 Hello, everyone. I'm Julian. And today I'm going to discuss my recent work, how to build a trapdoor function from an encryption scheme. And this is a joint work with Sanjim Garg, Muhammad Ajiabadi and Rafael Stroski. Before telling, telling what this work is about, I would like to revisit some concept, some basic concept in cryptography, and this will allow me to establish some notation for later. So on the left, we have the standard notion of public encryption, which consists of three algorithms, a key generation and encryption and a decryption algorithm. And they are defined naturally, namely that the key generation outputs a key pairs, the secret of public key. And together with the public key, the encryption algorithm allows anyone to encrypt a message M. And with the usage of some random coins are and the result in cyber text can be decrypted using the secret key by the decryption algorithm. On the other hand, the trapdoor function is a very related notion, but there's slightly different interfaces, and I'm going to go through them and I like the difference in a second. So the first algorithm is analogous to the key generation algorithm outputs an index key that shall be thought of as the public key of the scheme and a trapdoor TD that should be taught as the secret key of the scheme. And the index key allows everybody to evaluate the function F in the forward direction, namely given an input fx, we can compute f of x efficiently. The important property of the trapdoor function is that it's efficiently invertible awesome. Namely, we can evaluate F in the inverse direction. But for this we need the knowledge of the trapdoor. And besides having different name names for the variables. The exceptions have also slightly different syntax, namely, that in terms of correctness, the public encryption does not require the decryption algorithm to recover the random mess used during the encryption procedure. Whereas on the other hand, the inversion of the function of the trapdoor function requires one to recover the entire input x. So this is an important difference. And it's the central focus of this work. And of course, it's pretty easy to see that trapdoor functions generically imply public encryption, but the other direction of the implication is not known. And the focus of this work is to make progress on this question. So if I'm telling you what the exact results of this work are, let me tell you exactly what kind of security we want from from a trapdoor function. And the canonical security notion is that of one way. And my witness intuitively says that the function should be our twin bird. But of course, we need to define a distribution over the inputs. The easiest distribution is just when the input tax is uniformly sampled over the domain of the function. And we call this notion, just simply one way, one witness. But we can ask for something more, namely, we can require x to be from an arbitrary distribution, as long as it has enough enough enough mean entropy. And we call this requirement that deterministic security. And this is of course a strict generalization of the uniform case. And for those of you who are familiar with the concept. This is also called deterministic encryption in the literature, depending on your talking. So, here are our results. So our main result is a compiler that starts from a primitive which we call robust in team PRG which is something we define in this work. And we also provide a construction from either the learning with our assumption or the computational detail on assumption. And takes takes this building block together with a public encryption scheme and obtains the corresponding trapdoor function. Depending on the exact public key that we probably key encryption that we plug into our compiler, we obtain a slightly different flavor of the after function as an example. If you if you plug in an identity based encryption we obtain something which is called identity based trapdoor function. On the other hand, if we plug in an attribute based encryption. We obtain something which is called an attribute based trapdoor function, and the same holds for for predicate encryption. And all of this, all of this trapdoor functions they satisfy the strong notion of deterministic security. And the one caveat of this transformation is that the input public key encryption needs to have pseudorandom ciphertext over some over some group, which is doesn't have to be an obedient group. It needs to be, it needs to be well defined group operation. But natural schemes always satisfy this, this requirement. And so, right, so what does our, what does our work advance in the grand scheme of team of things. In the F, it doesn't really imply any, any results from any new assumption that we didn't know before besides giving a modular, more modular way to construct trapdoor functions. But already in terms of identity based trapdoor functions. We show the first construction from the competition or the family assumption and pairing three groups. And in terms of our work, we only knew how to construct identity based trapdoor functions from pairings or learning with ours. And in terms of attribute based on trapdoor function and predicate trapdoor functions, we are not aware of any other world to obtain a construction under any computational assumption, whereas by plugging in the appropriate. We obtain constructions from by inner pairings for NC one predicates and from LWB for all for all polynomial size circuits. So this is our main result. And as a bonus, as a bonus result, we introduce a notion which is called trapdoor garbling. And the syntax of trapdoor garbling is exactly the same as any other garbled circuit scheme. And so given a common randomness are there's a garbling garbling scheme consists of a garbling procedure that takes as input a circuit and outputs garbled version of the circuit city. And there's an alternative encoding procedure that allows one to encode prepare an input X, and using the same, the same pool of random coins. And normally, the standard syntax of garbled circuits allows one to recover covex, whereas we have slightly orthogonal requirements, namely we have a decoding algorithm that takes input both the garbled circuit and the garbled input. If the circuit evaluates one, then the decoding output just the output of the circuit, red, whereas if the circuit evaluates to zero then the decoding also outputs the entire set of randomness so in a sense we make garbled circuits and the randomness recoverable. We use this as an intermediate notion to achieve stronger security guarantees for our trapdoor functions but we believe that this is a notion of independent interest, and actually constructing it turns out to be quite non trivial. And we propose two constructions. One from the DBH assumption and one from the LW assumptions, and those use the randomness key circularity properties of the BHHO encryption scheme. And if you're curious I encourage you to use the paper there to see the paper. I believe that this primitive will find some interesting applications. Okay, so now throughout the rest of the talk, I'm just going to ignore this part. And again I encourage you to look at the paper if you're curious. We're going to focus on our main compiler. And before getting into our construction I have to define what are in team PRG is in particular what are robust in team PRG is. So, hidden PRG PRG stands for pseudo random generator by the way. In team PRG start with the sampling of a uniform seed, and the robust, the robust requirement comes from the fact that we don't limit this distribution, the distribution of the seed to be uniform but again, we consider arbitrary distribution, so long as they have enough probability mass. And well the idea is that this this Indian PRG will take this seed, which for simplicity now we consider it to be a binary string from 01 to the power of lambda, and produce lambda many L bit blocks so while setting L to be greater than L can be can be thought of as the as of the stretch of the PRG so by setting it greater than one will obtain expanding PRG. And it is useful to visualize the transformation of a hint in PRG in blocks, which will keep for for the rest of the talk. And now the important part of in team PRG is their security definition and their security definition is as follows, we wanted to to distribution visualize here are computationally distinguishable. On the right hand side, we have a distribution of lambda many L bit blocks, which are completely uniform so they're just uniformly sampled and arranged in this to buy and matrix. On the left side on the other hand. We have to buy and matrix where the for each column the row corresponding to the bit of the seed is set to be the I block of the hint in PRG, whereas the other row is set to be a uniformly sample block. And again the requirement is that these two distributions are computationally distinguishable. I think it's useful to to remark that such security does not follow immediately by a hybrid argument of a PRG. And the reason is that the position of the blocks on the left distribution depends on the big representation of the seed so there is a circularity in the argument that one cannot just wash away with a hybrid argument. So you need more structured assumptions in order to construct those. And we show in the paper how to construct these from from the computation of the problem or from the LW assumption, though our construction are heavily based on prior works and essentially account only for changing the parameter and a slightly different analysis. Okay, so with that out of the way I'm ready to present our main construction, which is a way to compile a public encryption into hint in PRG. And we call this in the paper, a universal TDIR, and it works as long as the public encryption has pseudo random ciphertext. And for the sake of this talk I'm just going to assume that they are just uniformly or computationally distinguishable from uniformly sample binary strings. And again for simplicity I'm going to only treat the case of public encryption, whereas the case of identity based encryption and attribute based encryption will follow. Essentially immediately. Of course in the paper we present this in the most general form as possible. So these are the ingredients. So all it's left to do is now to describe our trapdoor function. The next key consists of the public key of the public encryption scheme, the public parameters of the Indian PRG and Lambda many uniformly sample string from the domains your one gamma, where again gamma is the domain of the ciphertext. The trapdoor, naturally, of the of our of our trapdoor function is said to be the secret key of the encryption scheme. Now let us see how to evaluate the function. So the function is going to be evaluated bit by bit on input. We're going to set string x for all indices I in one to lambda, we're going to set why I to be an encryption of zero. So there's actually nothing special about zero this can be actually any distinguished strings so long as it's going to be publicly recognizable, we just set it to zero for convenience. So one coins of this encryption scheme is going to be the ith block of the Indian PRG evaluated on x. So this is what this notation means. So here there's an index I here. So this is going to be what why I set if the ith bit of x is equal to zero. Because if the ith bit of x is equal to one, we're going to set it to be the same thing, except that we are going to explore the resulting ciphertext with our eye, which is the ith block of the public parameters. And recall that the ciphertexts are in are always lambda bit string sorry always gonna be string so this operation is always well defined. Good. So now, why I up to my land is just going to be the output of our trapdoor function. And so let's see even the trapdoor we can invert it. So we can recover essentially the input bit by bit. Again, for indices I from one to lambda, we can just set Xi to be equal zero. If the description of why I is equal to zero. And one otherwise, and correctness is actually pretty easy to argue, though one has to be a little bit careful about the union bound that doesn't kill the efficiency of the scheme. As I said, this is pretty much our compiler. And it is so simple that I can even give you a proof sketch why that should be should should satisfy one wayness. And after that is going to be the conclusion of my talk so bear with me for a few more minutes. And as usual, the proof will be by hybrid hybrid argument, where we're going to modify the distribution of the challenge image. And then we're going to argue about the indistinguishability of neighboring distributions. The hybrid is just the original distribution the challenge images sample uniformly from the from the distribution as defined by the trapdoor function. In each one we're going to program the index key after seeing the challenge image. So namely, the blocks are I to be as follows so for each for each index I from one to London. If Xi, which is going to be the challenge pre image, if Xi is equal to zero we're going to set our eye to be why I which is again an encryption of zero using the random coins as the random coins the I block of the Indian PRG. So this piece here, absorb with some uniformly sample string as I again as I is sampled from the from the property domain. Whereas if Xi is going to be equal to one, we're going to sample why I uniformly and our eye as the XOR of this uniform string with an encryption of zero using the appropriate block of the Indian PRG. And actually, if you squint very, very, very carefully, you will notice that we didn't really do anything. We've just been moving variables around so this these two distributions are actually identical. So, so far nothing has happened. So in the next step. Instead of computing as I uniformly, we're going to compute it as an encryption of zero, although note that I'm not specifying the random coins here. So this means that Xi is going to be sampled using uniformly sample randomness. And now we can argue that since the encryption scheme is to the random ciphertext and encryptions of zero computation in this indistinguishable to to random string that's the definition of pseudo random ciphertext so computation and distinguishability of these two hybrids follow. Now in the next hybrid. We're going to compute all ciphertext as encryption of zero using truly random coins and the security here does not follow immediately from the fact that the coins are super random but one really means the security of the Indian PRG. And the reason is that the position of the ciphertext does leak something about the seed, but it turns out that that leakage is precisely the leakage which is allowed by the Indian PRG. So, again computation and distinguishability follows follows by a simple invocation of that property. And finally, as the last step, we can change all ciphertexts of the challenge image as encryptions of one. And at this point, since all ciphertexts were previously computed with truly truly uniform coins. We can appeal to the CPA security of the encryption scheme. And finally the proof is concluded by observing that at this point the challenge image is no pre image and therefore it cannot be inverted. And with this, I would like to thank you for your attention and conclude my talk.