oracle. And the new pKe scheme doesn't ask any eval queries. And we know that by the result of Pagdas and Rudich that there is a play query attack against this new pKe scheme. So we can reduce this attack with the help of the reveal subroutine, which we defined specifically to weaken the oracle. We will use this reveal subroutine in order to break the original pKe scheme. And this basically shows that insecurity of the original pKe scheme. So our approach in more detail is that we're going to actually remove evaluation queries one by one in order to simplify our approach. So first, we're going to compile out the evaluation queries from the key generation. Then we're going to compile them out from the encryption. Then finally, we're compiling the evaluation queries from the decryption. And in each phase, at the end, we're going to get the pKe scheme in the random oracle model. So we're going to use the attacker of the IR scheme. And we're going to reduce this attack back to the previous scheme and so on, again, back to the previous scheme until we get an attacker for the original scheme. So this is how we will do it in more detail. So let's look at first how do we compile out the evaluation queries from the key generation algorithm. So suppose we want to compile out the evaluation query from the key generation oracle, from the key generation algorithm. So we're going to use this key property of our defined garb subroutine that the size of the garbless circuit is much larger than the input circuit size. And this basically means that it's hard to find any garbless circuit without explicitly asking garb itself. So in this case, the key generation algorithm would know C1 and it doesn't need to ask eval. It could just compute C1 over x on its own. So we're done in this case. That's an easy case. So suppose now we want to compile out the evaluation queries from the encryption algorithm. In that case, let's look at this evaluation query where, in fact, encryption does not know C1 because it did not generate the corresponding garbless circuit for the circuit. So our idea is to let the key generation algorithm help the encryption. And in order to do that, we're going to modify the key generation algorithm and make it into a new key generation algorithm that sends a hint to encryption to help the encryption algorithm ask to help the encryption algorithm simulate the evaluation query on its own. So what should the hint be? How about we just include garb C1 plus the garbless circuit? That's one way to do it. But the thing is, let's break security because we can't release information that we can't get from the original scheme ourselves. So the actual solution is that we allow the new key generation algorithm to run the encryption many times, then add the answers of evaluation queries to the hint list. These are basically the highly probable evaluation queries that will be asked by the encryption algorithm. And this way, the encryption algorithm can use the hint list to simulate the evaluation answer on its own. And finally, we have this decryption algorithm. We want to remove the evaluation query from the decryption algorithm. And the way that is done is that, well, the decryption algorithm doesn't know C2. So again, let's the encryption algorithm help the decryption algorithm. So our first instinct is, again, send the hint list to the decryption algorithm and let the encryption algorithm run the decryption many times. Just the same thing we did for the encryption and add the answers of the evaluation queries to the hint list. However, here's the problem is that the encryption doesn't know secret key. So while this, at a first class, won't work, what we're going to do is something very similar. But instead of running the decryption algorithm on the real secret key, we're going to simulate a fake secret key. And this fake secret key will yield a distribution of decryption that's very close to the decryption under the real secret key. And we're going to run this many times and add the answers of the eval queries to the hint list. And this concludes the compilation process. So to summarize, our main result says that one-way function plus garbling for circuits one-way function gates are insufficient for constructing PKE in a black box way. And there are other extensions in this work that I did not discuss in the stock. That is, we extended it to link out even constant round key-agreement particles. And we also extended the work of Bacchus-Gatall to show that one-way function plus Nizik with one-way function gates are not sufficient for constructing PKE without even assuming perfect completeness. And finally, I'll leave you with some open problems, which is extension tooling out PKE even if we allow garbling of the garbling scheme itself. That's a very interesting problem. And it somehow falls under the monolithic model. And there's the extension to ruling out key exchange with polynomial number of rounds from one-way function plus garbling. So yeah, thank you.