Hi everyone, thank you for joining this presentation. This presentation is on secure computation from one-way noisy communication. Our main construction suggests a rather interesting way of realizing anti-correlation between a pair of events using the anti-concentration inherent to the binomial distribution. This is a joint work with Shweta Agrawal, Yuval Ishai, Eyal Kushilevitz, Manoj Prabhakaran, Vinod Prabhakaran, and Alon Rosen. My name is Varun Narayanan. First, let me quickly describe a channel. A channel is a mathematical model of a noisy, memoryless communication link. It has a finite set of input and output symbols, and a single use of the channel can be described as follows. When the input is x, the channel outputs a symbol y with probability p of y given x. The binary erasure channel and the binary symmetric channel are two channels that are studied extensively in cryptography and information theory. A binary erasure channel, or BEC for short, takes a single bit as input and erases it with probability, say, p, and otherwise lets it pass unchanged. A binary symmetric channel, or BSC for short, takes a bit and flips it with some probability, say p, and lets it pass unchanged otherwise. These channels approximate several natural processes, and they are the main channels of interest in our study. We studied the secure computing capabilities of these channels when communication is only in one direction. It is known that when Alice and Bob are talking over a noiseless communication link, with the exception of a small class of functions, secure computation of most functions is impossible against computationally unbounded semi-honest adversaries. However, when they additionally use a noisy channel as a resource, they can indeed compute any function with statistical security against even a computationally unbounded malicious adversary. This is to say that any channel with a non-trivial noise profile is complete for secure computation.
In this work, we look at a constrained version of this model, where there is no interaction. That is, the communication is restricted to be one-directional along the provided noisy channel. This model is called one-way secure computation, or OWSC for short, and it was introduced by Garg et al. in their 2015 paper. Due to the one-directionality, we can only expect to compute sender-receiver functionalities, which are functionalities that take an input A from the sender and provide an output F of A to the receiver. Further, in the semi-honest setting, this problem is interesting only if F is randomized, because otherwise, that is, if F is deterministic, it is secure for the sender to simply compute F of A and send it over to the receiver. Going forward, our focus will be mostly on OWSC in the semi-honest setting. A randomized sender-receiver functionality can itself be thought of as a channel, and then OWSC can be thought of as a way of securely implementing a desired channel using the channel at hand. Because of its simple structure, the protocol for one-way secure computation is simple. The sender encodes the input, say A, using an encoder Enc, and sends it to the receiver, possibly making multiple uses of the channel. The receiver decodes the output of the channel using a decoder Dec to compute the potential output. Correctness of the protocol requires that the receiver's output is distributed according to the distribution F of A. Security against the receiver requires that the receiver only learns F of A. This specifically means that the sender cannot simply send her input A to the receiver using an error-correcting code, for example. Security against the sender requires that the sender only learns that the receiver's output is distributed according to F of A. Hence, specifically, the sender cannot simply sample F of A by herself and send it to the receiver using an error-correcting code.
Formally, in the semi-honest setting, we need the joint distribution of the sender's encoding and the receiver's output to be epsilon-close to the joint distribution of the sender's encoding and the output of the functionality in total variation distance. This is the condition for the correctness of the protocol and for the security against a semi-honest sender with epsilon error. Security against the receiver requires that the channel's output can be simulated using only the receiver's output, that is, F of A. In the malicious setting, the condition for security against the receiver remains the same, as they are inert in the protocol. However, security against the malicious sender requires that the receiver's output is consistent with a valid input to the functionality, even if the sender is sending an illegitimate encoding over the channel. From now on, by default, we will be discussing security against semi-honest adversaries. Intuitively, in this model, the secure computation is necessarily carried out by the channel. The encoding and decoding are done to facilitate such a secure computation by the channel. This makes the model interesting from a theoretical point of view, as it investigates the secure computing capabilities of a noisy channel. Many cryptographic tasks can be modeled as sender-receiver functionalities. The OWSC model is non-interactive and does not use any setup. As a result, the parties are not even required to be present at the same time to carry out an OWSC protocol. These observations make the model appealing from a practical point of view. Notable applications of OWSC include generating random puzzles without giving any party an unfair advantage in solving them, and realizing randomized blind signatures, which have applications in e-cash and non-interactive PKI generation. Zero-knowledge proofs in the OWSC model are truly non-interactive and do not require a trusted common randomness setup.
This is another application of the OWSC model. Let us briefly look at what is known about OWSC. The previous works address the question of existence of channels that are complete in the OWSC model. A channel is said to be complete if it can be used to compute any functionality in the OWSC model. Garg et al. in the 2015 paper showed that the infinite family of string random oblivious transfer channels, or string ROT for short, is complete for OWSC with negligible error against malicious computationally unbounded adversaries. Here, by negligible error, we mean that the security and correctness error is a negligible function of the number of uses of the channel. The random oblivious transfer functionality, or ROT, is the sender-receiver version of the oblivious transfer functionality. A string ROT channel takes a pair of strings as input and erases exactly one of the strings uniformly at random. A later work showed that no finite channel is complete for OWSC with negligible error. This is true even against computationally bounded semi-honest adversaries. However, a finite channel, specifically the bit ROT channel, is complete against malicious, computationally unbounded adversaries if we are ready to settle for an inverse polynomial error. An important question that was left open by the previous works is the question of whether natural channels like BSC and BEC are OWSC complete. In our work, we address this question and answer it in the positive. Our main theorem states that BSC and BEC are complete with inverse polynomial error against a computationally unbounded semi-honest sender and a query-bounded, but otherwise computationally unbounded, receiver using an ideal obfuscation. We will describe OWSC using ideal obfuscation in detail in the coming slide. In short, the sender additionally communicates a black-box implementation of a function to the receiver in this setting, and the receiver can now query this obfuscation with inputs.
To put our result in context, previous results imply that we cannot demand completeness with negligible error against computationally bounded semi-honest adversaries. Furthermore, against computationally unbounded semi-honest adversaries, specifically in the case of BSC and BEC, it is known that certain functionalities cannot be computed with arbitrarily small error even by making arbitrarily many uses of the channel. Note that this impossibility only applies to perfectly correct protocols with abort, that is, the kind of protocols in which the receiver is always aware when it is making an error. Please note that the protocol that we come up with actually satisfies this condition. The OWSC of a given function F using BSC or BEC is realized in three steps in our construction. First, we realize a string erasure channel, or SEC for short, using BSC and BEC channels. As the name suggests, a string erasure channel, or SEC, takes a string as input and erases it with probability half. Next, we use the SEC to realize a string ROT channel of appropriate input size. Finally, since string ROT is complete, as we already saw, we use it to realize F. The challenging part is the second step. The first step can be realized along the same lines as the second step, and the third step is already known. We focus now on the second step, that of realizing string ROT using SEC. As we observed, it is impossible to realize string ROT over SEC with small security error using perfectly correct protocols with abort. At the core of this impossibility is the difficulty in realizing the anti-correlation that is inherent to the ROT channel using the erasure channel at hand. When the ROT channel reveals the first string, it erases the second string, and vice versa. This kind of anti-correlation is not inherent in SEC. Let us now briefly look at the proof of this impossibility to see where the difficulty lies in making a construction. Consider an OWSC protocol for ROT over SEC.
For any typical encoding of input A0, A1 to the ROT, to ensure security against the sender, we need that half of the erasure patterns should decode A0 at the receiver; let's call this set of erasure patterns S sub zero. And half of the erasure patterns should decode A1 at the receiver; let's call this set S1. Since the protocol is perfectly secured with abort, we require S0 and S1 to be monotone sets. But then classic results show that S1 intersection S0 is of a substantial volume, that is, of volume about one by four. Hence the receiver can decode both the messages with substantial probability. This makes the scheme insecure against a semi-honest corrupt receiver. Note that this does not give rise to a constructive strategy for the receiver to obtain both messages. What would a constructive attack by the receiver look like? In an OWSC protocol, the sender encodes the input A0, A1 and sends it over the SEC. The receiver takes the erased version output by the SEC and runs the decoder on it. Suppose it decodes A0. The receiver can now try to decode A1 by calling the decoder after guessing some of the erased symbols or after further deleting some of the received symbols. We essentially build an OWSC scheme that is robust to such an attack from the receiver and simultaneously is secure against the sender. We do this by creating a kind of computational anti-correlation by exploiting the anti-concentration of the binomial distribution. Let me describe the model of OWSC using ideal obfuscation. Here, in addition to sending the encoding of the input over the channel, the sender also sends an ideal obfuscation of a function F of its choice. By ideal obfuscation, we mean that the receiver only has oracle access to this function F. This can be realized in the real world by having the sender ship stateless tamper-proof hardware implementing the function F. Now the decoding function Dec has oracle access to this function F.
Observe that using ideal obfuscation does not make the problem trivial. The first scheme that might suggest itself is to not send any encoding at all and send an F which, when queried with zero, outputs A0 and, when queried with one, outputs A1. This, of course, is insecure, as the receiver can obviously make both these queries to obtain A0 and A1, thus breaking the security. Let me now give an outline of our OWSC protocol for ROT over SEC. On input A0, A1, the sender sends N randomly chosen symbols X1 to XN over the SEC. It then constructs a function F sub S, X, parameterized by X and S, where S is a randomly chosen secret test set of size square root N. It then sends the ideal obfuscation of this function F sub S, X. So let's first try an F sub S, X that works as follows. When called with an input Y, F sub S, X first checks if Y is consistent with X, that is, whether all the unerased positions in Y coincide with X. If not, it aborts. Otherwise, it checks if a majority of the indices in the secret set S are erased. If that is the case, it reveals A sub zero, and otherwise it reveals A sub one. Suppose a majority of the indices in S are erased in the received stream. In this case, the receiver can decode A sub zero. The only way for it to obtain A sub one in this case is to unerase sufficiently many erased indices in S so that there is a majority of unerased symbols in S, and then use such a string to query F sub S, X to get the other input A sub one. But it is impossible for a query-bounded receiver to correctly guess a uniformly random string of large length. This makes it impossible for the receiver to obtain the other input in this case. However, when the receiver receives a string in which a majority of the positions in S are unerased, it can decode A one, but it can also try to decode A zero as follows. All it needs to do is get a majority of the indices in S erased. But this is easy to do.
Although the receiver does not know the location of the secret set S, it can erase a large number of indices arbitrarily, hoping to get a majority of the indices in S erased. And this is a valid attack. To protect against this attack, we add an extra condition to F sub S, X to obtain our final scheme. The function now aborts also when the number of erasures is more than N by two plus N to the two by three. Why does this work? First of all, this does not affect the correctness of the scheme, because the SEC does not cause more than N by two plus N to the two by three erasures, except with negligible probability. This follows from a simple Chernoff bound. This tweak protects against the forgetting attack mounted by the receiver that we just talked about. The crucial observation is that, by an anti-concentration bound on the binomial distribution, when a majority of indices in S are unerased, with all but an inverse polynomial probability it is a substantially large majority, say, of the order N to the one by eight. But a receiver who is unaware of the whereabouts of the secret set S will not be able to erase a majority of the positions in S with this new constraint in place. That is, with all but negligible probability, under the budget constraint of N by two plus N to the two by three erasures, the receiver will fail to erase the surplus N to the one by eight symbols in S. Hence this attack fails, making the scheme secure with inverse polynomial security error. SEC can be realized over BSC or BEC using a similar construction, as we mentioned in the beginning. And the functionality F can be realized using the string ROT that we just now realized. This concludes the proof of our theorem. As we observed before, a direct way to implement ideal obfuscation is by shipping stateless tamper-proof hardware to the receiver. To get a plain-model instantiation, a natural approach is to use indistinguishability obfuscation instead of the ideal obfuscation.
Since IO is the best possible obfuscation, as shown by the work of Goldwasser and Rothblum, if some instantiation of ideal obfuscation in our protocol is secure, then so is IO. We, however, are not able to show that our protocol remains secure when ideal obfuscation is replaced with indistinguishability obfuscation. This leads us to the following highly plausible conjecture: replacing ideal obfuscation with any IO scheme in our protocol results in an OWSC protocol over BSC or BEC in the plain model, with inverse polynomial error against computationally bounded semi-honest adversaries. It turns out that in the plain model, assuming the conjecture, we can actually obtain security against malicious adversaries also. However, using ideal obfuscation, we could only claim security against semi-honest adversaries. To ensure malicious security, we only need to additionally secure the protocol against a malicious sender who attempts to influence the output distribution of the receiver. This is because the receiver, being inert, has no additional power in the malicious setting. To ensure security against the sender, it is sufficient to ensure that the function that is being obfuscated is a legitimate function. This can be ensured by making the sender provide a non-interactive zero-knowledge proof of this fact. Known results show that NIZK can be realized using the provided channel, that is, BSC or BEC. Hence, we can realize malicious security in the plain model assuming the conjecture. Thus, in the plain model, the natural channels like BSC and BEC are complete with inverse polynomial error against semi-honest and malicious computationally bounded adversaries. In conclusion, we showed that ROT can be realized over BSC and BEC using ideal obfuscation with inverse polynomial security, which further implies that BSC and BEC are complete in the OWSC model with inverse polynomial security. We leave two important open problems.
The most pertinent one is that of instantiating ideal obfuscation in the plain model. The other one is in the ideal model where we would like to extend our result to malicious adversaries too. That's the end of this presentation. Thank you for listening.
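As an added illustration, not code from the talk or from its authors, here is a toy Python model of the obfuscated gadget F sub S, X described in the protocol outline. The model makes a few assumptions the talk does not fix: each symbol X_i is a random 64-bit string, the SEC erases each symbol independently with probability one half, an erased symbol is represented by None, and the erasure budget is n/2 plus the floor of n^(2/3) as stated in the talk. The gadget performs the three checks in the order the talk gives them (consistency with X, erasure budget, majority on the secret set S), and the block also implements the honest receiver's decoding plus the two receiver strategies the talk discusses, guessing erased symbols and the "forgetting" attack of erasing extra positions, so one can see which check stops each. The talk's bounds are asymptotic, so at toy sizes expect the forgetting attack to succeed at a noticeable rate that shrinks only slowly as n grows; the exact tail computation shows that the budget check almost never rejects an honest channel output.

```python
"""Toy model of the obfuscated gadget F_{S,X} from the talk (added example,
not the authors' code).

Assumptions not fixed by the talk: each X_i is a random 64-bit string, the
string erasure channel (SEC) erases each symbol independently with
probability 1/2, an erased symbol is represented by None, and the erasure
budget is n/2 + floor(n^(2/3)) as stated in the talk.
"""
import math
import random

A0, A1 = "A0", "A1"  # the sender's two ROT inputs (constructed labels)


def erasure_budget(n):
    """Maximum number of erasures F_{S,X} tolerates: n/2 + n^(2/3)."""
    return n // 2 + int(n ** (2 / 3))


def sender_setup(n, rng):
    """Sender's secrets: n random 64-bit symbols X and a test set S of size sqrt(n)."""
    x = [rng.getrandbits(64) for _ in range(n)]
    s = frozenset(rng.sample(range(n), math.isqrt(n)))
    return x, s


def string_erasure_channel(x, rng):
    """SEC: every symbol is erased (None) independently with probability 1/2."""
    return [None if rng.random() < 0.5 else xi for xi in x]


def make_f_sx(x, s, a0, a1):
    """Build the obfuscated function F_{S,X}; a return value of None models an abort."""
    n = len(x)
    budget = erasure_budget(n)

    def f_sx(y):
        if len(y) != n:
            return None
        # 1. consistency: every unerased position of the query must agree with X
        for yi, xi in zip(y, x):
            if yi is not None and yi != xi:
                return None
        # 2. budget: reject queries carrying more erasures than the SEC would cause
        erased = sum(1 for yi in y if yi is None)
        if erased > budget:
            return None
        # 3. majority test on the secret set S decides which input is revealed
        erased_in_s = sum(1 for i in s if y[i] is None)
        return a0 if 2 * erased_in_s > len(s) else a1

    return f_sx


def forgetting_attack(y, budget, rng=None):
    """Receiver erases further random positions until the whole budget is used."""
    rng = rng or random.Random(0)
    y = list(y)
    unerased = [i for i, yi in enumerate(y) if yi is not None]
    extra = budget - (len(y) - len(unerased))
    for i in rng.sample(unerased, max(0, min(extra, len(unerased)))):
        y[i] = None
    return y


def guessing_attack(y, rng=None):
    """Receiver fills every erased symbol with a guess; consistency fails w.h.p."""
    rng = rng or random.Random(0)
    return [rng.getrandbits(64) if yi is None else yi for yi in y]


def budget_overflow_probability(n):
    """Exact P[Bin(n, 1/2) > budget]: chance an honest channel output is rejected."""
    b = erasure_budget(n)
    return sum(math.comb(n, k) for k in range(b + 1, n + 1)) / 2 ** n


def simulate(n, trials, seed=0):
    """Run honest decoding and both receiver attacks; return outcome counts."""
    rng = random.Random(seed)
    counts = {"honest_a0": 0, "honest_a1": 0, "honest_abort": 0,
              "forget_success": 0, "guess_success": 0}
    budget = erasure_budget(n)
    for _ in range(trials):
        x, s = sender_setup(n, rng)
        f = make_f_sx(x, s, A0, A1)
        y = string_erasure_channel(x, rng)
        out = f(y)
        if out is None:
            counts["honest_abort"] += 1
            continue
        counts["honest_" + out.lower()] += 1
        other = A1 if out == A0 else A0  # the input the receiver must not learn
        if f(forgetting_attack(y, budget, rng)) == other:
            counts["forget_success"] += 1
        if f(guessing_attack(y, rng)) == other:
            counts["guess_success"] += 1
    return counts


if __name__ == "__main__":
    for n in (256, 1024, 4096):
        print(n, erasure_budget(n), f"{budget_overflow_probability(n):.1e}",
              simulate(n, trials=200))
```

Running the block prints, for each n, the budget, the exact probability that the honest channel output exceeds it, and the outcome counts over 200 trials; the guessing attack never succeeds because a single wrong guess trips the consistency check, while the forgetting attack succeeds exactly in the trials where the surplus of unerased positions in S is small enough for the budget to cover.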