 So, this talk is about the gap between selective and adaptive security in various cryptographic protocols. So, as we all know, selective security is a notion of security in which we require that the adversary commits to some or all of its choices ahead of time before seeing either the public parameters or other features of the construction, whereas the adaptive notion allows him to do all his choices adaptively as the protocol continues. This is, of course, much more natural, but much harder to achieve usually. As an example, think of garbling where the standard notion of security requires the adversary to commit on his input that he wants to garble before seeing the garbled circuit. This is the classical security notion of garbled circuits, and, of course, the more natural notion, the adaptive one, in which we require the adversary not to commit to his input ahead of time, but only after seeing the garbled circuit, is much more natural and harder to achieve. There's a long series of works in the past decade showing that various protocols that we only knew how to prove selective security can be shown to satisfy some notion of adaptive security. It all started in the work of Manjwani in 2007, where he devised a game he called the general selective decryption, which is very easy to prove its selective security, but seems super hard to prove its adaptive security. The latest work in this series of works is by Jeff Orgolian Weeks showing that Yau's Garbled Circuit construction is actually adaptively secure. One downside of all these works is that whoever knows them had a feeling that they're all somehow related, this series of works. They all had the common features in the proof and the analysis looked similar, but nobody could really point out what's the main common thing. And the second point is that the original work of Manjwani and some other works are very hard to understand. They're super complicated. Our first main contribution is a framework that shows that all of these constructions basically follow the same framework. They have the same pattern in the proof, and we recover all the results from all these previous works using our framework. Our framework is quite modular. It basically takes a problem and it reduces it to some combinatorial problem about pebbling of graphs. And as a bonus, we also get a new result for the adaptive security of Yau's secret sharing scheme, which I'll talk next in this talk. So these are our results. I would like to spend a couple of slides about the framework. So there is a very classical way or a very trivial way to take a selectively secure protocol and make it adaptively secure. And it's usually a combination of a hybrid argument and guessing. So here's how it works. Think of two games, G-left and G-right, GL and GR. They're adaptive games. So keep in mind the adaptive Yau garbling as an example. And one to prove that they're indistinguishable. So what we usually do, we just selectivize them. We just guess the adaptive choices of the adversary ahead of time. Define selective games, H-left and H-right. And now we just apply the selective proof of security, which usually consists of a sequence of hybrid H1 till HL. Now the result is that the original adaptive games are indistinguishable, but the security loss is huge. It's two to the N for guessing the choices of the adversary. And there's a factor of L, which is the number of hybrids we had in the selective proof of security. And this is, of course, something not very good that we would like to avoid. The main idea in our framework can be said in one sentence. It's very simple to say. It's basically saying, devise a new sequence of hybrids, not the original ones from the selective proof of security, but a new one, and make sure that in order to move from each hybrid to the following one, you don't need to know the whole set of choices of the adversary, but only some small fraction of it, some H of the choice of the adversary. Two small comments that are important. You can choose a different H at any two consecutive hybrids. So that allows you to have much more flexibility. And overall, you might need to know the whole choice of the adversary, but at any specific point you will need to know only few bits. As an example, think of, again, adaptive yaw garbling. So if we had a sequence of reductions in which we could only know in every two consecutive hybrids only a few wires, not the whole input, then we would be able to devise a much more efficient reduction. So here's a glimpse of the formalization of our framework. So again, we have the adaptive games, G left and G right, and we have a hybrid, the selective hybrids H1 to HL, but now the selective hybrids have an additional property. Not only they're the selectivized versions of the adaptive games, but each two selective hybrids are the selectivized versions of something we call less selectivized games that I symbolized by H hat. And the property that these less selectivized games have is that in order to move from one to the consecutive one, you need to know fewer bits about the choices of the adversary. So that's the formalization. You can have a different pair for each two consecutive hybrids. If you have this property, then you can get a security reduction in which the loss is 2 to the M times L rather than 2 to the N times L, and if M, the number of bits you have to know in every two hybrids is much smaller than N, we win. We get a much more efficient reduction. So this is the main idea of the framework, and I'm going to show how it applies to secret sharing, the new result in the paper. So what is secret sharing? Secret sharing is a very simple game introduced in the late 70s by Blakely and Shamir. And the game is described as follows. There's a dealer that has a secret. Think of the secret as a single bit, just 0 or 1. He wants to distribute it among N players such that there are qualified sets and there are unqualified sets. The qualified ones should know the secret and the unqualified ones should not know the secret. So we just take the whole set of N inputs and we split them into two sets, one of which is good inputs and one of them is bad ones. And the goal is that the subsets that are qualified will be able to recover the secrets while subsets that are unqualified will not be able to recover it. And cannot, can be formalized in various ways, either information theoretically or computationally, and we know a bunch of stuff on each one of them and I'll talk about it in the next slide, but now I want to talk about the security definition. So in the selective security definition, the dealer has a secret. It generates a bunch of shares, Pi 1 to Pi N. And the adversary commits to his whole set of parties that he wants to see their shares, I1 till IK, and sends them to the dealer. The dealer replies with the set of shares of the corresponding parties. And then the adversary has to say what's his guess for the secret, either it's 0 or 1. He wins if he succeeds in his guess. In the adaptive game, the dealer does the same thing. He chooses a secret asset random, generates a set of shares. But now the adversary only sends one index out of N to the dealer and gets back the share of that dealer, of that party. And he can do it multiple times. So he can choose the share of the next party based on the shares it has seen so far. And again, when he decides to finish, he sends what he thinks the secret is. And he wins if his guess is correct. We say that a scheme is secure in either case. If the probability that the adversary wins and he chose only an unqualified set is at most 1.5 plus something negligible. Okay, so what do we know about this notion? There's a long line of works about information theoretic constructions that achieve perfect security and they're all perfect. But we'll focus about the computational ones. In the computational setting, we have two main schemes. The first one is a scheme of Yao that I'll talk about more in the rest of this talk. It basically allows us to share a secret to a set which is described by a monotone Boolean circuit. So there is a monotone Boolean circuit, which is public, that tells you who are the qualified sets and who are the disqualified sets. There's also another construction that allows us to share a secret to every axis structure, not only to ones that are described by monotone Boolean circuits. And what we currently know is that both of these schemes are only selectively secure. We have no result about their adaptive security. Of course, you can do what I said in the beginning, hybrid argument and guessing, but lose two to the end factor in security, which is something we would like to avoid. So our result is the following. Based on the axis structure, it is described by a monotone circuit that has various parameters. But basically our result says that if the axis structure is described by a monotone circuit of size S and depth D, then Yau's secret sharing scheme is adaptively secure and the loss is only S to the D, and not 2 to the N, which is much better in several cases. One notable example is an axis structure called directedistic connectivity. It's an axis structure in which parties are edges in a graph and the qualified sets are those that form a directed path from some specified vertex S to some specified vertex T. Before this work, we didn't have any adaptively secure construction for this axis structure in which the security loss is less than 2 to the N. With our result, the security loss is only quasi-polynomial. It's only 2 to the polylog, okay. So I'll continue with the description of Yau's scheme and then I'll show our analysis. So Yau's scheme works as follows, you give me the Boolean circuit, which describes the axis structure. And I am going to label each wire in the circuit with some label. The labels of the input wires are going to be the shares of the parties. So we start by labeling the output wire with the secret. And then we see either an OR gate or an N gate. They might have multiple, like fan out larger than one and fan in larger than one. Let's assume it's just two, both of them are just two. So let's say we see an N gate in which the output wires are labeled with L1 and L2, or an OR gate with the same labels. So the first thing we do, we sample a fresh encryption key for a symmetric encryption, anyone. And we associate this encryption key with the gate. Now if it's an N gate, we label the left input wire with the random label. And the right input wire with cake sort with this random label. So we just one time pad this key. If it's an OR gate, we just duplicate it to both input wires. This is the scheme. The last thing we do, we publish on some board or just give each party the encryption of the label L1 and L2 with respect to the key K. We do this in both cases. So that's the scheme. Correctness is quite easy to see by just reversing the process, going from the leaves to the output wire of the circuit. And let me talk about security. So in the security proof of this scheme, the selective proof of security, which is the classical proof of security, we do a sequence of hybrids. What is this sequence of hybrids? What we're doing is we're replacing the encryptions that everybody see. This cipher text, we replace them with bogus ones. So instead of encrypting real labels, we are encrypting random stuff or junk. But we can't do it for every gate, right? Because some gates, the adversary can know the encryption key and can open the encryption. So we do it only for the gates for which the adversary doesn't have the encryption key. But how do we know which ones? So we know because this is where we use the selective security. We know the set of parties the adversary opens their shares ahead of time. So we know exactly which gates the adversary can compute their key and which gates he cannot compute their key. And there must be a path from the input wires to the output wire in which we can replace all cipher texts with bogus ones and thus replacing the output wire with a bogus one, which makes the whole thing independent of the secret, so the scheme becomes secure. So this is the high level idea of the proof. And notice that it seems in this approach, using this approach, it seems inherent to know ahead of time the set of parties the adversary is going to choose, just to know the path of gates that we can replace with bogus ones. So what we do, we devise a new sequence of hybrids that allow us to use our framework. So here's our sequence of hybrids. Each hybrid H.I. will correspond to a pebbling configuration of the graph, meaning that on every, we think of it as if on every gate in the circuit, we either put a pebble or not put a pebble. So all gates are either pebbled or not. Pebble gates will correspond to circuits that have bogus cipher text, bogus associated cipher text, and gates without the pebble will correspond to gates with the real cipher text. And our goal will be to start with the game in which there are no pebbles. So all the cipher texts are honest and devise a sequence of hybrids in which in the last hybrid there is a single pebble on the output gate. And what it means is that the cipher text that corresponds to the secret will be a bogus one, and therefore the secret is hidden. Okay, so this is our high-level approach. Let me tell you before showing the sequence of hybrids, how we go from a hybrid in which there is some set of pebbles to a hybrid in which we have a different set of pebbles. So for this, we use something we call pebbling rules. We define two pebbling rules that we allow to make in order to move from hybrid HI to a hybrid HI plus one. The first rule that we allow is if you have an end gate in which one of its inputs is pebbled, meaning its corresponding cipher text is bogus, then you can also pebble that gate. And you can reverse it by unpebbling it. And if you have an or gate in which both children are pebbled, you can also pebble that one or reverse it. And the idea why HI is indistinguishable from HI plus one is just due to the semantic security of the encryption. So our main idea would be to find a sequence of hybrids in which in every two consecutive hybrids we apply one of our pebbling rules. And in addition, the number or the description of the pebbles or the pebbling configuration would be very short. And this is what we are going to guess in our hybrid argument. So our goal now is to find a pebbling strategy for Boolean circuits with not so many pebbles at any point in time. And in which the number of hybrids or pebbling configurations is not so big. So this is the goal. And our result is a pebbling strategy that requires two to the D moves or pebbling steps. And in every step, every pebbling configuration requires only D times log S bits. And here is where our loss as to the D comes from by just guessing the description of the pebbling configuration in each two consecutive steps. So the configuration will consist of two things. It will consist of a sequence of pairs of the form, a label of a gate, like a name of a gate and a bit. This bit will just represent either whether only the left subtree is pebbled or the right subtree is pebbled or both of them. So if none of the inputs wires of a gate is pebbled, we will just not write it. If only the left one is pebbled, we will write a zero in the bit. If both of them are pebbled, we will write a one corresponding to the gate name. And we'll have another bit just to specify if the root gate is pebbled or not. So this is the configuration. And let's see how we pebble a circuit. So that's what we're left to with to do. So think that you have the following circuit. There's an OR gate. And for example, it has two inputs which are by themselves OR gates. And there's a big subtree underneath each of them. So we're going to recursively pebble this circuit. So first, we pebble the left subtree of the circuit recursively. We put the pebble. We add the pair root gate comma zero to the configuration to symbolize that the left subtree of the root gate is pebbled. Then the next step is to pebble the right subtree and to update the configuration to contain the pair that the root gate comma one, meaning that both of its children are pebbled. At this point, we can pebble the root gate which is an OR gate. So we need both of its children to be pebbled. So we pebble the root gate and update the bit corresponding to the root gate in the configuration. And now we reverse this process by unpebbling the right child, updating the configuration and unpebbling the left child and updating the configuration. And now we're in the situation we wanted to get to. We wanted that there is only one pebble in the tree and in the graph and it's on the root gate. So this is what we wanted. If you followed me then what you can show is that the number of pebbling rules has a recursive equation which is four. If you want to pebble a tree or a circuit of depth D you need four times whatever you needed to do with a circuit of depth D minus one. The four comes from the fact that you need to pebble the left child and then the right child and then to reverse everything. So that's the four. And the size of a configuration is just the size of a configuration in the subtree plus the description size of the name of the root gate which is log S bits plus two more bits which are minor. Just this is the bit to specify whether the root is pebbled or not. And that's it. That basically gives us whatever we wanted. If you solve this recursion you will recover what is written in the top. So I'll conclude. What we have is a framework. What I showed you is a framework, general framework for proving adaptive security of various protocols. Using our framework we recovered many previous works and simplified their proof and some of them significantly. We have a new result for secret sharing that I described to you. There's a related framework in the work of Fanant et al from last year's TCC in the context of adaptive run delegation which leads me to the following question of whether we can find more applications or more works that can be phrased in this framework. It's really easy to define, really easy to use. Of course it raises questions, many questions about pebbling games. And I think a very nice question is whether there is a relation in the opposite direction. Namely, if we can prove a lower bound for pebbling can you use it to devise a text on the adaptive security of various protocols that we're trying to prove? And that's it.