Okay, I'll be discussing "One-Way Functions Imply Secure Computation in a Quantum World", which is joint work with Andrea, Dakshita, and Fermi. Okay, so this talk is about secure multi-party computation, which I will now define. We consider multiple parties, each with a private input x_i, that wish to compute some public circuit C over their private inputs. Okay, so they'll do this by communicating and eventually all learning the output. And for security, we want to ensure that an adversary that corrupts any subset of these parties, so here parties two and three, won't learn anything about the honest party inputs x_1, x_4 except for what it learns from the output of the functionality. Okay, and this is a classic problem in crypto, dating back to the 80s. Okay, so yeah, to give a little bit of background on what's known about MPC in a classical world, in which, you know, all parties are classical, functionalities are classical. We'll really have to look at the simple primitive of OT, right, which is a two-party functionality between sender and receiver. What's known is that actually a protocol for OT implies a protocol for multi-party computation of general functionalities, arbitrary functionalities, among an arbitrary number of parties. Okay, so if you're interested in obtaining feasibility results about MPC, you know, you can really focus in on this very simple functionality of OT. Indeed, you know, there have been many works that studied OT, and it's known from various standard cryptographic assumptions such as Diffie-Hellman-style assumptions, learning with errors, etc. However, a major goal in cryptography is to base your primitives or constructions on as weak or as simple assumptions as possible, and one-way functions, the existence of one-way functions, is kind of the weakest possible assumption that's currently known to imply crypto. Right. It's a very generic assumption, just saying that some one-way function exists, right.
In fact, in particular, in '89 Impagliazzo and Rudich showed that you provably cannot construct OT from black-box usage of one-way functions, that's showing, like, a black-box separation between these. And even to this day, some 30 years later, there are no really non-black-box techniques known. So, you know, the current state of affairs is that it's not known, and there are barriers to constructing OT from one-way functions. Okay. So let's ask about, you know, what happens in a quantum world, when, you know, parties and adversaries are quantum and they have potentially quantum inputs. So, it is still true that OT implies MPC, and indeed it even implies multi-party quantum computation, as shown by these works of DNS and DGJMS. But quite interestingly, Crépeau and Kilian in '88 showed a template for constructing OT based on bit commitments. They kind of just gave this template. Okay. Which is interesting because such a template is not known in the classical setting, right. And what really differentiates their protocol is that it makes inherent usage of quantum communication during the protocol. Okay. So, like, you know, it wasn't until many years later that DFLSS actually, like, instantiated this template from a concrete assumption, and in particular they built a particular type of bit commitment from LWE that then allowed them to prove the security of this OT protocol following this CK88 approach. However, still, you know, the end result is not new, right, because it was already known that LWE implies OT implies MPC. Another interesting work of BF10 showed that following this template, you could actually obtain some weak form of OT, which is, like, indistinguishability-based OT as opposed to simulation-based OT, just from one-way functions. Okay. And so this is super interesting and not known in the classical setting. However, this weak, like, indistinguishability-based OT is not known to imply full-fledged MPC. Okay, so there's still this gap, right.
At least prior to our work it was not known whether one-way functions were sufficient for, you know, full-fledged MPC. And so, kind of to recap what I have just said, you know, in the classical world we have this separation, this black-box separation between OT and one-way functions; in a quantum world, you know, the relationship was a little bit less clear. And so our work shows that actually, you know, simulation-secure OT that is sufficient for MPC can be built, even from just black-box usage of one-way functions. And again, this result is in a quantum world and uses quantum communication. But this establishes, you know, that you can actually build full-fledged MPC from one-way functions in a quantum. Okay. So this is the result. And, you know, before getting into techniques, I'm going to have to share some background about how this Crépeau-Kilian OT protocol works. Okay. So we have, you know, we have our sender with two strings, receiver with a bit b. At the end of the protocol we want the receiver to output s_b. Okay, but not learn anything about s_{1-b}. Right. So the protocol begins, you know, I guess, similar to, like, a key exchange, a quantum key exchange protocol, in that one party sends a bunch of so-called BB84 states over to the other party, so the sender samples random BB84 states, which basically consists of sampling two bits per state. One bit determining what basis the state is going to be in, the other bit determining, you know, which of the two possibilities the state is in. So, you know, you have the Hadamard basis, plus and minus, and the standard basis, zero and one. Okay, and the sender just basically sends random BB84 states to the receiver. Okay. So the receiver at this point doesn't know what these states are. What it's going to do is sample its own random sequence of bases and measure these qubits in its own bases theta prime.
Okay, and so roughly half the time it'll guess the right basis, roughly half the time it'll guess the wrong basis, and so in the positions where it guessed wrong, x prime, they're just going to be uniformly random bits, but in the positions that it guessed right it will obtain the correct, or, you know, the values that it gets will match the values that the sender sampled. So basically this is kind of establishing some channel where the sender is sending some classical information in the form of quantum states, and the receiver is obtaining some random sort of this information. Okay, so some of this information essentially gets erased by the measurements that the receiver is performing. Okay. And, you know, the sender doesn't know what the receiver got correctly and what it got incorrectly, so it's kind of this erasure channel that is happening here. So, you know, we can obtain an OT protocol eventually from this by next having the sender, you know, announce, like, okay, these are actually the bases that my qubits are in, which gives the receiver the information about which parts of the string x prime are correct and which were random. Okay, so the receiver is then going to partition the indices into these two sets, one in which it was correct and one in which it was incorrect, and send over this partition back to Okay. You know, and so the sender then partitions x according to these indices, and so what this is really setting up is a situation where the receiver knows exactly x_b, but doesn't know anything about x_{1-b}. And so the sender can then encrypt their, you know, their zero string under x_0 and their one string under x_1. Okay.
Right, so this gives, like, a correct protocol and seems pretty secure if the receiver is, like, you know, exactly following this template, right, but there's a very easy attack that a cheating receiver can mount, which is just to simply wait until the sender announces the bases to measure. Right. So, you know, imagine the receiver just doesn't measure these qubits, and then it eventually gets the sender's bases; now it can measure all of these qubits in the correct basis and learn, you know, the entire correct string x, which allows it to break security. Right. So in order to fix this, you know, the idea from Crépeau and Kilian was to insert this measurement-check subprotocol, which is basically there for the sender to check that the receiver is honestly measuring the qubits that it sent in the first right. So what we're going to do now is, after the receiver measures, they're actually going to send commitments, so these locked boxes represent cryptographic commitments to all of their basis choices and measurement results. Okay. And then the sender will ask the receiver to open some random subset of them, which it will do. And the sender will make sure that, like, in all of the positions where the receiver guessed the basis right, it must have obtained the correct bit. So on this, you know, on this fourth position the receiver guessed right, therefore it must have obtained the bit, and if the receiver is, you know, correctly obtaining all of the bits, then the sender can be reasonably convinced that the receiver was, you know, honestly performing these measurements. Okay. So then they're going to have to discard some of the qubits that they used to test, and then they proceed with the rest of the protocol on the non-tested qubits. And again, this is called this measurement-check subprotocol. Okay.
So, right, this is kind of the idea that was put forth by Crépeau and Kilian. And as I mentioned, it was not until a while later, in DFLSS, that security, at least simulation security, of this OT protocol was formally analyzed. And what they showed in this paper is that if your bit commitment scheme satisfies certain special properties, then you can indeed prove that this protocol is simulation secure. In particular, if your commitment scheme is extractable, then you can obtain security against the malicious receiver. If your commitment scheme is equivocal, you can obtain security against the malicious sender. And so to see, like, intuitively why that is, let's say you want security against a malicious receiver. And in particular what that means is that the simulator is going to have to interact with this receiver and extract their effective choice bit b. Right. And so what the simulator is going to do is, you know, first extract from the receiver's commitments, which they can do assuming the commitment is extractable. You know, now that they know all of, you know, theta prime, x prime, when the receiver sends over the indices I_0, I_1, they know exactly which ones the receiver guessed right, which ones the receiver guessed wrong, which exactly indicates what the receiver's choice bit was. Okay. So this is how to perform extraction. Right. So, on the other hand, if we want security against the malicious sender, it's the same deal: we're going to have to at least extract the sender's effective inputs from it, which, you know, are s_0 and s_1. So, the strategy that the simulator is going to perform to do this is to basically carry out the malicious receiver's attack I mentioned earlier, which was basically to delay measurement of these qubits. And the simulator is going to be able to do this because we require these commitments to be equivocal. Right.
So what's going to happen is the simulator interacting with a malicious sender is not going to measure initially. It's first going to send some dummy commitments, equivocal commitments. And then once it receives the, you know, the challenge from the sender, it will then only measure the qubits that it has to, so two and four in this case. It will then pass this check. And then later, when the malicious sender sends over, like, their bases, now the simulator can measure all the rest of the qubits and learn all the information about x, allowing it to, you know, learn both of these. So, we saw that, you know, if this commitment is extractable then you can extract the receiver's input, if this is equivocal you can extract the sender's input, and this can be leveraged to obtain full simulation security of this protocol. Okay. So this was what was, you know, shown by DFLSS. This is the starting point of our work. So our goal now, if we actually want the result, OT from one-way functions, is to build an extractable and equivocal bit commitment from one-way functions. Right. And so this is what we do. And we basically have two technical contributions in order to do this. One of them is a black-box equivocality compiler, which basically takes any commitment scheme and turns it equivocal in a black-box manner. Okay. And also in a post-quantum manner, right, all of this has to be post-quantum. And the second thing is taking any extractable or any equivocal commitment, along with quantum communication, and making it an extractable commitment. Okay, so, you know, we have these two ingredients. And in order to eventually obtain an extractable and equivocal commitment from them we proceed in three steps, so basically start with a regular commitment with no extra properties that's known from one-way functions, so for example Naor's commitment.
So apply our equivocality compiler to that to turn it equivocal, apply our, you know, our second step here to turn that equivocal commitment into an extractable commitment. But now it's no longer equivocal, so we actually have to apply our first step again to kind of in a black-box way make this extractable commitment equivocal. And this preserves the extractability, and in the end we get what we wanted, which is an extractable and equivocal bit. So, yeah, let me now say a few words about each of these steps. I'll actually start with the second one because it's a little bit more immediate based on what I've already discussed. And in fact it uses this, like, CK template, which is a template for OT, and turns it into basically a template for an extractable commit. Okay, so what I mean is that, you know, let's look at this OT protocol that I just had up a couple of slides ago, and recall that what I argued was that if this commitment is equivocal then there existed a simulator that could extract the sender's inputs from the sender, s_0, s_1. So we're going to take the same strategy in order to, you know, come up with an extractable commitment. Right, so let's view this sender no longer as being, like, an OT sender but actually a committer that would like to commit to a bit b. Okay, so we're going to do a very similar protocol, except that, you know, this committer no longer has two strings, it just has a single string that it's going to encrypt with x. Okay. Or really a single bit b that it is going to encrypt with x. And in order to extract this bit b we can equivocate these receiver commitments and extract in the same manner as I described in the OT protocol. Okay. So this gives this kind of, like, second result, which is that, you know, again this is crucially using quantum communication, right, so if we have quantum communication, and we have an equivocal bit commitment, we can obtain, like, a post-quantum extractable commitment.
Right, so this is the second step, and now I can talk about this first step, which is this black-box equivocality compiler. So again we're taking any commitment scheme Com and turning it into an equivocal commitment scheme, EqCom. Okay. And this proceeds as follows, so in order to equivocally commit to a bit b, we're going to have the committer first send four commitments. Okay. So it's going to sample two bits and, like, commit to each bit twice. Okay. And the receiver wants to be convinced basically that the committer was acting honestly, like, wants to know that the committer is really committing to the same bit in each of these rows. So it's going to check this by sampling a random bit c, and for the purpose of the slide we'll assume c is equal to zero, and asking the committer to open, like, the zeroth row. Okay. So the committer will indeed give openings to this row, the receiver will check that indeed they both commit to the same bit. Okay. And then the committer will also hide the bit that it wants to commit to by XORing it with u_1, which is the bit committed in the other row. Okay. So, yeah. So now how is the committer going to open? Well, it'll simply give one of the commitment keys for, you know, one of these two bottom commitments, right, and then the receiver can obtain u_1 and strip u_1 off of this bit to obtain the bit b committed to by the committer. Right. So, yeah, so why is this equivocal first? Well, what can a, like, you know, equivocator do is it can basically cheat in how it forms these four commitments. So in particular it can choose one of the two rows to lie in and basically commit to different bits. Okay. But of course for this committer to not be caught, we need the receiver's challenge to be, you know, a particular bit, like in this case we're going to need the receiver's challenge to be zero in order to ensure that this equivocal is right.
And so what you can do as a simulator, right, is basically rewind the receiver until you get the challenge that you want, which in this case is zero. And then, yeah, the equivocal committer can, like, open, the receiver will be happy, and they can just send, like, a random bit in place of the bit they want to commit to. And so this is equivocal because now in the open phase, this committer can either open this first commitment or the second commitment, and depending on which one they open determines, like, which bit they're actually opening. So it's not even until this open phase that the committer really has to decide which bit to open to. Okay, so, right, so if we're simulating a receiver, and we have the ability to rewind them, then basically we're able to equivocate this commitment. And again we're in the post-quantum setting, where rewinding is not necessarily straightforward and in fact runs into many issues in many settings. Although we show that in this setting, we can actually use Watrous's rewinding lemma to successfully rewind, simulate a receiver. So in the paper, right, to establish, you know, binding of this protocol against a committer, we're going to have to, like, basically repeat this whole phase, like, multiple times, and so I will let you look at the paper for those details, but this is kind of the basic idea of how we, you know, from any, note that we didn't use any, like, special properties of this commitment scheme and we use it in a black-box manner, we can construct an equivocal commitment from it. And so this kind of completes the technical contributions of our paper. So before ending I did want to mention that there is a concurrent and independent work, GLSV, that was at Eurocrypt this year, that also has the same core result, that one-way functions and quantum communication implies it. Okay, I'll just mention a couple of differences.
I guess the main advantage of our work is that we actually use the one-way functions in a black-box way, which establishes, like, a clear separation between the classical and quantum settings, and could be useful, you know, for, you know, maybe we obtain, you know, commitment schemes from, like, various other assumptions, perhaps, and you could just plug those into our black-box compilers and get the protocol to work. Whereas GLSV, like, use the one-way functions in a non-black-box way. Okay. But they also, you know, they also study OT in the CRS model and give a constant-round protocol. And a couple of other differences: actually our protocol has one-sided statistical security, so we get, you know, we get computational security against a malicious sender, statistical security against a malicious receiver, whereas GLSV is both sides computational. Although as one of their building blocks, they show how to obtain a statistically binding extractable commitment. And this is not something that we use or that we construct as a building block. So, yeah, I just wanted to say there's this concurrent work with the same main result and a few differences along the way. So, and yeah, that's it, so thank you.
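
The four-commitment equivocality compiler described in the talk, as an added example that is not part of the talk or the paper. It assumes a salted SHA-256 hash commitment as a stand-in for the base scheme, runs a single repetition, and hands the equivocator the challenge bit directly instead of obtaining it by rewinding; all function names are illustrative.

```python
import hashlib
import secrets

def commit(bit):
    """Stand-in base commitment (assumption): SHA-256 of a random key and the bit."""
    key = secrets.token_bytes(32)
    return hashlib.sha256(key + bytes([bit])).digest(), (key, bit)

def verify(com, opening):
    key, bit = opening
    return hashlib.sha256(key + bytes([bit])).digest() == com

def build(row_bits):
    """Commit to a 2x2 grid of bits; return (commitments, openings)."""
    pairs = [[commit(x) for x in row] for row in row_bits]
    return [[p[0] for p in r] for r in pairs], [[p[1] for p in r] for r in pairs]

def honest_committer(b, c):
    """Honest run: row i holds u_i twice; c is only used for the mask b XOR u_{1-c}."""
    u = [secrets.randbelow(2), secrets.randbelow(2)]
    coms, opens = build([[u[0]] * 2, [u[1]] * 2])
    return coms, opens, b ^ u[1 - c]

def equivocator(c):
    """Simulator that already knows challenge c (in the talk: by rewinding).
    Row c is honest; the other row hides 0 and 1, and the mask is random."""
    u = secrets.randbelow(2)
    rows = [[u, u], [u, u]]
    rows[1 - c] = [0, 1]
    coms, opens = build(rows)
    return coms, opens, secrets.randbelow(2)

def receiver_check(coms, opens_c, c):
    """Challenge phase: both commitments in row c open, and to the same bit."""
    ok = all(verify(coms[c][j], opens_c[j]) for j in range(2))
    return ok and opens_c[0][1] == opens_c[1][1]

def receiver_open(coms, c, masked, j, opening):
    """Open phase: one opening from row 1-c reveals u, which unmasks the bit."""
    if not verify(coms[1 - c][j], opening):
        return None
    return masked ^ opening[1]

def run_honest(b, c):
    coms, opens, masked = honest_committer(b, c)
    assert receiver_check(coms, opens[c], c)
    return receiver_open(coms, c, masked, 0, opens[1 - c][0])

def run_equivocal(c, target):
    coms, opens, masked = equivocator(c)
    if not receiver_check(coms, opens[c], c):
        return None
    j = masked ^ target  # position j of the cheating row holds bit j
    return receiver_open(coms, c, masked, j, opens[1 - c][j])

def wrong_challenge_caught(c):
    """If the receiver asks for the other row, the mismatch is detected."""
    coms, opens, _ = equivocator(c)
    return not receiver_check(coms, opens[1 - c], 1 - c)
```

A single repetition lets a cheating committer escape the check with probability one half, which is why the talk says the challenge phase is repeated multiple times to get binding.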