Welcome, everybody, to this paper session, which is part of the best young researcher paper award. This is the paper on the discrete-log problem with preprocessing. Henry, the stage is yours.

Thank you so much, and thanks for inviting me to speak in this session. This is joint work with Dima Kogan, who is also a PhD student at Stanford. So the discrete-log problem is really one of the foundational problems in modern cryptography. We use it to build signature schemes like DSA, Diffie-Hellman key exchange, ElGamal encryption, pairing-based cryptosystems, and lots and lots of other things. To refresh your memory, the discrete-log problem looks like this: we fix a group G of prime order N with a generator g, and given a problem instance g^x, the task is to find the discrete log x. So given that discrete log is such an important problem for us, you can ask yourself: why do we believe this problem is hard? The first reason we believe it's hard is that the problem has withstood many years of cryptanalytic effort. But another reason is what I'll call generic lower bounds. A generic algorithm is one that works in every group—a discrete-log algorithm that doesn't really care about the group it's working in. And the classic result, due to Shoup, is that every such algorithm that works in a group of prime order N and succeeds with good probability has to run in time at least the square root of N. So the best generic attack on a 256-bit elliptic-curve group, say, takes 2^128 time. And since the standard elliptic-curve groups are the means for key exchange on the internet, and the best attacks we know on these groups are generic attacks, this gives us some confidence in the hardness of discrete log: coming up with a better discrete-log algorithm for these groups would somehow have to involve exploiting the specific structure of elliptic curves. So this is why generic discrete-log lower bounds are a very useful tool. Since I'll be talking about generic algorithms a lot, I want to define what I mean a little more formally. A generic discrete-log algorithm is one that can only make black-box use of the group operation—again, think of these as algorithms that work in any group. Formally, we define this with the generic group model, where a group is defined by an injective labeling function sigma that takes as input an exponent x from 1 to N and outputs a label, a bit string that represents the corresponding group element. An algorithm in this model has access to a group-operation oracle: you give this oracle two bit strings representing two group elements, and it returns the label of their product under the group operation defined by sigma. So a generic discrete-log algorithm takes as input sigma(1) and sigma(x), representing g and g^x, makes some queries to this group-operation oracle, and then has to come up with the discrete log x. And we measure the complexity, or the running time, of such an algorithm by the number of queries it makes to this generic-group oracle. As many of you probably know, this has been a really, really useful way to understand the hardness of discrete log and related problems, including in pairing groups; all sorts of assumptions have seen this sort of analysis.
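Since the model is easiest to see concretely, here is a minimal sketch of a Shoup-style generic-group oracle. Everything in it—the class name, the toy group order, the use of a random injection into fixed-length bit strings for sigma—is my own illustration of the definition above, not code from the talk.

```python
import random

N = 101  # toy prime group order

class GenericGroup:
    """A random injective labeling sigma of Z_N, exposed to the adversary
    only through a group-operation oracle on labels."""

    def __init__(self):
        labels = random.sample(range(2**20), N)          # N distinct random labels
        self._sigma = {x: format(l, '020b') for x, l in enumerate(labels)}
        self._inv = {l: x for x, l in self._sigma.items()}
        self.queries = 0                                 # cost = number of oracle calls

    def label(self, x):
        """sigma(x); used only to hand the adversary its inputs sigma(1), sigma(x)."""
        return self._sigma[x % N]

    def op(self, la, lb):
        """Group-operation oracle: labels of g^a and g^b -> label of g^(a+b)."""
        self.queries += 1
        return self._sigma[(self._inv[la] + self._inv[lb]) % N]

# A discrete-log instance in this model:
G = GenericGroup()
x = random.randrange(N)
instance = (G.label(1), G.label(x))   # the adversary must recover x from these
```

An adversary here receives the two labels in `instance`, may only call `op`, and its complexity is the final value of `queries`.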
But one thing that is a cause for concern about the generic-group model is that it doesn't account for what we call preprocessing attacks. The premise of the model is that the adversary doesn't know anything about the structure of the group when it starts executing: the only way the adversary can learn about the group G is by talking to this oracle. But in reality, for the groups that we use in real life, there's really only a small number of groups that we use for key exchange on the internet. So a realistic adversary can perform massive preprocessing relative to one of these fixed groups, and potentially use that preprocessing to solve discrete-log instances faster later on. And it turns out that the existing generic lower bounds don't say anything about what happens in the face of these preprocessing attacks. So the model I'm imagining looks like this. A discrete-log algorithm with preprocessing works in two phases. In the preprocessing phase, the algorithm A0 takes as input the description of the group G, does some work, and outputs an advice string—you can think of it as a data structure containing what the algorithm learned about the group. Then, in the online phase, the algorithm A1 takes as input the advice string and a problem instance g^x, and has to output the discrete log x. And in this talk, both of these algorithms are going to be generic; I'm interested in algorithms that work in every group. When we measure the complexity of such an algorithm, we can look at a bunch of things. We can look at the preprocessing time, measured by the number of queries in the preprocessing phase. We can look at the size S of the advice string that the preprocessing phase outputs. We can look at the online time T, the number of queries the online phase makes to solve a problem instance. And then we can look at the success probability epsilon, taken over the choice of the group and the choice of the challenge. So, this is the plan for the rest of the talk. I first want to walk you through an existing preprocessing attack, to convince you that these attacks are realistic and interesting. This is an attack that achieves cube-root complexity, and it works in any group—so it's a generic attack. Then I'll get to our results on preprocessing lower bounds and attacks. We show that this preprocessing attack is actually optimal for generic algorithms, so you can't beat it. And furthermore, any such attack has to use a really large amount of preprocessing: if the online time is N^(1/3), the preprocessing time has to be N^(2/3). And then finally, I'll talk about a new attack we have in the paper on a DDH-like problem. So the first thing I want to do is show you this pre-existing result. It's a preprocessing attack on discrete log that works in every group. The theorem here is folklore in the sense that it appears in many different places, and the result has the following form: there is a generic discrete-log algorithm with preprocessing that uses S bits of group-specific advice and online time T, and succeeds with probability epsilon, where the parameters satisfy a trade-off of the form ST^2 = O~(epsilon N). The tilde here hides log factors. What this means is that if you plug in S = T = N^(1/3)—N^(1/3) bits of advice and N^(1/3) online time—you get an algorithm that succeeds with constant probability.
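Written out, the attack's trade-off and the parameter setting just mentioned look like this (my rendering of the slide; the tildes hide the polylog factors):

```latex
\[
  S\,T^{2} \;=\; \widetilde{O}(\varepsilon N)
  \qquad\Longrightarrow\qquad
  S = T = N^{1/3}
  \;\;\text{gives}\;\;
  \varepsilon = \Omega(1).
\]
\[
  \text{For a 256-bit group } (N \approx 2^{256}):\quad
  S = T \approx 2^{85}.
\]
```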
And I'm going to sketch this attack, because I think it's something all of us should know, and it's also just sort of surprising if you're used to thinking of discrete log as a square-root-hard problem. As setup for the algorithm, I'll need one slide of preliminaries. The one tool you need is a pseudo-random walk on group elements. The walk goes from a group element g^x to g^(x + alpha), where the step alpha is picked by applying a hash function—think of it as a random function—to the current element. So if we take our walk starting at some group element g^x, we move to g^(x + alpha_1), then to g^(x + alpha_1 + alpha_2), and so on, so we get g^x shifted by a bunch of alphas. And an interesting property of such a walk is that if you know the discrete log of the endpoint of the walk, you can work backwards—subtracting off the alphas—and solve for the discrete log of the starting point. So having given you this one tool, we can describe the entire preprocessing algorithm in terms of these walks. The way it works is: in the preprocessing phase you build roughly N^(1/3) chains, where you start each walk at a random group element with known discrete log and run it for roughly N^(1/3) steps. Then you store the discrete logs of the endpoints of the walks. On the slide, these circles all represent group elements, and the advice string stores only the endpoints with their discrete logs. Storing these endpoints takes roughly N^(1/3) space—one entry per walk—and that's the whole advice string. Then, in the online phase, you're given a challenge g^x, and the online algorithm runs its own walk: you walk from the challenge for roughly N^(1/3) steps, hoping to collide with one of your precomputed walks. If you do collide with one of these precomputed walks, the deterministic walk carries you into one of the precomputed endpoints, and you'll be able to work backwards to recover the discrete log x of the challenge that started your walk. And it turns out that this takes roughly N^(1/3) group operations. I'm not going to argue that this succeeds with constant probability, but it does. The catch is that the preprocessing time here is massive—it takes N^(2/3) time—because we have to build many of these walks, and each walk is quite long. And the fact that the preprocessing time is large is what allows the attack to evade Shoup's lower bound on the online time. So, just to emphasize what happened here: without preprocessing, we know from Shoup's lower bound that a generic discrete-log attack takes at least square-root-of-N time; with preprocessing, the online time drops to N^(1/3). So as soon as you allow preprocessing for free, the security of 256-bit elliptic-curve groups drops from 128 bits to something like 85 bits. It turns out that a related preprocessing attack speeds up solving multiple discrete-log instances, and we discuss that in the paper; this style of group-specific precomputation is also the idea behind the Logjam attack on 512-bit Diffie-Hellman. So this N^(1/3) upper bound is what got us interested in knowing whether this is the best discrete-log preprocessing attack possible, at least for generic algorithms.
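Before moving on to the lower bounds, here is a minimal concrete sketch of the walk-based attack, in a toy multiplicative group rather than in the generic model. All function names are mine, the parameters are toy-sized, and real implementations add refinements (distinguished points, careful parameter tuning) that I'm omitting.

```python
import hashlib
import random

# Toy concrete group: the multiplicative group mod a small prime. We assume
# g = 7 generates (most of) it; the exact order only affects success probability.
p = 104729            # the 10,000th prime; a toy modulus, nowhere near 256 bits
g = 7
N = p - 1             # exponent arithmetic works mod p - 1

def step_size(elem):
    """alpha: a pseudo-random step derived by hashing the element's label."""
    return int.from_bytes(hashlib.sha256(str(elem).encode()).digest(), 'big') % N

def walk(elem, steps):
    """Walk g^x -> g^(x + alpha(g^x)); return endpoint and accumulated offset."""
    offset = 0
    for _ in range(steps):
        a = step_size(elem)
        elem = elem * pow(g, a, p) % p
        offset = (offset + a) % N
    return elem, offset

def preprocess(num_walks, walk_len):
    """Advice: the discrete logs of the endpoints of many precomputed walks."""
    advice = {}
    for _ in range(num_walks):
        r = random.randrange(N)                     # start at g^r with known r
        end, offset = walk(pow(g, r, p), walk_len)
        advice[end] = (r + offset) % N              # discrete log of the endpoint
    return advice

def online(h, advice, max_steps):
    """Walk from the challenge h = g^x; on hitting a precomputed walk we are
    carried into its stored endpoint, and can solve for x by subtraction."""
    elem, offset = h, 0
    for _ in range(max_steps):
        if elem in advice:
            return (advice[elem] - offset) % N
        a = step_size(elem)
        elem = elem * pow(g, a, p) % p
        offset = (offset + a) % N
    return None                                     # walk missed the covered set

advice = preprocess(num_walks=64, walk_len=64)      # ~N^(1/3) each for this toy N
x = random.randrange(N)
x_found = online(pow(g, x, p), advice, max_steps=256)
assert x_found is None or pow(g, x_found, p) == pow(g, x, p)
```

The online phase makes on the order of N^(1/3) group operations and succeeds with constant probability, while `preprocess` does the N^(2/3)-ish work up front.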
The reason this is relevant to practice: you can imagine that if there were a better attack—say, one using N^(1/4) space and time—you would really worry about the security of 256-bit elliptic-curve groups, because it would mean that whoever invests in the precomputation effectively holds a trapdoor for these elliptic-curve groups that lets them compute discrete logs really fast. And if this happened, you can imagine what we think of as discrete log crumbling: we might have to revisit the key sizes that we use, revisit the cryptographic standards that we use, and so on. So that would be a disaster. What I'm going to tell you now is that this disaster doesn't happen. In fact, the N^(1/3) generic discrete-log attack is really optimal. And furthermore, the preprocessing time that it uses is also optimal. So you don't have to worry about the security decaying any further, at least against generic attacks. We prove the following theorem in our paper: every generic discrete-log algorithm with preprocessing that uses S bits of group-specific advice and online time T, and succeeds with probability epsilon, has to satisfy a trade-off of the form ST^2 = Omega~(epsilon N)—again, ST^2 is at least roughly epsilon N. And it turns out that the attack I showed proves that this bound is optimal, at least up to log factors. So this is a robust result, in the sense that we now know the best possible trade-off for any choice of advice size. And if you're familiar with generic lower bounds, I should mention why we needed a new proof. There's a technique that Victor Shoup used to prove the classic square-root lower bound, and many of the other generic lower bounds follow his approach. Those proofs crucially rely on the adversary having no information about the group when it starts executing. In our setting, the adversary actually has S bits of information about the group before the online phase even begins, so proving a lower bound in this setting requires a different proof technique. The other thing we prove is a lower bound on the preprocessing time as a function of the online time; both trade-offs are written out below. To make it concrete: if you want constant success probability and online time N^(1/3), then the preprocessing time has to be at least N^(2/3). And there's a very smooth trade-off—the faster you want your online phase, the longer your preprocessing phase has to be. There's no way around that. So for the bulk of the remainder of the talk, I want to go through how we prove the first of these lower bounds, the time-space trade-off, because that's really the hardest part. And before I do that, I want to remind you again of how the generic group model works. A group here is defined by an injective function sigma mapping exponents in Z_N to distinct bit-string labels, and the algorithm has access to an oracle implementing the group operation relative to this labeling function. At a high level, we prove this time-space lower bound using a compression argument, which has a really long history in crypto and an even longer history in complexity theory. At a high level, we'll use a better-than-possible generic discrete-log preprocessing algorithm to compress the random labeling function sigma that defines the group. So if we have an algorithm A that is really good at solving discrete log, we can use it to build an encoder—a compression routine—that produces a compressed representation of sigma, in such a way that sigma can later be decompressed.
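For reference, here are the two lower bounds just described, written out (my rendering; the general form of the preprocessing trade-off, and the polylog factors hidden by the tildes, are in the paper):

```latex
\[
  S\,T^{2} \;=\; \widetilde{\Omega}(\varepsilon N)
  \qquad\text{(advice--online-time trade-off)}
\]
\[
  \varepsilon = \Omega(1),\;\; T = N^{1/3}
  \quad\Longrightarrow\quad
  P \;=\; \widetilde{\Omega}\!\bigl(N^{2/3}\bigr)
  \qquad\text{(preprocessing-time trade-off)}
\]
```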
And we show that any adversary that uses S bits of advice and online time T, with ST^2 much less than epsilon N, gives us an encoder that compresses sigma. And since a random string—here, a random sigma—is incompressible, this immediately gives us a lower bound. Note that we're crucially using the fact that our algorithm works for every sigma, and in particular for a random one; this is where we take advantage of the algorithm being generic. So I'm going to sketch how this encoder works. For the sketch, I'll just assume that the adversary is deterministic; the paper shows how to remove that assumption. Okay, so I'll sketch how we build an encoder that compresses this random labeling sigma, and again, the high-level idea is that we use this preprocessing discrete-log adversary as the compression engine. The encoder has the entire function sigma as input. First, it runs the preprocessing algorithm A0 on sigma and writes the resulting advice string at the top of the encoding, as a header. Then we'll run the online algorithm A1 on a group element—essentially a fixed string in the image of sigma, say the lexicographically first label. A1 will make some queries to the group-operation oracle and then output a discrete log. What the encoder writes into the compressed representation is the responses to A1's oracle queries. So we continue running A1 on the group elements, taking their labels in lexicographic order, each time writing the responses to A1's oracle queries. And after we do this some fixed number of times—some fixed number of iterations of running A1—we write whatever remains of sigma directly into the encoding. So this is how we compress. Now we have to decompress. Given this compressed representation, I have to convince you that we can recover sigma. And the decoding is not too surprising: we'll take the online algorithm A1, and the decoder will run it on the group elements, again taking labels in lexicographic order, replaying the same experiment. As A1 makes queries, the decoder can answer all of A1's oracle queries using the responses recorded in the compressed representation. And as it does, it learns information about sigma: it builds up the function table of sigma as it goes. For each recorded query response, it can fill in one row of this table. The trick is that when A1 outputs a discrete log, the decoder gets one row of the table for free: we never had to write down which exponent the challenge label corresponds to, because A1's output gives that to us for free. So if we continue doing this, we build up the table in the way I described, and eventually we have all of sigma. So if you believe this, you believe that we can encode and decode sigma. But I also have to convince you that this is a compressing encoder—that we use fewer bits than it would take to write sigma down naively. And I'll try to argue that at a high level. My claim is that each time the encoder invokes A1, it compresses sigma by about one bit relative to the naive encoding. There are two cases here. The easy case is that the responses to all of A1's queries are distinct strings. In this case, A1 outputs a discrete log that is free for us: we get one row of the table for free, and we can save something like log N bits relative to the naive encoding.
The slightly more difficult case is when the response to an oracle query that A1 makes is the same as a prior response—A1 sees the same label twice. And if you're not careful, the encoder is going to pay twice for the same value: you'd write the same row of the table twice, and then there are no savings. So instead, the encoder writes a pointer back to the prior query that caused this collision. And if you do the accounting, you can see that as long as we run the online algorithm A1 for at most about N/T^2 iterations, we still save, basically because the pointers don't take too many bits to write down. So whether we're in the easy case or the hard case, we save about one bit per invocation of A1. To complete the proof, we invoke the fact that a random string is incompressible. We run A1 on about N/T^2 instances, and each execution compresses by at least one bit. But then we have to pay for the S-bit advice string that we stuck at the top of our encoding. Since a random sigma is incompressible, the overhead has to outweigh the savings: S - N/T^2 >= 0, which rearranges to the trade-off ST^2 >= N, and keeping track of the success probability gives the epsilon-N version. Just think of it as using a better-than-possible adversary to compress a random string. There are some extra technical bits that I'm not going to get into—how to handle randomized adversaries, adversaries that fail often, and decision problems—and for those I'll just refer you to the paper. So once you've studied discrete log, the logical next step is to ask about other related problems, particularly the DDH problem. We have matching upper and lower bounds for generic discrete log with preprocessing, as I just showed. And it turns out the same techniques, with not-too-difficult modifications, also give matching upper and lower bounds for CDH. But for DDH, we have a gap: the best upper bound—the best attack—we have for this problem and the best lower bound we can prove don't quite match. So we're not sure whether DDH with preprocessing is exactly as hard as discrete log, or whether it becomes easier once you allow preprocessing; we don't know if there's a better attack. So, towards understanding this question, we studied a related problem called the squared-DDH problem, and we give a new upper bound—a new algorithm—for squared DDH that actually matches the lower bound. So these are the new results we have: an upper bound for squared DDH, and then the corresponding lower bounds. Just one word about squared DDH. The squared-DDH problem is to distinguish tuples of the form (g, g^x, g^(x^2)) from tuples of the form (g, g^x, g^y) for random x and y. And it turns out that for generic online-only algorithms—if you don't allow preprocessing—this is essentially as hard as discrete log. But for generic algorithms with preprocessing, we show that it's strictly easier. And this was surprising to us, because without preprocessing these DDH-like problems sit at roughly the same level of difficulty, and yet once you allow preprocessing, some of these DDH-like problems turn out to be provably easier than discrete log, at least for generic algorithms. So, the last thing I wanted to do is mention a couple of open problems and recent progress on this line of work. The thing that's been bothering us the most is the gap between our DDH upper and lower bounds, summarized below.
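To keep the four problems straight, here is my summary of the bounds discussed in the talk; the exact epsilon-dependence is taken from the paper rather than from the spoken remarks, and the tildes hide polylog factors.

```latex
\[
\begin{array}{l@{\qquad}l@{\qquad}l}
\textbf{Problem} & \textbf{Best attack} & \textbf{Lower bound} \\
\text{Discrete log} & ST^2 = \widetilde{O}(\varepsilon N)   & ST^2 = \widetilde{\Omega}(\varepsilon N) \\
\text{CDH}          & ST^2 = \widetilde{O}(\varepsilon N)   & ST^2 = \widetilde{\Omega}(\varepsilon N) \\
\text{DDH}          & ST^2 = \widetilde{O}(\varepsilon N)   & ST^2 = \widetilde{\Omega}(\varepsilon^2 N)\ \text{(gap)} \\
\text{sqDDH}        & ST^2 = \widetilde{O}(\varepsilon^2 N) & ST^2 = \widetilde{\Omega}(\varepsilon^2 N) \\
\end{array}
\]
```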
Is DDH with preprocessing as hard as discrete log, or is there a better attack? Another direction that we think would be pretty cool would be to look at non-generic preprocessing attacks—attacks that exploit the structure of the groups we actually use. This seems very difficult, but we do now have a surprising generic attack, for squared DDH, to start from, and a non-generic preprocessing attack would be even more surprising. I also want to mention some recent work of Coretti, Dodis, and Guo that gives alternative proofs of these kinds of results in the generic-group model. They use the pre-sampling technique, which is a complementary set of techniques to the compression arguments we use here, and they prove hardness with preprocessing for the one-more discrete-log problem, knowledge-of-exponent assumptions, and many things in the ideal-cipher and random-permutation models. So if you're interested in this type of result, you should check out their paper. To sum up, I've tried to convince you that preprocessing attacks are surprising and relevant to the cryptography we use on the internet; that we have lower bounds showing the cube-root generic preprocessing attack on discrete log is optimal, and that the preprocessing time has to be huge; and that there are some surprising preprocessing attacks on DDH-like problems. And with that, I'm happy to take questions—there's a microphone.

Question: Your trade-off is stated for a bounded number of queries; is it true that the bound still holds if you allow far more, and wouldn't that degrade the problem?

Answer: That's a good question. If you allow no more than polynomially many queries, it shouldn't change the trade-off at all. We didn't look at what happens when you go to exponentially many queries—at some point you can solve the problem outright, and you don't get meaningful security. But as you said, that's true even in the online-only setting.

Question: A question about the collision case in your encoding: how does the adversary get such a collision, and is that helpful for the adversary in some cases?

Answer: Yeah, so you're asking about the collision events. Right—that's the event in which two of the adversary's queries return the same label, and it's representative of how these algorithms actually behave. So it is an interesting case, and it does happen.

Question: The collision happens as a result of a sequence of queries, so I was just wondering what kind of sequence that would be.

Answer: It's a sequence of queries that leads the adversary back around to an element it has already obtained.

Question: Okay, so the adversary can get a collision by making two different query sequences that reach the same element. Is that it?

Answer: Sure. In fact, generic discrete-log algorithms are in essence collision-finding algorithms. If you think of the simplest generic discrete-log algorithm: you compute g^r for a bunch of random values r, and then h times g^s for a bunch of random values s, and you find a collision between the two lists; a collision g^r = h·g^s immediately gives you the discrete log of h.

Question: You were proving this compression result using the fact that, in Shoup's model, group elements get random representations. My question is whether the same result holds in other formulations of the generic group model.

Answer: We didn't look closely at that.
I guess the reason we were interested in this formulation is that it treats the labels the adversary gets back from its queries as actual bit strings the adversary can compute on, and that's relevant for many real discrete-log algorithms—like the random-walk attacks—which actually require the adversary to compute on the representations of group elements.

Okay—thank you very much. Let's thank the speaker again.
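As a footnote to the exchange about collisions above: here is the simple collision-style generic discrete-log algorithm the answer describes, sketched in the same toy group as the earlier example (a birthday-bound variant with illustrative names, not code from the talk).

```python
import random

p, g = 104729, 7      # same toy group as in the earlier sketch
N = p - 1

def collision_dlog(h, samples):
    """Find x with g^x = h by colliding g^r values against h * g^s values."""
    seen = {}
    for _ in range(samples):
        r = random.randrange(N)
        seen[pow(g, r, p)] = r                    # list one: g^r
    for _ in range(samples):
        s = random.randrange(N)
        elem = h * pow(g, s, p) % p               # list two: h * g^s
        if elem in seen:                          # g^r = h * g^s  =>  x = r - s
            return (seen[elem] - s) % N
    return None

x = random.randrange(N)
h = pow(g, x, p)
x_found = collision_dlog(h, samples=1200)         # ~ sqrt(N) samples suffice here
assert x_found is None or pow(g, x_found, p) == h
```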