 Thank you very much for the introduction. My name is Jiaxin Guan, and today I'll be talking about our work, Simple Schemes in a Boundless Storage Model. This is joint work with Mark Gendry. Both of us are from Princeton University. So I'm going to start off the talk with a quote from Joe Kiden in year 1988. Cryptographers seldom sleep well, and their careers are frequently based on very precise, complexly theoretic assumptions, which could be shattered the next morning. I don't know if it's true for you guys, but sometimes I do have trouble falling asleep, or maybe not of this reason. But anyhow, it is true that traditionally when we build cryptoprimitives, we're basing the security of the cryptoprimitives on some complexity assumptions. For example, maybe factoring is hard, or maybe discrete lock is hard, or maybe the hardness of LWE. However, for some reason, if maybe, for example, with the existence of a quantum computer, we're able to actually break discrete lock, then consequently, the security of our cryptoprimitives will be broken as well. And therefore, the question is, is there any way that we can actually have some good sleep without using any maybe sleeping aids or visiting a psychiatrist? Or in other words, can we build cryptoprimitives without any complexity assumptions? Well, of course, here's the naive solution of the OTP, but is there anything more sophisticated that we can build? It turns out that the answer is yes. So in 1992, Yuli Mora gave out the concept of a bounded storage model under which such security proofs are actually possible. So what is the bounded storage model? So traditionally, in cryptography, when we talk about an adversary, we need to somehow bound the adversary's computational resources. And there are mainly two directions, namely, the two dimensions are a time and space. So traditionally, the adversary is bounded by time. The adversary has only a certain amount of time that he can use to execute his algorithm. So usually, we talk about efficient algorithm that needs to be finished in polyn. However, in a bounded storage model, the adversary can have as much time as he want. He can run the code forever. However, there is a bound on the amount of memory used by the adversary. And in this specific model, it is bounded by a fixed polynomial, p of n. So in this talk, you can think about p of n being on the scale of n squared. So what is the intuition behind the bounded storage model? The idea is that the two honest parties, they exchange so much information that for an adversary here, with a bounded storage, you cannot possibly write down all of the information being transmitted. So it turns out that in this model, it's actually possible for us to give unconditional proofs without any complexity assumptions. In addition to that, the bounded storage model also guarantees everlasting security. What does that mean? So for example, Alice is sending some encrypted message to Bob today using RSA encryption with the secure parameters. And unfortunately, there is an eavesdropper eave who intercepts the message. Well, because it's using secure setup of the RSA parameters, eave, of course, could not see what's the actual message. However, eave could just make a copy of the message. And then eave waits and waits and waits until 50 years later, he actually get access to a quantum computer. And he used that quantum computer to actually factor the RSA modulus. And then he will be able to decrypt the message and somehow figure out that it was actually some funny cat picture from 50 years ago. So however, for the bounded storage model, there is no such concern. Because at the time that the conversation happened, the adversary has not enough space to possibly write down the entire transcript of the conversation. So in the bounded storage model, we can actually achieve everlasting security. So with all that said, you might be wondering what might be one possible construction of a protocol in the bounded storage model? So actually, most of the previous work in the bounded storage model is based on the birthday paradox. And we will look at an example of a key agreement protocol, which is proposed by Yudi Mora in the original paper, which is based on the birthday paradox. So there's Alice and Bob. They want to achieve a key agreement protocol. In other words, they want to output a key, a shared key. And in the bounded storage model, in the original model, we assume that there is a public source that is broadcasting random strain. And you can think about it as there is a long random strain and there is some guy sitting in front of a radio station reading out the bits one by one. And Alice and Bob and all the other parties in the game are just sitting in front of the radio and listening to the broadcast. And you can write down what bits you want to write down. But once the broadcast is over, you cannot listen to it again in addition to what you've written down. So here we have random strain, which is n squared bits long, where n is the security parameter. So here I give an example of where n equals to 4. We have a 16-bit length strain. So what Alice is going to do, she's going to pick n random indices out of these 16 positions. In this case, you pick four indices out of these 16 positions. And then you're going to write down the corresponding bits at those locations. In this case, Alice is going to write down the first bit, seventh bit, 12th, and 15th bit of the random strain. And Bob is going to do the same, except that Bob has his own secret set of these random indices. And then the broadcast is gone. You can only look at what's written down. You cannot consult the strain again. So to initiate the key of Riemann protocol, Alice will just simply send over her own secret set of the random indices over to Bob. And Bob is just going to compute the intersection between the two secret set of indices. And by the birthday paradox, with a constant probability, these two sets are going to have something in the intersection. And in this case, it's the index 7. And hence, Bob just sends back the index 7. And Alice and Bob will just output the seventh bit in the common random strain as their shared key. Notice that for an adversary, if the adversary wants to output the key with probability 1, the adversary has to write down all the n squared bit strains. If the adversary only has access to a small portion of these n squared bits, the information that the adversary has about the final shared key is very limited. We'll point out there are some issues with this game. First of all, it succeeds only with a constant probability. If there's nothing in the intersection of these two sets, well, I don't need to repeat, or we need to somehow increase the two parties' storage in order to increase the probability of having an intersection. Secondly, actually to store all of these indices, you require more than o n space. You require actually big o of n log n space, which sort of decreases the gap between the adversary and the honest parties. Well, this can be solved using pairwise independent functions, but this adds on to the complexity of the scheme built upon this. And lastly, notice that when the broadcast is going on, an adversary can always make a guess for the final index that's going to be chosen by Alice and Bob, and just record a bit at that location. Notice that the adversary can guess the index correctly with probably 1 over n squared, which is non-negligible. So in order to make it actually secure, another privacy amplification step is applied also adding on to the complexity of the scheme built upon this protocol. So as a result, previously in the Boundless Storage model, all of these constructions are based on the birthday paradox. We have a key agreement scheme, which has imperfect correctness. And the best known results for big commitment and OT protocols are based on a previous result by Yen Zong Ding et al. in 2006. And the result is that they have a five message protocol for OT, which leads to a five message big commitment scheme. In our work, however, we first show that there is a key agreement protocol which achieves perfect correctness as opposed to imperfect correctness before, as well as we demonstrate a big commitment scheme that is one message and an OT protocol that it only takes two messages. Notice that one message and two messages are round optimal for big commitment and OT, respectively. All of our constructions rely on something very different from the birthday paradox. In fact, we rely on the recent lower bound in priority learning proved by round rise in 2017. So what is that lower bound about? So that's going to take a few minutes and look at that. So now let's have an exercise, just so that you don't feel sleepy. So I have some string, say k. The string k has five bits. And each of the bits is represented by k1 all the way up to k5. In the next few slides, I'm going to show you a few equations. And at the end, you need to tell me what k is, OK? Cool. So here's our first equation. Second equation, third, fourth, fifth. OK, now tell me what k is. It's kind of hard, right? 0 is actually not a correct answer. But so however, it's actually really straightforward. If I just give all of these equations to you on the same screen, you can just use Gaussian elimination to figure out that k is actually 1, 1, 0, 0, 1. However, the idea is that when I'm streaming these equations to you, you don't have enough memory to write down all these equations so that there's very limited amount of information you know about the key k. So let's formalize this a little bit. So first of all, we expand out these equations by adding the missing terms with coefficients of 0. And then we figure out that we can actually write them as an inner product between a vector and a secret vector k. So we're going to represent these vectors, call them r's. And for the inner product values, we'll just call them a's. So now essentially what we have is just a whole bunch of equations in the form of ri inner product with k gives us ai mod 2. If we further rewrite it, we write it essentially for each equation. It can be represented by a pair of values, which is a vector r and a numerical value ai, which is just the inner product between ri and the k. So here, we're using the dot product to represent the inner product here. And everything is carried out mod 2 so that bear that in mind. So plus will actually be just xor. Now let's actually jump to the actual lower bound. So it's defined through a game. So here's the adversary. The adversary has a space, which is cn squared for some small constant c. Here, we actually require that c to be smaller than 1. Because if the c is actually greater than 1, you can actually just write everything down. So as a challenger, we have a secret key k value that is hidden from the adversary. So we're going to send over to the adversary a whole bunch of these equations that you've just seen. It's represented by these pair of ri and ai values. Actually, we're going to send over m pairs of these values. And at the end, the adversary needs to make a guess for a k. What RAS has proved is that as long as the number of queries we've sent is less than or equal to 2 to the alpha n, where alpha is a value dependent on the constant c. In other words, as long as we have less than exponential number of these pairs or these equations, the probability that the adversary is able to guess the key k correctly is exponentially small. That directly gives us an encryption scheme, which is also performed by RAS in his paper. So if Alice and Bob wants to encrypt the message, they already have a shared key k. And if Alice wants to encrypt a message m, all that Alice needs to do is to sample a random r and just mask the message with the inner product of r and k. And to decrypt is very straightforward. Bob reproduces the inner product and masks the original message, or masks the ciphertext with the inner product. Notice that here plus is actually XOR. So it's sort of like one-time path. You XOR it twice. You get back the original message. In fact, we can repeat this process many times. Alice can send as many of these messages as she wants, as long as it's less than exponential. So one thing to know about this scheme is that it's additively homomorphic. If we have two encryptions, r0, a0, and r1, a1, if we add them together, notice that the second term a0 plus a1 actually expands out to this, which actually turns out to be an encryption of m0 plus m1. And the security of this scheme directly follows from the lower bound that RAS has just proved. Essentially, we can construct an adversary that breaks the parity learning game from the adversary that breaks the CPS security of this scheme. So moving on to that, for today's talk, we'll be focusing on introducing our bit commitment scheme in our paper. And with this directly follows from the encryption scheme that we have just seen. So what's a bit commitment scheme? There are two parties, the committer and the verifier. The committer has a bit B. And they're going to sort of have some initial conversation between committer and verifier, which we refer to as a commit phase. And later on, at a later point of time, the committer is going to stand over a revealing of the bit B. Well, it usually consists of the bit B and some auxiliary data that allows the verifier to verify if it's a valid commitment. And then we call this reveal phase. And then verifier is going to output either accept or reject based on a commitment and the revealing that it has received. There are two desired security properties of a bit commitment scheme. So first of all, we're quite a hiding property. Essentially, we say that after the commitment phase, the verifier should have no idea of what the hidden bit B is. Well, this is sort of straightforward. For the binding property, it's slightly different. We need to have a security game to define this. So the committer is going to carry out the commitment phase just as usual with the verifier. And at the end of the commitment phase, instead of revealing a single bit B, the committer is asked to make two revelings. Essentially, the committer needs to reveal to both 0 and 1. And the verifier is going to verify these two revelings and output accept or reject. We say the committer wins the game if it's able to trick the verifier into accepting both openings of the commitment. Well, then we say the commitment scheme is binding if Alice, as the committer, cannot produce such two openings of the same commitment. So now, let's take a look at our actual construction. We call it take1 here, because here, bear in mind that in this construction, it's only secure against an honest but curious committer. In other words, the committer will abide to our protocol, but will try to get as many information as he wants. So Alice has a bit B. And to set up, Alice will just have a sample random secret key k. And in the very beginning, Alice is just going to send over a whole bunch of these equations that look like this. Now actually think about what are these? If you look at each row, essentially we have a random vector r and an inner product between this random vector and the key k. In parentheses, x wrote with 0. So in other words, each of these rows is an encryption of 0 using the key k, using the encryption scheme that we've just talked about. So now we have a whole bunch of encryptions of 0s. Now, once we have those encryptions of 0s, what Bob is going to do is take a random subset sum of these encryptions of 0s. So how is Bob going to do that? Essentially, you're going to have a random bit for each row, and if the bit is 1, you just add that row to your running subset sum. So in this case, if we let x to be the subset sum of the r's and y to be the subset sum of the a's, this is what x and y will look like. All right. And if we actually then look at all of these conversations together, all of these messages, we can actually, if we put the r's, the r-r vectors, into the rows of a single matrix, we can rewrite this whole thing in a matrix form. Essentially, we just send over two matrices, not two matrices, a matrix r and a column vector a, which is equal to r times k. Correspondingly, we're able to rewrite the subset sums in that j is now a row vector, and x is just equal to j times r, and y is equal to j times a. So j is a row vector you can think about as j. Essentially, j tells you which rows from the r matrices should you select and sum up. Once we have that, to finish up a commitment, to actually commit to bit b, Alice just needs to send over a encryption of the bit b using the same key, k. Later on, to reveal the commitment, Alice will simply reveal the bit b and the secret key, k, used for all the previous encryptions. And to verify, Bob will check two things. First of all, that indeed, the secret key, k prime provided by Alice indeed decrypts y to 0. That's what the first equation is essentially saying. And the second equation is just saying that using the secret key, k prime provided by the committer, actually you are able to decrypt the commitment back to the bit b prime. So now let's take a look at why the scheme is hiding. So essentially, for hiding, we're required that at the end of the commitment phase, the adversary has no idea of what the bit b is. This is actually trivial, because notice that all that Alice has sent is just a couple of encryptions of 0 followed by an encryption of b. Because the encryption scheme is secure, well, the value of b is hidden from the adversary. Because b is encrypted using k. So for the binding, it's slightly more complicated. But let's take a look. So here we're going to run the same commitment phase again. And at the end, the adversary needs to provide two openings, essentially 0 and 1. Open to both 0 and 1 with the two different keys, k0 prime and k1 prime. And Bob is going to check two things that both openings are valid. To check the first openings are valid, think about these two things. Checks that y is equal to x times k0 prime, and a prime is equal to r prime times k0 prime. I'm just rewriting the conditions that Bob needs to check. And Bob needs to check again that the opening for 1 is also valid, which looks like this. So now think about, because the adversary only wins when all of these four conditions are met, if we write the two of the first equations together and combine the two second equations together, we actually have these. First of all, from the second rows of these two boxes, we know that k0 prime is not equal to k1 prime. And from the first rows, we know that x times the difference between k0 prime and k1 prime is actually 0. Well, what is this? This is actually equivalent as saying that we have some linear equation x times k prime not equal to 0, and you need to find some non-trivial root for that linear equation. Now think about why this could be difficult for the committer to do. We set our security parameters for m to be equal to 2n. So in that way, r is a matrix of 2n times n, which is a tall matrix. Because it's tall with very high probability, r is for rank. And if r is for rank, we can see that x actually appears random if you don't know about j. And therefore, from the view of the committer, you need to submit some k prime that satisfies a random linear equation, which you can do no better than a random guess, which essentially you pass with probably a half. So in this way, the verifier is able to catch the committer with probably a half. If we want to further boost this probability, it's very straightforward. Instead of keeping one single subset sum, you can multiple of these subsets sums. And therefore, you will be able to catch a cheating committer with a higher probability. So however, all these things are based on the fact that the committer is actually honest but curious. If the committer is actually malicious, he can actually generate the matrix r not randomly. He can deliberately choose the matrix r to be of low rank. And therefore, x will just no longer appear random to him. And you can easily find a k prime such that the equation holds. So to counter that, we only need to make some very small modifications to our scheme. So now instead of having one single key, Alice is going to have two different keys of different lengths, a secret key k and a secret key s. And in the beginning, Alice is going to still stream over a whole bunch of encryptions, but this time no longer of encryptions is 0, but rather of the bits in s. And after the streaming is over, then Bob is going to still do the same thing. He's going to take a subset sum of these streamings of the encryptions. And at the end of the streaming, Alice is going to send over the key k used for to encrypt all of these encryptions before. And Bob is going to do some simple math on his end. Given k and the x and y that he has recorded before, he's going to calculate z equal to y minus x times k. Trust me, if you do the math, you will get that is equal to j times s. All right? And Bob no longer needs to memorize what x and y is. All that Bob needs to know is j and z. And to commit a message, it's still the same old trick. You encrypt bit b using the secret key, but this time no longer using k because, of course, you already sent over k. You encrypted using the secret key s, which you haven't sent to the verify yet. And to open the commitment, it's still the same old trick. We revealed a bit together with the secret key that's used to encrypt a bit. So now what Bob is going to check is that essentially that the secret key s, s prime sent by Alice, indeed decrypts z to an encryption of 0. And secondly, that indeed, s prime is the key used to encrypt a bit b prime. So notice this is kind of similar to the previous scheme, but notice that recall that in our take one, at the end of the commitment phase, what Bob has recorded is y and x, such that y is an encryption of 0 under the key k. And here, at the end of this commitment phase, what Bob has recorded is j and z, where z is an encryption of 0 under the secret key s. However, there's a crucial difference here is that notice that x, if the adversary is actually malicious, x will not be random to the view of the committer. However, here, consider the value j. j is entirely chosen by the verifier, and therefore, even if the committer is malicious, j will be completely random to the view of the committer. Therefore, in this case, we achieve binding property even against malicious committers. So lastly, to sum up, in our paper, we present three schemes, essentially a key-wim protocol, a big-commitment scheme, and OT protocol. We stress that our big-commitment scheme and OT protocol are both round optimal, and we want to stress that all of our constructions are really simple as we have just seen. They don't have much complicated operations in there. So this brings us to the future work. We suspect that, and we're really confident that it's actually possible for us to build more sophisticated crypto-primitives from this parity-learning lower bound. So we encourage you guys to look at our paper, read our constructions of these three schemes, and think about if it's possible to maybe build IO or NICS from this parity-learning lower bound. And that's our talk. Thank you. Yes, you're welcome. Yes. The adversary is still a computational imbounded. The only restriction that we pose is that the adversary has the space bound. A simulator? Yeah, so the previous constructions, usually you require that any adversary can be simulated where the resources of the simulator are polynomial in those of the adversary. And the previous constructions of OT in the bounded storage model only satisfy the weaker requirement that even if the adversary is efficient, the simulator still needs to be computationally imbounded. So my question is whether your scheme avoids this caveat. Yes. So for our commitment scheme and the key women protocol, it's secure even if the simulator has the same memory space as the adversary. So in other words, it's secure for a bounded simulator. Yeah, the running time is always imbounded, but rather we're talking about the space here. However, for the OT protocol, it's slightly trickier because we want to show that essentially it's for the OT protocol is essentially for the sender security. We want to show that the receiver only knows one of these two bits. And there we either need to assume that the simulator has access to the receiver's secret coins, or we need to assume that the simulator has the power to rewind the receiver to run it over and over again. Because that's the only way that we were able to find out what actual bit that is interesting that we can simulate it. Any more questions? Again. Just a quick technical question about the model, so when you assume the attacker's memory is bounded, how fine granular is it like you kind of assume? So how short should be the message? So you send a message, he has this memory, you send the message, he has this memory. How long are those messages? Can your messages be like, I'm just trying to see is it like does your protocol critically use the fact that after every kind of short message, he has to condense to n squared? Or can the messages be kind of long? Yeah, you can think about that. The whole message is sent over as a bit stream, and you can read each bit only once. And in terms of practical security, if you think about an, say, honest user with gigabytes of memory, it turns out that it's like 10 to the ninth bytes. It turns out the adversary will need somewhere up to 10 to the 18 bytes, which is roughly, I don't know, thousands of parabytes, which definitely seems more intimidating than the gigabytes of memory needed by the knownest parties. So follow-ups to as the original work showed that these low bounds for parities actually hold for many other functions, like basically everything that is hard to learn. Could you find out, I can hear you. Yeah, so now we know, after follow-ups for the original paper, that parity is not just a special case, there are many other cases that will be hard, like that you can prove time memory trade-offs. So does these problems give you more power to construct primitives or you just stop with parities? Yeah, we haven't checked the follow-up work to the, you were talking about the follow-up work to the original TimeSpace Lord. Yeah, I think that there are already like four papers out or something. Yeah, we haven't checked that, but we suspect they would make, that essentially would give us more power in constructing our schemes. Yeah, thank you. Thank you, are there any more questions? Yes? First of all, thank you for the great talk. Is your OT protocol compatible with OT extensions? Is it even necessary to consider that? Compared to OT extensions or? OT extension protocol. Of this transfer protocol? Yes. So how our bit commitment scheme extends to the OT protocol? Yes. OK, yeah, actually I can explain that within a few sentences, our OT protocol is very straightforward. Notice that our bit commitment scheme, essentially your commitment is just an encryption, and therefore our bit commitment scheme is actually additive homomorphic as well. In terms of your commitment tag. And our OT protocol is just that the receiver is just going to commit the bit that you're interested in to the sender. And sender is just going to use the additive homomorphism of the commitment message to calculate the two cipher tags for b times x0 and 1 minus b times x1. And notice that if you decrypt the envelope, you actually get xb and 0 times x1 minus b. So that's like the general idea, the actual construction. You can take a look at that in our paper together with the proofs. Thank you. Thank you. Thank you very much. Let's thank the speaker again.