So the next talk is entitled "Unclonable Polymers and Their Cryptographic Applications". It is joint work by Ghada Almashaqbeh, who's giving the talk, Ran Canetti, Yaniv Erlich, Jonathan Gershoni, Tal Malkin, Itsik Pe'er, Anna Roitburd-Berman, and Eran Tromer.

Thank you. Thank you so much. Hey, everyone. As mentioned, I will introduce our work on unclonable polymers and their cryptographic applications. So imagine we have memory devices that are unclonable and they self-destruct once you retrieve the data. Furthermore, if these memory devices are storing several messages, you can only retrieve a few of them before having the device fully destructed. Such bounded query memory devices can be used in several applications. Among them, we have bounded execution software or what is known as one- and k-time programs, which are programs that can be executed over a few inputs only. We know that we cannot do this only with software and even in the quantum model, we need these special memory devices in order to build bounded executed quantum programs. So this idea was first put forward by Goldwasser, Kalai, and Rothblum, who introduced the concept of one-time memory devices, which imitate the functionality of non-interactive oblivious transfer tokens. They introduced these gadgets to use them to build one-time programs from garbled circuits. In their paper, they introduced or they discussed general directions on how to construct these gadgets without any real-world construction. The only way we know to construct these memory devices is by tamper-proofing the computation while assuming that these sophisticated hardware tokens are resistant to side-channel attacks and reverse engineering. So we wondered if we can build these gadgets using alternative hardness assumptions. And to achieve this goal, we joined forces with top-notch and brave biologists to find alternative technology to build real-world unclonable and self-destructive memory devices.
We do that in a rigorous way, laying down formal modeling and analysis of the capabilities and security guarantees that we can achieve. We also introduced several cryptographic and algorithmic techniques to amplify the weak properties of these devices in order to build provably secure cryptographic applications. Our research was inspired by recent advances in biotechnology that allowed storing digital data in the form of DNA. So you take a digital message and you encode it into a sequence of nucleotides that is then synthesized to produce the DNA material. For now, don't worry about the biological details here, just keep in mind that you can take digital data stored in the form of DNA and you can retrieve the digital data back from the DNA sample. However, DNA evolved to be clonable. This is a feature of that polymer. So you can replicate the sample as many times as you want and then you can read the digital data as many times as you want. And this led us to think of another biological polymer, which are proteins. Similarly, we can use proteins to store digital data. The difference is that now we encode the digital message into a sequence of amino acids that is then synthesized to produce the protein material. And here the magic started. First of all, proteins are unclonable. The central dogma of molecular biology states that once information has got into a protein, it cannot get out again. Meaning that given a protein sample, you cannot replicate it and you cannot get the genetic information back. This challenge is still standing for 65 years and even a few billion years of evolution. And to us cryptographers, this is just a biochemical one-way function. And we know what to do with hardness assumptions. We turn the hard lemons into lemonade, as I will show you shortly. Another amazing feature of proteins is that reading them, this process is destructive.
Meaning that if you want to determine that digital message encoded as a protein, you have to feed the sample into this machine, mass spec. And this will ruin or destruct the protein sample in order to get the sequence of amino acids, which is your digital message. So you cannot get the material back. Another thing is that this machine requires the protein to be of high purity. So if you feed this machine with a mix of multiple proteins or random proteins, you will get nothing. And this is the beauty of it. You either get the message or nothing. There is nothing in between. There is nothing like partially retrievable message or superimposition of the states in the storage. Based on these observations, we developed a construction for what we call consumable memory tokens. And as before, we transformed the digital message into protein. But we connect this protein with a shorter protein sequence that is called a header, which is recognized by the matching antibodies. So knowing the header, which by the way can be represented as a digital description, you can determine the matching antibody. And this header is the secret key for us. Then we mix this target protein with a massive set of decoy proteins that are connected to other random keys. And the mix, which is in the vial that our co-author Anna is holding here in this figure, is our consumable token. Now, to retrieve the data from the vial, remember, if you just feed it to the mass spec machinery, you will get nothing. So it is not that you will get, again, something about the message or the message itself. You have to purify the sample first, and you do that using the secret key. So you apply the antibodies. This will pull down the target protein. And then we cleave the header, feed it to mass spec. And at that point, you will get the sequence of that protein, which is your digital message back.
After spending months and months to develop this construction, we spent more months to distill the model that best represents biology. Our goal was to assume or to require the minimum on the biology side so we can get the simplest possible construction. In particular, our tokens can store only a small number of messages, actually short messages under short keys. So we need some amplification techniques in order to get stronger security guarantees. Also, the only meaningful way to interact with the token is by applying keys, which is the antibodies that I just mentioned. Furthermore, each data retrieval attempt will consume part of the token. Because remember, the reading process is a destructive process. And in our construction, although we set the amount of material or the parameters to allow the honest recipient to perform only one data query, we also account for the fact that maybe there is some adversary out there who's more powerful and can use the same amount to perform multiple data retrieval queries. We model that by saying that the honest party will be able to perform one query while the adversary or the malicious party can perform up to n data queries. So she can make up to n key guesses, if you will. At the end, our tokens are weak in the sense that they support non-negligible soundness error. So if you apply an incorrect key, but it is close enough to the correct one, there is a gamma chance of retrieving the correct message. And again, we need amplification here to get better security guarantees. Also, we extended our construction to let the token store a vector of the messages under a vector of the keys. And even if the adversary knows the set of keys used to construct the token, she can retrieve up to n messages out of the V messages. So not all of them. And again, the honest party will be able to retrieve one of them. Then we put our cryptography toolbox on the table and we ask two questions.
How can we amplify these weak tokens that support constant size data storage to obtain more powerful functionalities that can deal with arbitrary size input? And achieving this goal took us a long journey. First of all, we needed a mathematical model to represent biology and we produced what we call the vector model, where we look at the vial as a vector of protein amounts and we modeled all the biochemical procedures that are performed in the wet lab as algorithms working on these vectors. Then we developed an ideal functionality for consumable tokens with clean interfaces and formally showed that our vector based construction realizes or securely realizes this ideal functionality. Then we introduced again several algorithmic and cryptographic amplification techniques and we showed how to use our consumable tokens in several applications. In the interest of time, I will discuss these applications at a high level, where in this paper we introduced two of them. The first is digital lockers and the second is (1, n)-time programs. A digital locker is simply taking a secret message and encrypting it using a low-entropy key or a human-generated password. We know how to do this, so in the literature there are many papers around this topic where they construct obfuscators for point functions with multiple output, and these constructions show that the only possible attack against these digital lockers is exhaustive search over the password space. With our consumable tokens, we were able to defend against even this attack, where the adversary can try only up to n password guesses, after which it cannot interact with the token anymore simply because it was self-destructed. The construction wasn't easy at all, because you can say, okay, this is easy, just store the secret message in the consumable token and now the adversary can try just only up to n password guesses or queries, but we have non-negligible soundness error.
We had to use secret sharing to share the message among u tokens instead of one, and we had to chain these tokens together in order to preserve the number of queries to be n. This is because all these tokens are tied to the same password, so you will take the password, map it to a token key and then interact with the tokens, and we show that with our construction the advantage of guessing the password and retrieving the message is n over the size of the password space. The second application is (1, n)-time programs. These are programs that are secret or contain some secret data, so you give it to the recipient, where the honest party can execute that program over one input while the malicious party can execute that program over up to n different inputs. This is a variation of the one-time program construction that we know from before, but the difference is that we build our construction based on the real-world memory devices that we have. And for this we account for the power gap between the honest party and the malicious party. So we couldn't just use garbled circuits and whatnot, we had to use iO in order to construct (1, n)-time programs, and at a high level the idea is the following. I'm going to start with step two, so you take your function, you package it in a program that is obfuscated in the following way. This program, once it gets the input x, will not output f of x unless you supply a secret message that corresponds to the input, and we store this secret message or the secret messages corresponding to the domain of f in a consumable token. So in order to execute, you query the token first based on your input, you get the secret message, you present it to the obfuscated program, it will check that everything is correct and then it will output f of x, otherwise you will get nothing. But again, remember, our tokens can store a small number of messages, so we cannot cover functions with large domain space.
So what we did, we used linear error correcting codes, so instead of dealing with the input itself we will deal with the codeword of the input. Instead of sending one token we send omega tokens, where omega is the length of the codeword, and each symbol in the codeword will tell you which secret message you have to retrieve from each token. And now our obfuscated program, as you see here, will take the input, generate the codeword and check if the secret messages that you provided, which you have to get from the tokens, correspond to this input, and then you will get f of x. Also, that wasn't easy, it wasn't just like a direct idea. We had to figure a way to configure the code distance in a way that the malicious party can get up to n valid codewords, meaning that it can execute the program over only up to n different inputs. We also have the formal security proofs and even more details, because the construction is more involved, and I will refer you to our paper to see the full details there. To conclude, in this work we built a real-world construction of unclonable and self-destructive memory devices. We do that and we also do formal treatment and show provably secure cryptographic applications. For our ongoing and future work directions, these are twofold. On the biology side, we are working on a sister paper to show the full biological construction along with empirical results, and on the cryptography side, we are working on refining our models and build more applications from these memory gadgets. Thank you so much for listening and I am happy to take questions.

Okay, so if we have questions, please get to the mic.

Hello, thank you very much for the talk. I was wondering, um, how stable are these proteins?

I'm sorry?

I was wondering how stable are these proteins. The stability.

Yes. Oh, interesting. Okay, uh, so this is part of the biology, uh, work that you are still doing, um, but let me say this, uh, the construction that I presented here is also at a high level, just to make it closer to the audience,
especially that the cryptography audience. The actual one is, uh, more involved. It relies on phages and even more biological techniques, yeah, to achieve the stability, especially that we are dealing with short messages, so we cannot deal with long messages at all because of the stability of the proteins.

Thanks.

So could you maybe comment on, um, uh, how, yeah, the long-term validity of your underlying biological assumptions? Because, uh, a short Google Scholar search, uh, sort of returned quite a few results on, uh, non-destructive near-infrared spectroscopy of, uh, proteins. So seeing that your cryptographic constructions have quite a significant overhead, it seems like to turn this into something practical quite some time might still pass by, and during that time maybe there's some significant progress in spectroscopy, so it might be that the break-even point will be missed between the advances in biology and in the speed-up for your construction.

Matthew, first of all, thanks a lot for the question, and I'm smiling because, uh, the same question we had in the review process during, uh, applying this conference. Uh, so let me say two things. First of all, I wish that, uh, one of our biologists co-authors is here, just like to tell you that, because, yeah, uh, these other papers that talk about non-destructive proteins, they are not, uh, kind of like doing what is the promise, which, oh yeah, you can read the protein without, uh, fully destructing it. They are talking about specific polymers, and even it is kind of like, it is way different from what we are looking at. And again, I'm not a biologist, so I'm not sure even how to answer that in a better way, um, but, uh, it is not what we are after at all. These are just like still preliminary, preliminary results, and this is similar to any other hardness assumption, right? If you solve it, this is great, it will be great for biology and it will be, uh, bad for us, but at the same time it has been years and years people are trying to do all this
replication and non-destructive, uh, reading of proteins and they didn't succeed. So this is what we are relying on, and I don't know if in 10 years or 20 years someone else came up with this breakthrough, we'll be happy, because this will solve million problems on the medical and, uh, biology side.

Thank you.

That's not the question, it's kind of an added answer, um, some additional discussions with the, uh, with our biology friends. So another, just to make, uh, right, as a point, uh, stronger: all the work that is known for, uh, finding, uh, spectroscopy, uh, of proteins, they work with an existing directory of proteins and they can see if one of, uh, of a directory of known proteins are there. We're talking about something completely different, which is encoding a random protein altogether, and in that domain, uh, finding a random protein, uh, it's far to understand, this is a completely different ballpark, and there's no work known. Uh, and again, we are in this world of win-win, but you know, either the system is broken, there's a great progress in biology, or not. Um, and about this stability, this is really the issue of the, uh, of those phages, of, um, keeping the protein, um, stable, is done using, um, uh, technology, it has to do with phages of viruses. And in fact it's the same labs that this work started before COVID, and all these labs immediately turned into working on COVID, and therefore this project was, uh, was told of it, but the same technology, and apparently, uh, there's even now more technologies to make this stable, but this is still work in progress on the biology.

Okay, thank you. We're out of time. Just one quick question, if it's quick.

Oh, very informative and different talk, especially for the cryptographers. So my question is, have you considered the practical manifestation of these, uh, unclonable devices? Because with regard to the physical environment, the embedded system, how it physically goes into, so have you considered those factors or just it's a pure study
at this stage, and so how far we, uh, to see practical, uh, product of these things?

Okay, definitely. Uh, so first of all, thanks for the question, and yeah, that's a true point, because now we are dealing with biochemical procedures that are more on the randomized side, they are not all the times they're guaranteed to get the output, and we accounted for that in the sense that we say that, oh, we have non-negligible completeness error that is handled on the biology side, and the soundness error that we handled at the cryptography side. For the practicality issue, this is biology, it will take its time, so I don't know, some biochemical algorithm or procedure will not be faster if we just like look at it, right? But the thing is that, uh, look at that, this is a new technology, this specific construction is very new, it's not like we just took something that existed out there, so we are still doing the empirical stuff. But of course, yeah, it will take time, more and more in the future, uh, because you can see this is a very interdisciplinary and ambitious project. We will see more and more and we can tell you even more, but of course we listed all the parameters, the assumptions that we need to falsify or look at or study in more details.

Okay, thank you very much. The authors will be here during the break to answer other questions that I know are present here. Okay, thank you very much.