 Hi everybody. Thanks, Yoda. I'm Sanjim from UC Berkeley and I'm going to talk about cryptography with a one-way communication This is joined to work with you all a shy in the alcohol shill. It's from Technion and Rafi Ostrowski and a bit shy from UCLA so typically noise is something that's seen as a problem in Information 2d and so on but over the years we've seen that the noise can actually be a very useful tool in enabling very good secure computation solutions in particular Wiener in 1975 showed that you could use noise to for secure message transmission and subsequently a lot of work has gone in in Realizing richer cryptographic primitives such as commitment key agreement and so on Kripper and Killian showed that one can use noise in Communication channels to realize oblivious transfer which can then be used to Realize secure computation for arbitrary functionalities, and this is mixed extended in multiple ways In terms of using different kinds of noisy channels and in efficiency and so on but much of this work has been restricted to the setting of To the interactive setting that is if for example, you're in the two-party setting then both parties must speak This work is is about the setting where there's going to be only one party That's going to speak so only one party has an input and only one party speaks the other party Just keeps quiet and we're still going to be able to achieve secure computation So more explicitly we have Alice and Bob and Alice as an input X and she wants to to to convey some Realize secure computation task in a setting where Bob has no input. Okay, so Bob should just get the output and We're going to be this communication is going to be done over a noisy channel I'm going to be and we're going to be interested in different kinds of noisy channels The three main ones that we're going to be interested in or what are going I'm going to talk about next Many that we consider in the paper but for the talk, I'll just focus on these three The first is the binary erasure channel in a binary erasure channel channel the sender sends in a bit Zero or one and with probability p it's passed as such and with probability one minus p is erased So for example if the sender sends in zero The received bit is zero it with probability p and with mine minus p it's erased So this is a very simple channel and just this channel already has some kind of security property Just let me explain that so in this setting. Let's say the From the perspective of the sender Depending on the random coins of the channel the bit is either passed or leaked but it does not know whether the receiver received a particular bit or not and Analogously from the receiver's perspective it it either receives the bit or does not But when it does not receive the bit then it has no idea what the sent bit So even this very simple channel already has some security property The next channel we're going to be interested in is the binary symmetric channel in this the sender again analogous to BC sends in a bit Zero or one and the bit is flipped with probability p and passed as such with probability one minus p and just like BC We have security properties in the sense that if the the receiver does gets a bit But it does not learn whether the bit is the original bit or the flipped bit and similarly the sender does not learn whether The receiver received the flipped bit or the original bit The third channel we're going to be interested in is the oblivious random oblivious transfer Channel and this is analogous to random oblivious transfer as we know Here the sender sends in two strings M0 and M1 now there's string not just bits you can also think of them as bits and And the sender puts them in the channel and the receiver with probability half receives M0 Come a bot and with probability half at the other probability half it gets bought common one So in particular in this case the receiver gets only one of the strings And the sender does not learn which string it got so that's the security property that comes So in the paper we have other channel, but for the the talk I'm going to focus on these three And there'll be some others that I'll mention along the way So let me move on to our results a The first step that we wanted to take was to investigate we have all these channels We wanted to investigate whether you can use one channel to realize Another channel so if you and and and we do know how to do it interactively But we wanted to see if we can do it non interactively and so we have a various results here the blue lines denote Positive results and the the red ones denote negative results So the first for let me start with the binary region channel in this setting We show that it's sort of self-reducible what I mean by that is that if you started with the it is your channel where The bit was passed with probability p then you can amplify or diminish that probability to any value of your choice Up to a small error That you can make as small as you you want This is sort of natural and we'd see how it has done later on in the technical part But what's sort of interesting is that in the interactive setting all these channels sort of turn out to be equal It's are reducible to each other in the Non-interactive setting they have a very different characteristics So for example if you consider the binary symmetric channel It is both reducible and impossible to reduce so what I mean by that is that you can start with the binary symmetric channel and you can Reduce the increase the probability with which it is flipped But you cannot go the other way around and in fact we can prove impossibility that you cannot go the other way The other sort of main question was well We have these so a radio channel is a generalization of the binary radio channel You can think of as passing strings and so on it implies binary radio channel sort of trivially So we wanted to see whether random oblivious transfer which sort of feels more like secure computation can be realized from any of these Channels and so in this work we show that all these channels are actually insufficient for realizing this random oblivious transfer Which we'll see has other applications later We consider other Natural channels. I'm going to later talk about busty channel. I'm not going to talk about red blue channel They we show that these these imply the the the random oblivious transfer and this is going to be crucial for some of our application Okay, so next day well, we studied the the correlation or the Relationship between these channels the next question is well if we have these what can be used them to realize different Cryptographic tasks, so we show that essentially every channel that we have is sufficient for realizing Secure computation for any deterministic functionality So note that if you have a deterministic function, and let's say I'm Alice. I want to give you f of x And in the semi-honest setting I can all it's trivial to do I can just compute and give you the answer and You can expect it to be correct. So this realizing Deterministic functionality makes sense only in the malicious setting furthermore It's only interesting when Alice's input comes from a large space So let's say the Alice's input was coming from a small space then I could still give you the output and you could Go with all inputs and check if the output is Is among one of those is in the range of the function So this is meaningful for example in the setting of zero knowledge So for zero knowledge one could ask can we realize zero knowledge using any of these channels and our answer is yes Next we move on to the setting of randomized functionalities Where these the Alice has an input Bob does not have an input But the the randomness for the functionality is going to be provided by the channel and This this is meaningful even in the semi-honest setting because the randomness is coming from the channel And it's not provided by either of the parties our results extend to the malicious setting as well Okay, so let me move on to some of the application I will give one application for the deterministic setting which is for the zero knowledge And I'll give one application for the randomized functionality So for zero knowledge The protocol that we have is sort of the first truly non-interactive zero knowledge protocol It does not require CRS or random oracle model unlike previous works and And it achieves non-transferability which previous protocols did not but we we do need noisy channel there So it's sort of that's the I guess the caveat Okay, so the next application is for oblivious certification of cryptography keys So let's say we have a company verisign and wants to give Bob a signature on his public key So typically Bob could give a verisign the public key and then show the secret key to To show that it's indeed correct and then very sign could give a signature on but with this randomized With this randomized functionality in the noisy setting What verisign could do is it could just send one message to Bob and the randomness from the channel would be used to sample the public key And secret key for Bob and along with generate a signature for Bob So this gives very sign the capability by just sending one message to Bob Enabling him to to obtain a public key secret key along with a signature on his public key While ensuring that verisign does not learn anything about the public key and secret key of Bob Okay, so this is This is something that we can do if we have access to my noisy channel Okay, so now let me move on to some of our techniques. I want to give some idea about What goes on? So let me start with the sort of the warm-up example something very simple Which is if you have a binary erasure channel? Which passes the value with probability p then I want to relay relies a Binary range of channel with probability pre pre-prime And then I want to preserve non-interactivity So this actually is very very simple you think about the most natural idea I can Amplify so what does it mean to amplify if I send the same bit twice then it's going to be It suffices to receive only one of them I can and the the probability that you will receive at least one of them is going to be more than if I had sent just one bit And the probability of getting that bit So I can just repeat it multiple times and it's already amplifies the probability with which you get that bit And a logistic I can also diminish the probability with which you get a value How do I do it? I secret shares of if I have a bit B. I sample two random bits R0 R1 so that they Exort to B. I can send the two bits Over the erasure channel and now the requirement is you can recover B or reconstruct B only if you got both bits Okay, so I can diminish the probability We show in the paper that you can take you can use these two amplification and diminishing Again and again to to go as close to to P prime as you want So if you start with a channel P you can get to P prime as as close as you want I'm not going to go into the details. Let me mention some of the Okay, so let me now move on to the impossibility of random oblivious transfer from binary data So this sort of is on the dual side of things where we want to show impossibility of realizing these channels with with more structure So what would a protocol for random oblivious transfer look like so let's say we have Alice she has two strings or possibly bits if you want to consider a simpler case m0 and m1 and She could potentially encode them, you know, using some randomness whatever process she might have into some bits And then she sends these bits over a binary data channel and and Bob is going to receive some of these bits Some of them are going to be deleted and At this point we want that Bob should be able to use the values that it obtained to recover either m0 or m1 Both with probability. Let's say how So correctness here says that each of m0 and m1 should be obtained with probability half Receiver security This is something slightly subtle that receiver security guarantees that the choice of m0 or m1 that the the receiver gets Should depend only on the choices of the the channel not on the choices of the center. So in particular when The sender might have multiple ways of encoding this m0 m1 into these bits and sending them over the channel but we want that any It's random coin do not dictate whether the receiver gets m0 or m1 because if they did then he gets partial information on Which value the receiver seed which would break receiver security so in particular the Encodings must encode both m0 m1 and it's only the random choices of the channel that should dictate whether The receiver got m0 m1 Now this leads us to a contradiction with sender security the reason being that if it's only the choices of the channel And if I'm getting m0 with probability half and m1 with probability half It should be so the probability the two events are positively correlated. So each bit is is being deleted independently some deletions lead me to this these the send the received bits to contain information on m0 and The other bits contain information on m1 So if with probability half they contain information on m0 and with probability half they contain information on m1 then hopefully With the since they are there they're both positively correlated We're going to the received bits are going to contain information of both for both m0 and So this intuition can actually be formalized in the formal argument can be given using a heresclatment inequality For this I'm not going to go into the details of that, but you can look at the paper So some extensions in the setting so we're able to actually show something stronger We're able to show that if you take a binary radio channel with probability which passes the value of Probability p then it's actually impossible to even realize epsilon Randomity where epsilon is a fixed constant that depends just on so regardless of how many times You want to invoke this channel and so on you will not be able to beat this constant given the parameter And the result can be extend to generally rage of channels where you have it is being done over strings and so on We can also extend the result to the computational setting But we require isoparametric inequality or heart-press theorem for for this result The the result these results also extend to BSE where you cannot realize a random or t out of binary symmetric channel one difference with these These extensions to the computational setting in the binary symmetric setting is that here We were only able to obtain losses of one by Pauli. We were not able to show The the loss we weren't able to show impossibility for a constant epsilon, but only one by a poly Okay, so next let me move on to Giving some ideas about so this sort of gives you some idea about the positive as well as the negative sides of Relationship between different channels why non interactivity makes it hard For realizing for example random oblivious transfer next I want to give you some idea about how we can use They raise your channel for example to realize deterministic functionalities And I'll show it in the context of binary radio channel for binary symmetric channel turns out to be slightly tricky But I won't talk about it And then I'll show how we can Realize random oblivious transfer and how that's useful in realizing randomized functionality so for deterministic functionalities it You know, it's a it's a realizing zero knowledge suffices for realizing all functionality. This is easy to see So we have Alice and she has input x and if let's say she wants to convey f of x to Bob She can just give f of x and additionally if she can give a proof that this f of x computation was done correctly Then she's done and and we're going to do this by using this tool called oblivious as e.k. PCP And this was sort of implicit then previous work by a shy sigh and Wagner and and I tie It's it's sort of a zero-knowledge PCP with the additional constraint that the the choices that the PCP verify The queries that the PCP verify looks at are random They did they did not correlated each he looks at each bit sort of independently and randomly and that's a fight In particular if I were to take the the PCP and I write this and I send it over a Eraser channel this such PCP's I have the guarantee that you know each of them is going to be soundness hold if as long as some constant number C of the random locations are read and Zero knowledge holds if each bit is deleted with probability This is sort of very analogous to what we need here. We're just going to take this PCP We're going to ship it over the binary range of channel and we're going to get some soundness guarantees Which are going to amplify by running this thing again and again, so we're going to generate multiple PCP's We're going to send them again and again, and we're going to amplify the soundness So just to highlight then the setting of binary symmetric channel. We're going to do something similar. We're going to send these PCPs over but then we're going to have some of the bits being flipped So we'll have to there would be errors that would be introduced in checking soundness And we'll have to check we'll have to take into account that there are going to be natural error errors And and and so on I will refer you to the paper for more details on it Okay, so next let me move on to the final part, but I want to talk about randomized functionalities and It follows from a previous work of a shy at all that it suffices to realize just this random of Lewis transfer I won't go into the details of this construction But I want to give you an example of a channel that can be used to realize a random of Lewis transfer So it can be realized from a perfect bursty channel, and what is a perfect bursty channel? So if I have a If I was to encode my strings M0 and 1 if a perfect bursty channel is characterized by two parameters K and B the sender sense in K strings and the the guarantees that among these case strings of B of them will be deleted and they will be contiguous to each other So we it's a it's a easy construction I'm going to talk about it that if you had be greater than K by 2 or B is odd Then it's indeed the case that you can use such a channel to realize a random of Lewis transfer So this is different from just a regular binary ranger channel or a ranger channel in the sense that there is a correlation in terms of which values or which parts of the The sent information are being are being deleted and this is what this Discreteness is what allows for enabling random of Lewis transfer and then the application to randomize functionality Okay, so we consider other channels in the paper which are also sufficient for realizing a random of Lewis transfer But I won't talk about it Okay, finally to conclude then there's some open problems So we we initiate the investigation on non interactive secure computation using noisy channel We show that the landscape in the setting is is very different from the the interactive setting is actually pretty surprising at times and the fact that Some things are possible for binary erasure channel and not for binary symmetric channel is very interesting And I think that we have just started to scratch the surface here The final goal would be to have a clear characterization on for every possible a noisy channel as to what it is useful for In and what it can be used to enable in terms of secure computation tasks. We're pretty far away from that We have only considered specific noisy channels of interest and the next question would be can we improve the efficiency of these constructions and relies Something you know right now. We just have these feasibility results and can we improve on the number of for example if you're using a a When you're amplifying from binding these channels from probability p to p prime What's the minimum number of invocations of the underlying channel that you need to make? Okay, thanks