Okay, welcome to this third day of the randomness school. My name is Krzysztof Pietrzak, I'm from IST Austria, and today I will tell you a bit more about pseudoentropy, but we will actually start with information-theoretic crypto. The organizers asked me to talk about specific topics, in particular leakage-resilient crypto, so large parts of the stuff that I will show you this week will actually be stuff that I've been involved in, and I will use this opportunity to not only show you the technical results one by one but also give you kind of a story of how we actually, sometimes more accidentally than not, arrived at these results, and what worked and what didn't.

So for the first roughly hour or so I will talk about information-theoretic crypto, more concretely about intrusion-resilient cryptography and even more concretely about intrusion-resilient secret sharing. Even though the primitive itself didn't turn out to be particularly useful, or people don't use it, a tool that we developed within this process, which is called alternating extraction, turned out to be very useful for many other applications, in particular for leakage-resilient cryptography, which I will then mention in the middle part of my talk. And then, maybe for the last hour or so, I will come back to pseudoentropy, so I will catch up where Leo left off yesterday and I will show you, for example, what we also mentioned yesterday: a counterexample to the conditional chain rule for HILL entropy. And also, maybe the story of how we got there was more interesting than the actual result.

So I got this new toy here, an iPad, so I will try to partially do the talk on this thing, and if it doesn't work I might switch back to the whiteboard; and maybe also definitions and things like that I might do on the whiteboard. Okay, and if you have any questions at any time,
just interrupt me. I think we are not such a big group, so we can make it more or less interactive.

Okay, so let's see something: intrusion-resilient secret sharing. So who has heard about secret sharing? I think most of you, exactly, everybody who has taken the basic course knows secret sharing. It was introduced in '73, independently by Shamir and Blakley, and for the sake of this talk I will actually look at the simplest form of secret sharing, n-out-of-n secret sharing. So I want to share a secret amongst n parties such that when they all come together they can reconstruct it, but any n minus one of them have, information-theoretically, no idea about what the shared secret is. In fact, for the sake of this talk I will even just look at two-out-of-two secret sharing, so just two parties, and to make things even simpler I will look at something that is called random secret sharing. So the secret that those parties actually share will be a random string, but it's easy to turn a random secret sharing into a general secret sharing by then using this random string as a one-time pad to encrypt the message.

So if you want to share a random string amongst two parties, you have a dealer and two players P1, P2, and the dealer wants to send out the secrets. Of course the simplest way to do this is: let's just give them uniformly random strings R1, R2, both l-bit strings (it's kind of weird to write on this iPad because I have to look down), and the shared secret will be simply R1 bitwise XOR R2. If we now want to share a secret message amongst them, you can also publicly announce, or give to one of the players, a ciphertext C, which is the message XOR with the key; let's call this key K.
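The two-out-of-two random secret sharing just described, written out as an added example (this is not code from the talk or from any paper it refers to): the dealer samples R1, R2, the key is K = R1 xor R2 and the message is one-time-padded under K. The function `single_share_reveals_nothing` is the exhaustive form of the Shannon argument the talk mentions: for tiny secrets it enumerates all share pairs and checks that the distribution of what one player sees, (R1, C), is literally the same for every message M. The helper names and the contrast function `bad_sharing_reveals_message` are my own constructions.

```python
import os
from collections import Counter
from itertools import product


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def deal(message: bytes, rng=os.urandom):
    """Dealer side of the random 2-out-of-2 sharing from the talk:
    R1, R2 uniform, K = R1 xor R2, and C = M xor K as the one-time-pad ciphertext."""
    length = len(message)
    r1, r2 = rng(length), rng(length)
    key = xor(r1, r2)
    return r1, r2, xor(message, key)


def reconstruct(r1: bytes, r2: bytes, c: bytes) -> bytes:
    """Both players together: recompute K and strip the one-time pad."""
    return xor(c, xor(r1, r2))


def single_share_reveals_nothing(nbits: int = 3) -> bool:
    """Exhaustive version of the Shannon argument for nbits-bit secrets:
    the joint distribution of (R1, C) is identical for every message M,
    so a party holding R1 and C has no information about M (R2 by symmetry)."""
    space = range(1 << nbits)
    distributions = []
    for m in space:
        view = Counter()
        for r1, r2 in product(space, repeat=2):   # uniform over all share pairs
            view[(r1, m ^ r1 ^ r2)] += 1
        distributions.append(view)
    return all(d == distributions[0] for d in distributions)


def bad_sharing_reveals_message(nbits: int = 3) -> bool:
    """Contrast (constructed mistake): if the dealer reused R1 as the key, K = R1,
    the view (R1, C) pins down M exactly, and the distributions differ between messages."""
    space = range(1 << nbits)
    distributions = []
    for m in space:
        view = Counter()
        for r1 in space:
            view[(r1, m ^ r1)] += 1
        distributions.append(view)
    return any(d != distributions[0] for d in distributions)


if __name__ == "__main__":
    r1, r2, c = deal(b"constructed sample message")
    print(reconstruct(r1, r2, c))
    print("one share + ciphertext independent of M:", single_share_reveals_nothing())  # True
    print("broken variant leaks M:", bad_sharing_reveals_message())                    # True
```

The exhaustive check is only feasible for a few bits, but that is enough to see the structure of the argument: for fixed R1, the map R2 -> C is a bijection, so C is uniform and independent of M no matter which message was shared.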
The C can either be public or given to one of the players, and I claim this is a secret sharing. Why? Because of course if both of them come together, from R1, R2 they compute the key K, they decrypt this one-time-pad ciphertext C and they get the message M. On the other hand, any one of the players independently has no information about the key K and thus about the message M. So this is something that you probably learned in the introduction to crypto courses; it is something that Shannon already showed. So let's say you have R1. What one has to show, information-theoretically, is that M is uniformly distributed, or that there is no information about the message M given the ciphertext C and either R1 or R2; it's symmetric. So I'm not going to do this math here, but that's a very simple two-out-of-two secret sharing. Okay, that's well and fine.

So now I want to introduce another concept, which is called intrusion resilience. So if you have the secret sharing, we have just two parties that hold the secret, but maybe they hold the secret on their laptops or on their iPhones, and every now and then a virus comes along, the device gets infected and the secret gets stolen. And to mitigate the consequences of such attacks the concept of intrusion resilience was introduced, or intrusion-resilient cryptography. So who has heard about intrusion resilience in cryptography? Okay, almost nobody, so let me say a few words about this. This has been introduced independently by Dziembowski in '06 at TCC '06, and then by Di Crescenzo, Lipton and Walfish at TCC one year later. The idea is very simple. So if you have your device, this is your computer, it has some short secret, maybe a secret key or a share like in secret sharing or some other thing that you really cherish, and now this virus, for example, can
just take your secret key, these 1024 bits or whatever, and send it out to the adversary. That's what happens all the time. The idea of intrusion-resilient secret sharing is simply: it's very hard to prevent computers from getting infected every now and then, but the idea is that the bandwidth is bounded. So even if your computer gets infected and you have a virus on it, maybe the amount of information that the virus can send out from your computer is bounded. Once it's sending out hundreds of gigabytes you will realize this, or there are all these mechanisms that detect this kind of infection and take some countermeasures. So the idea is simply to have again your device, but the key now is huge, think a hundred gigs or something like that.

And the security notion that we want for intrusion-resilient schemes is the following: even if you get the virus on your computer and the virus manages to send out not the entire key but some function phi of K, which is say 50 gigabytes or something, so it's an arbitrary function of your secret key, and the virus on the computer can process these hundred gigabytes as it wants, it has to compress them to 50 gigs and sends out this compressed key. And what we want is basically security, whatever this secret is useful for; what we want is that the scheme still remains secure, assuming that the key K still has sufficiently high min-entropy. So we want security as long as, let's say, the min-entropy of the key K given the view of the adversary, so the adversary has this compressed key phi of K, is sufficiently large. Okay.

So how can we use this intrusion-resilient paradigm for secret sharing? Here's a very simple idea. So again we have a dealer, let's call him D, and now instead of having short secrets R1, R2, let's pick gigantic secrets R1, R2.
So let's use capital letters for the players P1, P2, and let's keep the capital letters R1, R2; think of R1, R2 as hundred-gigabyte strings, uniformly random hundred-gigabyte strings. What would be the shared secret? So there is something like a two-source extractor. This is just as a warm-up, so I will not really define the objects we will need. There is something that is called a two-source extractor. We have seen strong extractors, where we had the source, which had sufficiently high min-entropy, and you had the uniformly random seed independent of this source, and the output was uniformly random given the seed. A two-source extractor is something even more sophisticated: it takes two random variables, they have to be independent, but none of them has to be uniformly random. So a two-source extractor takes two variables, and whenever each of them has some minimal amount of min-entropy, the output will be uniformly random. So if you have such a two-source extractor, you can define the secret K to be simply the extracted value of R1, R2. And why is this a good intrusion-resilient scheme now? Simply because if an adversary, say, infects the computer of P1, he can leak 50 gigabytes; then maybe he infects the computer of player P2, he may also leak 50 gigabytes; or maybe even the player P2 infects the computer of P1, so he gets 50 gigs of leakage. That doesn't quite work... Okay, I'd say this is intrusion-resilient as long as, let's see. But there are several issues. The first I will mention now, the second issue later; the first issue is of course that this is highly inefficient for reconstruction.
So even though these secrets R1, R2 are huge, a hundred gigabytes, to reconstruct this short secret the players P1 and P2 have to come together, one of them has to bring his hundred-gigabyte share, they bring their hundred-gigabyte shares together and reconstruct the secret. So the communication complexity between them will be huge to reconstruct these things, and there is another issue that I will mention in a second. But let's first address this first issue, that the communication complexity is huge.

So this secret sharing is secure. What I want to say: think of an adversary who leaked, so he infected the computer of P1, he got some phi1 of R1, he infected maybe the computer of the second player, he got phi2 of R2, and what one can show is that the key K is still uniformly distributed, or close to uniformly distributed, epsilon-close, if these R1, R2 have sufficient min-entropy and this is a two-source extractor which outputs epsilon-close-to-uniform keys. So the key K will still be close to uniform even given this 50 gigs of leakage from both shares. Yes.

So okay, let's first fix the first issue. How can we make the communication complexity for reconstructing the secret small? Because the key K will usually be very short; we only want the shares to be huge to have this intrusion-resilience property. So a simple trick to make the reconstruction efficient is the following. Let's say player P1 not only has this huge share R1, but let's also give him a short seed S1, and let's give the player P2 also a short seed S2. And now to reconstruct the secret, let's use a regular extractor.
Let's say the key K is defined as: we extract from R1 a short, maybe a thousand-bit, secret or so, but using the seed S2, so the seed from the other guy, S2, and XOR this with, symmetrically, what we extract from R2 using the seed S1. Now, as before, this key K will actually still stay close to uniformly random even if you have leakage from both sides, as long as this leakage is not too big. But on the other hand now the reconstruction of the secret is very efficient, because players P1 and P2 can reconstruct the secret by simply having the player P1 send P2 his short seed S1. The player P2 will compute, let's call this here K1, the player P2 will compute this short key K1, send it over to player P1, and he will also send his seed S2. Player P1 will compute the key, which he now can do because he has the seed S2 and he has the key K1, so he can compute the key K, and you have reconstructed the secret with very short communication.

Okay, so we're almost there. We have an intrusion-resilient secret sharing scheme: both players have their secret, even if you leak 50 gigs from any side. Yes? No, they can leak... Yeah, yeah, so I can't do that now. Come here. You don't have to use it too. So the lower thing: the upper thing is the two-source extractor; drop them, because there is no seed, I mean no short uniform seed, I just have these two huge R1, R2's. That was the second solution; then in the second step I said let's give them short seeds, define the key as in orange down here, and this has now the advantage that they can also reconstruct much more efficiently, because they just have to exchange these short seeds. Okay, so there is one big problem here, or big problem,
maybe issue. I told you that this is an intrusion-resilient scheme: this key K was uniform even if the adversary gets leakage phi1 of R1, phi2 of R2. Okay, this is still true for this new scheme down there, but this is only true if these leakage functions phi1, phi2 are independent, let's say if the leakage function phi2 for example is independent of the leakage function phi1. So here, if you're not forced to choose phi1, phi2 independently, but you can maybe first choose phi1, then choose phi2, and maybe then attack the other one, attack the other guy again, here is an attack. Let's see if we can do this on this thing. So player 1 has R1, S1 and player 2 has R2, S2. So what an adversary could do is: he has his virus, he infects the machine of this computer here and he leaks something very short; he just leaks this very short S1. So he defines his leakage function phi1 to leak just the seed S1. Now once he knows S1, he infects the computer of the second guy and he defines his leakage function phi2 to depend on the leakage he learned from the first share. So he defines this simply as: infect that computer, extract something from R2 and give me that back. So this is the leakage: infect the computer, give me back the short seed S2, but also give me back, using the seed S1, what is extracted from R2. And then maybe he goes back to the player P1 and infects him again. Now he knows S2, so he can learn the short value extracted from R1 using the seed S2, and at this point he has reconstructed the entire secret, right?
Everyone with me so far? Okay. I mean these are just shares lying around on some servers. Yeah, exactly. So now, even for secret sharing I actually would want to have security even if you have this thing in the full, or against... But now I even look at the player from the outside, who has actually none of the shares. He just infects this computer, gets S1, infects this one, gets the key K2 and S2, infects this one again, gets the first key K1. Of course if this is a malicious guy, he infects this guy once, gets back K2 and he's done. Okay. But you already see there is a little bit more going on than before. What we have to do here is that the adversary has to infect this guy, then go over to this guy and then go back to the first guy, so at least he has to alternate already a little bit.

And let's push this even further, and this was actually how alternating extraction came up. We said, can you have such a scheme which is intrusion-resilient, but, okay, we want an efficient reconstruction procedure. So we want that the players P1 and P2, exchanging t short messages, will be able to reconstruct the secret. This means that no matter what we do, if we consider an adversary who can infect the first player, output something, then infect the second player, output something short, infect the first player again, if he can do this t times, he will always be able to reconstruct the secret. But let's make t big, a hundred. What if the adversary is only allowed to infect the players alternately 99 times, but now we allow the adversary to actually not just output short leakage like the original reconstruction procedure, but a lot, maybe even 50 gigs on average, of the entire messages. Can you get a scheme that is still secure in this setting?
And this is exactly what alternating extraction is about, or what intrusion-resilient secret sharing is about, and it's achieved using a concept that is called alternating extraction. And this alternating extraction roughly works as follows. So now let me not call them players P1 and P2, but, just to be consistent with how these players are called in the literature, one player is called Quentin and he has a huge secret Q and some short seed S1, and then we have another player W; I think W stands for Wendy. Quentin and Wendy. So each of them has this huge hundred-gigabyte share, and now I simply define a protocol between these two players, and then I will later tell you what property this protocol has; in fact I already mentioned it before. So this protocol will have t rounds, for whatever t; fix some t, a hundred. And it works as follows: in the first round Quentin simply sends over S1 to Wendy. Wendy takes S1 and computes a value R1: she uses some normal standard strong extractor and she extracts some value R1 from her big secret W using the seed S1 she just got from Quentin. Quentin gets this R1, and you can guess what he does: he computes a value S2 by extracting, again, a short seed S2 from his big random variable Q using the seed R1 he just got from Wendy, and so on. This goes on up to S_t. Let me just draw a few more lines because we will use them: R2, S3, I think that's going to be enough. Okay, so now I want to prove a theorem about this very simple protocol, and for this I will need a little bit of notation.
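Both the seeded two-out-of-two scheme from earlier (K = Ext(R1; S2) xor Ext(R2; S1), reconstructed with three short messages) and the Quentin/Wendy protocol just described, as one added example that is not code from the talk or from the papers it refers to. The shares are a few kilobytes instead of a hundred gigabytes, and `ext` is a SHA-256 stand-in for the seeded strong extractor (an assumption made only so the code runs; it gives none of the information-theoretic guarantees of the leftover-hash or locally computable extractors the talk has in mind). The function names, `SEED_LEN` and `KEY_LEN` are my own; what the code shows is the mechanics: which short values cross the wire, and that t rounds of alternating extraction take exactly 2t-1 short messages.

```python
import hashlib
import os

SEED_LEN = 16   # assumed short-seed length in bytes
KEY_LEN = 16    # assumed extracted-key length in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ext(source: bytes, seed: bytes, out_len: int) -> bytes:
    """Ext(source; seed): stand-in for a seeded strong extractor.
    ASSUMPTION: a SHA-256 hash keyed by the seed is used only so the protocol runs;
    it is a heuristic, not one of the information-theoretic extractors the talk
    refers to, so it carries no security proof."""
    h = hashlib.sha256(len(seed).to_bytes(4, "big") + seed + source).digest()
    return h[:out_len]


def deal_seeded(share_len: int, rng=os.urandom):
    """Dealer: huge shares R1, R2 plus short seeds S1, S2.
    The shared key is K = Ext(R1; S2) xor Ext(R2; S1)."""
    r1, r2 = rng(share_len), rng(share_len)
    s1, s2 = rng(SEED_LEN), rng(SEED_LEN)
    key = xor(ext(r1, s2, KEY_LEN), ext(r2, s1, KEY_LEN))
    return (r1, s1), (r2, s2), key


def reconstruct_seeded(p1, p2):
    """Three-short-message reconstruction: P1 sends S1; P2 answers with
    K1 = Ext(R2; S1) and S2; P1 finishes with K = Ext(R1; S2) xor K1.
    Returns K as computed by P1 and the values that crossed the wire."""
    r1, s1 = p1
    r2, s2 = p2
    msg1 = s1                              # P1 -> P2
    k1 = ext(r2, msg1, KEY_LEN)            # P2 extracts from its own share
    msg2, msg3 = k1, s2                    # P2 -> P1
    key = xor(ext(r1, msg3, KEY_LEN), msg2)
    return key, [msg1, msg2, msg3]


def alternating_extraction(q: bytes, w: bytes, s1: bytes, t: int):
    """Quentin holds (Q, S1), Wendy holds W. Round i: Quentin sends S_i,
    Wendy replies R_i = Ext(W; S_i), Quentin computes S_{i+1} = Ext(Q; R_i).
    After t rounds both know S_t; exactly 2t-1 short messages are exchanged.
    Returns S_t and the transcript as (direction, bytes) pairs."""
    transcript = []
    s = s1
    for i in range(1, t + 1):
        transcript.append(("Q->W", s))     # S_i goes to Wendy
        if i == t:
            break                          # S_t is the output; no reply needed
        r = ext(w, s, SEED_LEN)            # Wendy: R_i
        transcript.append(("W->Q", r))
        s = ext(q, r, SEED_LEN)            # Quentin: S_{i+1}
    return s, transcript


if __name__ == "__main__":
    p1, p2, dealer_key = deal_seeded(4096)          # 4 KB shares stand in for 100 GB
    key, wire = reconstruct_seeded(p1, p2)
    assert key == dealer_key
    print("seeded 2-of-2: reconstructed with", sum(len(m) for m in wire), "bytes on the wire")
    q, w, s1 = os.urandom(4096), os.urandom(4096), os.urandom(SEED_LEN)
    s_t, transcript = alternating_extraction(q, w, s1, t=100)
    print("alternating extraction: t=100 needs", len(transcript),
          "messages of", SEED_LEN, "bytes each")
```

Note how the transcript never contains more than seeds and extracted values: in the seeded scheme 48 bytes reconstruct a key from 8 KB of shares, and in the alternating protocol the whole exchange is 2t-1 seed-sized messages. The theorem the talk is about to state is what turns this count into a security statement: whoever only gets to go back and forth fewer times, even with long messages, cannot compute S_t.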
I mean just notation; let me define some variables. So here's the first observation: of course Quentin and Wendy can compute S_t, for any t of our choice, exchanging 2t minus 1 messages, and here I mean short messages. In fact, using a good extractor the messages can be as short as something like logarithmic in the length of Q and W, log n, plus logarithmic in one over epsilon, where epsilon will be the distance from uniform that our extractor provides. So they can compute this string S_t using just 2t minus 1 very short messages.

And another short remark: at the end of the day we want to use this protocol in some schemes. You say this extractor gets W as input, and W is huge, a hundred gigs, so okay, maybe the communication complexity is small, but the computation is huge, because every time the extractor has to read the entire W. But there is something, actually invented by Salil, who will talk tomorrow, that is called a locally computable extractor, and this is basically an extractor with the following nice guarantee. If you have a gigantic string, a hundred gigs, that is guaranteed to have some min-entropy, maybe ten percent, like ten gigs, and this extractor gets a uniformly random seed, and you want to output something that is close to uniform but fairly short compared to the min-entropy in the big source, so maybe I just want a thousand bits and not ten gigs, then this extractor will have the very nice property that it only needs to read a tiny fraction of the actual big W, and which tiny fraction will also be specified by this seed. So basically think of this huge thing: the extractor will first read a few chunks and then actually extract from these few chunks. So not only is the communication complexity very low here, even the computation complexity is
basically logarithmic in the length of these variables. Okay.

So now of course they can compute S_t using 2t minus 1 messages, and what I want to prove to you now is that they will not be able to compute S_t using even one message less, even if they can communicate much, much more than what we have here. So assume that now they divert from the protocol because they want to compute S_t using one message less, and with the first message Q not only sends S1 but also some, potentially rather long, string M_1^Q. So this is for the notation: M_1^Q means the first message Q sends. And then W will not just send back R1 but also some message M_1^W, then M_2^Q, and so on. So this is just to set notation. So now we look at, if you want, cheating parties, which will later capture the fact that we will look at an adversary who corrupts Quentin and can leak a large string M_1^Q, then corrupts Wendy and can leak a large string M_1^W, and goes back and forth. And we will show that if they can only go back and forth 2t minus 1 minus 1 times, the secret S_t will be close to uniform.

Okay, a bit more notation. If we have all these messages here, let's call them M_{R2}, for example. So M with subscript R_i or S_i will be all the messages up to and including the message in the subscript. And now the last notational thing:
let's call this here the view of Quentin after he received the second message. So V stands for view, the superscript Q (or W) says whose view it is, Quentin's or Wendy's, and the subscript will be "after receiving the i-th message". So in particular, let's pick another nice color, this will be the view of Wendy at time 2. This is just to set some notation, and now I come to the theorem. Maybe I do the theorem on the blackboard so we can have the protocol and the theorem side by side.

So what is the theorem I want to prove? As I said before, the theorem I want to prove is that no matter what Quentin and Wendy do, they will not be able to compute S_t exchanging even one message less than is necessary to trivially reconstruct it with very low communication complexity. I have to make some assumption about the amount of messages that they exchange, because if Quentin just sends his entire Q over to Wendy, Wendy can locally compute whatever she wants, any S_i. So for the theorem, this is the alternating extraction theorem, we will first assume that the messages exchanged between Wendy and Quentin are not too long. Concretely, I assume that the extractor that we use is an (epsilon, k) average-case extractor, which means that whenever the source has at least k bits of min-entropy, or even average-case conditional min-entropy, which Leo presented yesterday, the output will be epsilon-close to uniform. So assume that all the messages up to message i sent from Quentin to Wendy have total length at most the length of Q minus k. So k is what we need to still extract. And that's even more general: maybe Q is not uniform to start with but just has some min-entropy; if Q is uniform then this is just the length of Q. So as long as the messages are, in total, k bits shorter than the min-entropy that was originally present in Q. And moreover, the messages sent in the other direction, from Wendy to Quentin, are also such that they have not decreased
the min-entropy of W almost entirely, leaving at least k bits. Then the following is true. For concreteness, let's pick i to be two. I claim that as long as these messages that Wendy received, so S1 plus S2, leave enough min-entropy in Q, then S3, for example, given the view of Wendy up to this point, so everything she received so far, this S3 will be almost uniform given the entire view of Wendy. How close to uniform? Let's see. So to give you some intuition: how close is S1 to uniform given Wendy's view? I mean it's picked uniformly at random, independent of W, so S1 is going to be perfectly uniform. Then R1, from Quentin's view: R1 is going to be epsilon-close to uniform, because W has high min-entropy and S1 is uniform. So from Quentin's view R1 is going to be roughly epsilon-close to uniform. Okay, then S2 is extracted from Q, but not with a uniformly random seed, rather with a seed that is epsilon-far from uniform, so actually this S2 will be 2 epsilon away from uniform, and so on. So S_{i+1}, the next S to be received by Wendy, given her view up to this point, will be 2 epsilon i close to uniform.

So to define this notation: if I have two variables, left and right, then this tilde with a subscript means that these two variables are, whatever the subscript is, close; this is statistical distance, as we've seen yesterday. So this simply means that the distribution of S_{i+1} together with the view of Wendy, and a uniformly random string, independent of everything and of the same length as S, together with the view of Wendy at time i, after receiving the i-th message, those two tuples will be 2 epsilon i close.
Yes? So the output: there will be some output, and the output will be epsilon-close to uniform as long as there are k bits of min-entropy in the source, so the output has to be less than k, obviously. So if it's a standard extractor, if we use the basic leftover hash lemma, the output can be at most k minus 2 log one over epsilon, and you can come close to that even for extractors with very short seeds. Not the density function, that is not an extractor. Okay, initially yes, but once we start exchanging messages they're not uniform anymore given the view, right? So this is an average-case extractor, which says: as long as the variable we look at has k bits of average-case min-entropy conditioned on whatever has been seen so far. So this is this type of extractor. The M's are okay; they are arbitrary, this is anything that can be computed from whatever has been seen so far. And I will assume that S1 is always part of the M_i's, actually, because I didn't write this here, and I assume that they are very short. This is not necessary, but it's also not much loss of generality, so just for the proof it gets a little bit easier to assume that the S_i's are always part of it. And then there is the symmetric statement for the R_i's: from Wendy's view, how close are the S_i's, and also the R_i's will be uniform from Quentin's view. So that's the theorem. So how do we prove that? Okay, I don't want to prove it here because I also want to leave this on the screen, so let's make the proof at the board over there. I will prove this basically by induction. So I will assume that S_{i+1} is delta, for some delta,
delta-close to uniform given... So again, notation-wise: if I write something like this, for example (A, C) and (B, C), sometimes if I have tuples like this I will abbreviate and simply say the tuple (A, C) is epsilon-close to the tuple (B, C); or if the second part is identical then I'll simply write A is epsilon-close to B conditioned on C. That's just the notational convention here. So this basically says the same as we had on the board over there, with delta being 2 epsilon i. So what I will show is a proof by induction. I will assume for some i that indeed S_i is close to uniform and show that this implies that also the next R_i will be close to uniform, and what does close mean here? Close means delta plus epsilon, so an extra epsilon here. Right, so if you look at the picture there, this basically says: if, given the view of Wendy up to say this point here, this S3 is delta-close to uniform, then I will conclude from that that this R3 will be delta plus epsilon close to uniform given the view of Quentin. So it's not totally trivial, because this closeness is conditioned on this entire part on the right, whereas this one is on the entire part on the left, but we will get there. And again I will prove a symmetric statement for the R_i's: if for some delta prime the R_i is close to uniform given Quentin's view, then... And I claim that once I prove this we're done. Why are we done? Because once we have proved these implications, we know that S1 is actually zero-close, or is exactly, identically distributed to the uniform distribution, because initially S1, Q, W are, let's assume, sampled independently, and S1 is also sampled uniformly at random, so S1 is going to be uniform, and then if you combine these two steps you will see that okay,
this implies that S3 will be 2 epsilon close to uniform, because S1... You see, this is just an induction. Okay, so let's focus on proving this thing. And even more important than really following the proof step by step is that you get the right intuition for these kinds of things, because with information-theoretic proofs, more often than not, you really have to have the right intuition, and once you have the intuition the rest is really just careful and pedantic math.

Okay, so, more on what we have to prove. First, I don't like this: I have this view of W here and here the view of Quentin, and I kind of don't like that. So instead of conditioning on this entire view, so this S3 is uniformly random conditioned on the entire view, I will assume something weaker: I will only assume that it's close to uniform conditioned on the messages exchanged so far, which of course are part of the entire view as before. So in the first step I claim that this here is equivalent to, or implies, that S_{i+1} is still delta-close to uniform given just the messages exchanged up to this point, which with the notation we had would be M_{R_i}. Later we will actually go back from the messages and expand to the entire state, and there we need to be more careful with arguing, but here, if some variable is epsilon-close to uniform conditioned on something, and I just ignore part of the conditional part, I'm not going to learn more,
it's not going to increase the statistical distance. Okay.

So now what I want to prove is this. I have this S_{i+1}, and there is some variable W. So first, that's what I assume: S_{i+1} is delta-close to uniform conditioned on the messages so far. Now I add something here, which will be just a function of S_{i+1} and something independent of S_{i+1}, so that's what I have to show you. So I claim that it's still true. I add something here, namely I take this W, I extract from W, and I claim this is still delta-close. So why is this true? I had these two variables which are delta-close conditioned on something, and now I claim they are still delta-close if I add something. If this would be just a function of S_{i+1}, this is a standard fact from information theory: you cannot increase statistical distance by computation. So if A and B are delta-close, then f(A) and f(B), for any function f, randomized or deterministic, will still be delta-close or closer. But there is this W here, right? But I claim that this W is independent of S_{i+1} conditioned on the view. So more concretely, I claim that S_{i+1}, the messages exchanged up to that point, and W form a Markov chain. So what does Markov chain mean? Markov chain means that these variables can all be dependent on each other, but the dependence of W and this S_{i+1} is totally captured by this intermediate value here. So once I give you M_{R_i}, if you want to learn something about W, you really don't care anymore about this S_{i+1}. And why is this the case? So again, I will not prove it, but look: here is W, here is my S_{i+1}, and these are the messages in between.
So initially this... actually, let's prove a stronger statement first. I claim that Q, the messages here, and W form a Markov chain. Then this will also form a Markov chain, because this S is simply a function of Q and the M_i's. Why is this the case? This is also a lemma that is probably common knowledge, but which we proved in the paper. It is just the following: if you have two variables A and B that are initially independent, and then you compute some value on A, then you compute something on B that can also depend on the messages exchanged so far, and so on, with messages going back and forth, then the statement simply says that A, the messages, B form a Markov chain. The intuition is kind of clear, because A and B are initially independent; of course these messages here depend on both A and B, but the dependence between them is totally captured by this intermediate exchange. I am not going to do the proof off the top of my head, but I hope you believe me. You have these two things that are initially independent, I start communicating, and then conditioned on this thing in the middle they still form a Markov chain: there is nothing you can learn about W given Q and these messages here that you cannot already learn about W just given these messages. Another way to see this: if I give you these messages here and W, you can actually sample this Q with the right distribution just from the messages, ignoring W completely, because why would you care about W?
Okay, so hand-wavy, but these are facts about information, and this is why this first step here is kosher. Okay, but now what is this? This is simply our R_{i+1}, right? Okay, so now let's see. This W has high min-entropy, because we assumed that these messages here leave enough min-entropy in W for the extractor to work. And this is a uniformly random seed, so this here is going to be ε-close to a fresh uniform U', by the definition of the extractor and the fact that W has high min-entropy. Now I want to go back and replace this first U with S_{i+1}; I know that it is δ-close. Okay, everything is conditioned, this is here. So I have S_{i+1} here and S_{i+1} here, so let's move it to the conditional part. So what I proved to you is that R_{i+1}, which is this here... there is a triangle inequality for statistical distance: if A is δ-far from B, B is δ-far from C, and C is ε-far from E, then the distance of A from E is at most the sum of all these distances. That is the triangle inequality, which is true for statistical distance. So I add up δ + ε + δ = 2δ + ε: R_{i+1} is (2δ + ε)-close to uniform conditioned on R_i and S_{i+1}, which equivalently is just all the messages exchanged up to the point S_{i+1}. And I am almost there. There are two problems. First of all, instead of M_{i+1} I would like to condition on the view of Q. But now I claim, by the same argument as before, that given the messages exchanged so far, R is independent of Q. So whether I condition just on the messages, or on the messages and Q, it is not going to change anything, and this thing here is exactly what I want.
That's the view. That's one thing. So this fact that we have these Markov chains between different sets of variables is used extensively in these proofs. And the other thing that is wrong is this 2 here; actually I don't want the 2, and you can prove it directly without the 2. In the original papers we actually just claimed it without proving it, that it is δ. You really have to write out the probabilities and sum them up directly, because here we go from S, we replace it with U, we use the extractor property, and we go back to S. That's why we lose this δ twice, because this S is δ-far. But if you just write out the probabilities and do the math, you save one δ. Maybe if there is time later I can show it to you, because I have the proof on the iPad; it's like half a page of writing out the things, but I don't want to show it because there is no intuition in it. It's kind of clear that you don't have to lose δ twice, but the proof is not giving you more intuition than that.

Okay, so again, what you want to prove is the following. Assume that S is δ-close to uniform, you have a (k, ε)-extractor, and W has sufficient min-entropy. What you want to show is that (S, Ext(W; S)) is (δ + ε)-close to (S, uniform). What I showed you has an extra 2 here, because I first replaced the S with uniform using δ, then I replaced this with uniform using ε, then I replaced S back. But you can do it directly. Actually, let me show you the proof, if I find it. Okay, so that's the wrong proof, right?
So that's what you want to prove, that's what I just showed you: you have an extractor, W has sufficient min-entropy, S is δ-close to uniform. If this S were uniform, this would be ε-close to uniform. But it's not, it's δ far away, and I would like to make a statement about this distribution here, (S, Ext(W; S)). So the pedestrian way to do it, as I showed you, is: okay, replace S with uniform, that costs you δ; then once we have uniform, we know that this is also ε-close to uniform by the definition of the extractor; okay, replace S back and we get what we want. We have to add δ + ε + δ, we get 2δ + ε. Not good, right? So how can we avoid this δ? So here is the proof without losing it: you just write stuff out. Let me define this Δ_x to be the statistical distance of the extracted variable, using the particular seed x, from uniform. So that's what you want to bound, right: the statistical distance of this from this. So first of all, the first argument here, S, is the same in both distributions. So I can simply write this statistical distance as a sum of statistical distances, summing over the first parameter, right?
So I sum over all possibilities for x, and then I take the statistical distance of the second argument here. If you write out the statistical distance, you will see that this is kosher. Nice. Okay, then I do something weird. This is equivalent to: I simply subtract here the probability of the uniform distribution being x, and I add it back. So I subtract this term here and I add it back; that's exactly the same thing. But now let's look at these two terms. What is this: the sum over all x of the probability that the uniform distribution is x, times the statistical distance of the extracted value given x. So this, by definition, is the statistical distance of the extracted value from uniform when using a uniform seed. So this is going to be at most ε. Okay, what about the right term? So here I do some stupid things. I want to upper bound this. So first of all I have this minus this; let's put absolute values left and right. This can only increase stuff, right, because these could be positive or negative and cancel out. So absolute values here. Then this Δ_x is at most one, so let's be generous, let's always put it to be one. And so we are left with this. So what is this, by definition?
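Written out in full, as an added derivation (not part of the transcript): Ext is the lecture's (k, ε)-extractor with d-bit seeds, W is independent of S with H_∞(W) ≥ k, and SD(S, U_d) ≤ δ. The bound uses only that each Δ_x lies in [0, 1] and that the difference terms sum to zero.

```latex
\text{For each seed } x\in\{0,1\}^d \text{ let } \Delta_x := \mathrm{SD}\big(\mathrm{Ext}(W;x),\,U_m\big)\in[0,1].
\begin{align*}
\mathrm{SD}\big((S,\mathrm{Ext}(W;S)),\,(S,U_m)\big)
 &= \sum_x \Pr[S=x]\,\Delta_x
   && \text{(first components agree; condition on } S=x\text{)} \\
 &= \sum_x \Pr[U_d=x]\,\Delta_x \;+\; \sum_x \big(\Pr[S=x]-\Pr[U_d=x]\big)\,\Delta_x
   && \text{(subtract and add the uniform weight)} \\
 &\le \mathrm{SD}\big((U_d,\mathrm{Ext}(W;U_d)),\,(U_d,U_m)\big)
   \;+\; \sum_{x:\ \Pr[S=x]>\Pr[U_d=x]} \big(\Pr[S=x]-\Pr[U_d=x]\big)\cdot 1
   && (\Delta_x\in[0,1]\text{; the terms with negative sign only decrease the sum)} \\
 &\le \varepsilon \;+\; \mathrm{SD}(S,U_d) \;\le\; \varepsilon+\delta .
\end{align*}
\text{Bounding } \lvert \Pr[S=x]-\Pr[U_d=x]\rvert\,\Delta_x \le \lvert \Pr[S=x]-\Pr[U_d=x]\rvert \text{ for every } x \text{ instead}
\text{ gives } \sum_x \lvert \Pr[S=x]-\Pr[U_d=x]\rvert = 2\,\mathrm{SD}(S,U_d)=2\delta,
\text{ the same loss as the pedestrian triangle-inequality argument; keeping the sign of each term is what saves the extra } \delta.
```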
This is just the statistical distance of S and U. So you see, this is true, and you gained no intuition, but that's how you prove it if you have to. And I have to say that the first correct proof of this was actually in the lecture notes of Leo when he was teaching this, and I think the original papers, not just ours but also follow-up papers, just stated this, because this fact is so obvious that you just state it without proof. Fortunately, in this case the intuition was correct. And the 2 really ruins the theorem: it looks harmless, but it is an inductive argument, so if you double every time that's problematic, because instead of 2εi you would get 2^i · ε, which would only be interesting for very small i.

Good. Okay, so that's all I wanted to say about the first part. This was alternating extraction. This went actually much faster than I expected. So do you have any questions about that before we go to the application of alternating extraction, which will be leakage-resilient crypto? No? Okay, so let's go to leakage-resilient crypto. And again, what happened: we proved this in 2007, and it ended up that nobody cares about intrusion-resilient secret sharing, but actually several other applications, like leakage-resilient crypto or key reconciliation, and now also non-malleable extractors and other things, use this kind of technique and trick, and are much more interesting than the original application it was devised for.

Okay, so what is leakage-resilient cryptography? Actually, I can start drawing again on my tablet. Do you prefer the whiteboard or this? Okay, leakage-resilient crypto. This is good to see, right? So who has heard about side-channel attacks? Okay, most of you, so I'll be fast.
So you know, if you have had Crypto 101, you learned that the pillar of modern security is provable security, pioneered by Shafi Goldwasser and Silvio Micali, who just got the Turing Award for that. And what we typically do is we anticipate an adversary. So here is an adversary, and this adversary can attack some kind of cryptosystem, which we typically model as a black box. So there is some box here. This box has some specified input-output behavior. Typically it would have some kind of secret inside that is initially sampled before the experiment starts. Then the adversary can talk to the box. Let's say it's a signature scheme, so the adversary can say, look, here is a message M, and then the box would say, nice, here is a signature for M. So there is a secret key K; let's say a signature scheme just for concreteness. Maybe the adversary initially even gets the public key: we sample the public and secret key of the signature scheme, the adversary gets the public key, he can query for messages of his choice, and at the end of the day he has to output some message M* and signature σ*. If this is a valid signature on M*, and he has not asked for a signature of M* explicitly before, we say he won the game. And if we can prove that no adversary exists, under some assumption, that can win this game with non-negligible advantage, we say that the signature scheme is secure against existential forgery under chosen-message attack. So that's the kind of stuff that you see in typical crypto lectures. But in practice this black box doesn't exist, right?
Typically, if an adversary in the real world interacts with a crypto device, it's a smart card, an ATM machine, maybe a laptop, and potentially this machine leaks much more information than just this black-box input-output behavior that you see. For example, it was demonstrated in, I think, the mid 90s by Paul Kocher: he took smart cards that computed RSA signatures, and what he measured as extra information, he just had a very good stopwatch, he just measured roughly how much time it takes to sign a message. Totally harmless, right? Why would that hurt? But he showed that if you just straightforwardly, naively implement RSA signatures on some device, and you can measure the running time of this device on different messages, you can actually totally break the scheme, because the RSA computation is multiplications and exponentiation, and depending on how the message overlaps with the secret key and things like that, you have more exponentiations; then you collect this data, and at some point you solve some system of equations, and you just have the secret key, out of the running time, right? So very funny.

So nowadays tons of other side-channel attacks have been discovered; the most serious ones are probably power analysis. People take smart cards and measure the power consumption between the battery or the power source and the chip, they see how much energy the chip draws, and from this curve they can get information about the secret key. So this is a big, big topic; there is the CHES community, one of the IACR conferences, where half of the papers are about side-channel attacks, about coming up with new side-channel attacks, about devising countermeasures against these things. And these countermeasures are usually quite ad hoc. So okay, for timing...
It's kind of easy to protect: you just make sure that the running time of your algorithm is independent of any kind of secret values. For other things it gets more complicated. So for power analysis, you can put transistors between the battery and the chip to flatten this out, or you randomize the computation; you do all these ad hoc things. And for us as cryptographers this is horrible, right, because we come and we have these beautiful provably secure schemes, and then what happens in practice? People throw all these heuristics on these things to protect them against what's actually happening. So, unsatisfying. So leakage-resilient crypto: the general theme is, can we use provable security, which has been so tremendously successful in devising secure cryptographic schemes by proving schemes via reductions to hard problems and so on, to also say something about side-channel attacks? Now, we don't want to go into the CHES literature and see what kind of side-channel attacks are there and how to protect against them. We are more ambitious, and we say we want schemes that are secure against any kind of leakage. We don't know what kind of side-channel leakage there is, what information leaks, or whether it's almost everything. Right, so how would we even model this? How would you model, before we even want to construct or prove anything, an adversary who can get arbitrary leakage from a device?
We say, look, we now anticipate adversaries who can not only ask for some messages like M here, but also choose any leakage function F, any efficiently computable function, and then they not only get the signature here, but they will get the function F evaluated on the secret key; maybe this is probabilistic, so it has some random coins, and whatever other secrets have been touched during the computation. Of course, in this setting no security is possible, because F could just be the identity function; it just leaks everything. On the other hand, we don't want to make assumptions about what F is, because, like in provable security, we don't assume that the adversary runs this and this and this attack, and prove that if he does this it's not going to work, if he does this it's not going to work. The only thing we assume is that his running time is bounded, it's polynomial time. So here we want to do the same: we don't want to make assumptions about what F is, because we don't know. But let's make some assumption. Let's assume it's bounded. So what does that mean? It's kind of a channel, right, it's a side-channel attack. Let's assume the capacity of the channel is bounded, or equivalently that the length of the output of this leakage function is not too high: say with every signature he gets at most 100 bits of side-channel information. Okay, you see, even this is not possible in this generality, because if I just leak the first hundred bits of the secret key in the first step, the second hundred bits in the second step, and so on, nothing can be achieved. But that's not quite true, because it could of course be that this secret key is not a fixed value, but it updates itself, and even if you get a hundred bits of every chunk, you will not be able to come up with any kind of attack. So let's see.
So what do we want from a leakage-resilient scheme? I told you there are two aspects that leakage resilience should have at the same time, that set it apart from things that have been done before. One was: we want leakage to be general, so F should be any efficiently computable function; we just want to bound the capacity of the channel, not the type of leakage. And the other thing is we want it to be continuous, and by this I mean the adversary can choose a fresh F with every query, so the total amount of leakage is not a priori bounded. It is bounded per round, but not a priori, so he can get any polynomial amount of leakage. So what has there been? People have looked into using provable security in the context of side channels. Maybe one of the best-known works in this respect is private circuits; this was Ishai, Sahai, Wagner '03. It got the test-of-time award... no, no, sorry, that was the wrong conference. Okay, so who has heard of private circuits? So they anticipated a very particular side-channel attack, namely one where the adversary can probe wires on the circuit. So you have a circuit, the circuit implements the cryptographic algorithm, the adversary can choose some of the wires, and he gets whatever values were carried on these wires. So it's not general at all, but it's continuous, and in fact arguably it has the most influence currently on the CHES community, because they really like these things, because they come up with these masking schemes and so on, and they really like the fact that they can now do things that come with some kind of provable guarantees, and not just talk.
Okay, the bounded retrieval model. Basically this is like the intrusion resilience that I told you about before. So you remember, in the bounded retrieval model we have the secret, and the adversary can leak any function of it, as long as there is some min-entropy left in the key. So definitely the function is very general, but it's not continuous, right: the key is maybe big a priori, so you can actually leak a lot, but not more than the key length. So it's not continuous. So what I will show you now is actually something that allows general leakage and is continuous. There is a little caveat here: when I say general leakage, I will make a little assumption, not about the function F, but about to what inputs the function F is applied. This is called the only-computation-leaks assumption, which I will tell you about in a minute, and where it's justified. And let me just mention that there now actually exist leakage-resilient schemes which, without any caveat, really can leak any bounded information about the entire secret state and public coins and so on, and they are continuous; this is for example by Dodis, Haralambiev, López-Alt and Wichs (FOCS 2010), and I think at the same conference there was one by Katz and Vaikuntanathan. So this is much more recent stuff, arguably much less practical than what I will show you, but just to say that these totally general things also exist.

Okay, so I will show you this thing here, and the concrete primitive I want to look at is a stream cipher. So what is a stream cipher? A stream cipher is basically a pseudorandom generator. You have some initial secret state, and then this algorithm takes the state and processes it. So you have some initial secret state S_0, then you have some kind of process that takes the secret state S_0 and outputs the next state.
Let's call this S_1, and also some secret bits, X_1. Then you can call it again, okay, you get the idea. And what we want is that these states S_0, S_1, S_2 are supposed to be secret, they are in the box and you should never get to see them, and this sequence of bits X_1, X_2 and so on should be pseudorandom. So what we want is that, for any i, or any polynomial i, X_i should be computationally indistinguishable from uniform given all the previous blocks of output. This, by the way, as one of the first applications of a hybrid argument, is equivalent to saying that if you see a sequence of these blocks X_1 to X_i, you cannot distinguish this entire sequence from a uniformly random sequence. And this subscript C here, what do I mean by this? This simply means: no adversary running in time T(n), for any polynomial T. So we have initially some security parameter n, the adversary can run in time polynomial in n, n² or something like that, and no matter what the polynomial T is, I want the advantage of that adversary in distinguishing X_i from U to be negligible, so smaller than one over any polynomial. I hope you have seen this; if you haven't, I'm sure Salil will tomorrow. Basically the C just means computationally indistinguishable.

Okay, so this is a stream cipher. How would the stream cipher now look in the context of leakage attacks? In the black-box setting there is no input this time; it just gives outputs. But in the leakage setting we allow the adversary to choose some leakage function f_1, and he will get back some leakage, let's call it λ_1, which is f_1 applied to the secret state, which here is just S_0. Then he looks at this, he gets X_1, he gets the leakage.
He thinks for a while, he says, okay, here is my next leakage function f_2, and what he gets back is λ_2, which is some function of the current state, this one, and so on. And what do we mean by a leakage-resilient stream cipher? It means that we want the security guarantee as before: the i-th block, the next block to be output, should be indistinguishable from uniform even given all the previous blocks and all the leakage so far. So why don't I... this is i−1, this is actually important. Why don't I put i there? Because the i-th leakage function could just compute the output X_i and output, for example, the first λ bits of X_i. So I cannot hope that some output is pseudorandom given leakage that actually sees that output, right? So this is arguably the best we can hope for. Also something I could show is that X_i has high pseudoentropy given that leakage too, but you know. So can we have a stream cipher like that?

(Question from the audience: and the f's are adaptively chosen?) Yes, exactly. So this f_2 must only be decided upon by the adversary after he has seen the previous round. And there are many different variations, because once you do not allow adaptive f's, the adversary has to choose f_1, f_2 and so on a priori; that is much easier, and there are stream ciphers that are secure in this sense, whereas in the sense as I show you here... so who sees it? This notion is also not achievable, no matter what you do. If you come up with a construction that you claim is secure in this sense, I don't even have to look at it; I know what the attack is going to be. So who sees it?
I'll give you a minute to think about it. It's a totally artificial attack, but we want to prove things at the end of the day, and there is just no hope to prove anything, because there exists a super artificial attack, even if λ is one, even if you're just allowed one bit: it's the precomputation attack. It's totally artificial, and it goes as follows. Let t be the length of the secret state, a thousand bits or whatever, and define the i-th leakage function as follows: the i-th leakage function, on input S_i, will simply output the i-th bit of S_t. So the leakage function gets the state, computes forward up to S_t, and leaks the i-th bit. So here is S_t somewhere. f_1 would give you the first bit of S_t, f_2 gets S_1 as input, computes S_t, gives you the second bit, and so on. After t rounds I have learned the entire S_t, and once I have the entire state I can compute forward whatever I want. So there is no hope. Very artificial, and if you show this to a practitioner he will laugh at you.
He'll say, leakage is like timing or something, not this. But we want to have something that is provably secure, and maybe still reasonably elegant. We don't know if there maybe exist some other subtle things that can go wrong. Okay, so we have to make some additional assumption at this point, and the assumption we will make additionally, which hopefully you will think does not ruin the entire appeal of this argument, was actually proposed a long time before this leakage-resilience stuff came up, by Silvio Micali and Leo Reyzin in a paper called Physically Observable Cryptography, which was an early paper that mostly philosophized about the possibility of doing provable security in the context of side-channel leakage. It had many axioms that it said such leakage would satisfy, I think there were seven, and one of the axioms was "only computation leaks". It said: okay, it's true that you can get side-channel leakage, but you have one handle that you can use, namely that if you have such leakage, typically the leakage comes from things being computed on. So assume you have a device, and this device has maybe two memory blocks A and B, which are maybe even physically separated on the chip. Then you have this chip here, a super fast chip; it maybe also has some small memory for itself. And assume that the computation is performed as follows: in the first step this chip only touches memory A, and it outputs something, but doesn't read or write anything in B. And the only-computation-leaks assumption says: okay, the leakage will only depend on whatever is touched here, but will be independent of B. So that's only computation leaks.
So if you can clearly separate memories that are accessed in different steps... for example, in the stream cipher every invocation of that block that I showed you before would be one step, and if that only touches some part of the memory, the leakage function does not get the entire state as input, but just the part that was touched upon. So maybe in the second step, and that's actually what's going to happen, in the second step you only use this memory block B, so then this leakage λ_2 will only depend on that, and so on.

Okay, so now, because there are 15 minutes left, I'm going to show you a stream cipher that is leakage resilient under the only-computation-leaks assumption, and it will look vaguely familiar to something that you've seen like half an hour ago. Let's see, maybe I have this picture in here. Okay, let's see how this does as a stream cipher. So this is not going to be a stream cipher, because we didn't even use computational assumptions, right? Let's say this S_1, R_1, S_2, R_2 and so on are the output of a stream cipher. We are in this only-computation-leaks model. So the initial key would be Q and W. So it's a stream cipher with a gigantic key, so it's kind of stupid, but let's say it has these gigantic keys.
So in the first step you would get leakage from this here, in the second step you would get leakage from this here, and so on. And what I showed you before is that as long as the entire leakage is sufficiently shorter than Q and W, the next output to be output will actually be information-theoretically, statistically close to uniform. So this already is kind of a leakage-resilient stream cipher, except that the initial key has to be longer than the total output of the stream cipher. But once you make this observation, and you've heard Leo's lecture that you can even increase the amount of pseudoentropy, even in the context of leakage, or even if secrets are not uniformly random, this gives you the idea to say: okay, let's try to refresh these keys on the left and right side so that you can continue outputting pseudorandomness forever, basically, without using it up. Maybe I spoiled already too much.

Okay, so here is the construction, in the last ten minutes. The secret key of our stream cipher will have three parts. In fact the part K_0 here is part of the key, but it's even public; think of it as the first output of the stream cipher. And then it has two other secret keys, A_0 and B_0, and think of them not as before, as hundreds of gigabytes, but as 512 bits or something like that. So it's something that you can reasonably implement. And the construction is the following. In the first step, it only touches the K_0, B_0 part; that's important. It computes a value K_1 and a value X_1 by extracting. Sorry, can you read that?
Okay. So in the first step we take this public random value K_0 and our secret value B_0, and we extract a value K_1, and in fact this K_1 is going to be the next output. Right. Okay, now what do we do with B_0? It looks like alternating extraction, except now we're not going to just keep B_0 as it was; we're going to refresh it, and we refresh it by defining B_1 to be PRG(X_1). Everybody knows what a pseudorandom generator is, I think it was mentioned yesterday: a pseudorandom generator is a cryptographic object that takes a short random string, 512 bits, and expands it to a long string that is pseudorandom. What happens on the left side is nothing, so let me just write this: nothing is touched or changed, A_0 stays A_0. Now what do we do in the second step? We do the same, but we alternate, we go back to the left side, so here we compute K_2, X_2 as the extraction of A_0 with the key K_1. So we have the output K_2, and A_2 is going to be PRG(X_2). So now, why on earth should this be a leakage-resilient stream cipher? Let's remind ourselves what the attacker can do in the OCL model, the only-computation-leaks model. In the first step, the first step only touches K_0 and B_0, right, and this is the final output; this is the input, this is the output. So the adversary gets some leakage λ_1, which is a function of these two values. In the second step he gets leakage here, and so on. Now I'm not going to do the proof of why this is good, but let's try to combine all the things that we have seen in the last two days to argue why this should be a good leakage-resilient stream cipher. So with the alternating extraction argument we have seen that these K values, so K_1, should be somewhat... K_1 is independent.
So k1 would be independent of a1 given all the history, if we wouldn't do this weird stuff with the PRG here, right? But okay, it will still be the crucial argument in the proof, because we will change this evaluation of the stream cipher step by step, replacing a pseudorandom value by a uniformly random value and arguing that the two games are computationally indistinguishable. It will be the case in these new games that these ki's and bi's, or ki's and ai's for odd i, will be independent given the view so far. So this extractor will really output something uniformly random, and then we will show that this refreshing really is meaningful. So what do we know about x1? So if these are independent, so assume that this ki and bi are independent, and b0 has sufficiently high min-entropy given the past view of the adversary so far, then whatever we extract here is going to be uniformly random. Now the adversary gets leakage lambda1. So x1 is no longer uniformly random given lambda1, but it has high min-entropy. Now, you've seen yesterday that if you apply a PRG to a seed with high min-entropy, what you get is something that has high HILL entropy, i.e. it is indistinguishable from something that has high min-entropy. So it means that even though this thing here is... okay, right?
So what we know is that, even given the entire view so far, this b1 here is computationally indistinguishable, let's say up to some epsilon, from some b1' where b1' has high conditional average-case min-entropy, conditioned on whatever we have seen so far. So what is actually done in the proof is that you basically carefully do these replacements. You say: initially they are uniformly random; you get leakage; this x1 is uniformly random, but conditioned on lambda1 it only has high min-entropy; then the output of this PRG will have high HILL entropy, so this b1 will be indistinguishable from something that actually has high min-entropy. And now I switch the games: I replace b1 with b1 tilde and claim that these two games are computationally indistinguishable. So I have something with high min-entropy here, and then I can basically use the alternating extraction game, and so on all the way down. This looks ugly, and it is: it's actually a highly non-uniform argument, right?
Often, if you have cryptographic proofs, you replace this with this in a hybrid argument: you plug something in there, and if the original adversary had advantage epsilon here, it will have some advantage epsilon' over here. That's not the case here, because the only thing that the dense model theorem gives us is that such a distribution exists; we don't know what it is. So it doesn't actually give you a constructive reduction, but it still gives you a meaningful reduction if you assume that the pseudorandom generator is secure in a non-uniform setting. Which means that the output of the PRG on a uniform seed is pseudorandom no matter what extra auxiliary input you get. So we get some super highly sophisticated information that some aliens computed for us, let's say, right? But even then it is going to be secure with uniformly random keys. That's all that we need: we need that there is no hidden, but potentially extremely hard to compute, auxiliary input. That's why this proof is non-uniform. But we're not going to do that.

Okay, so in the last two minutes... Actually, it's good that you finish. Okay, no, let's stop here. So I will show you one other construction of a leakage-resilient stream cipher, which will use a totally different fact. Maybe you've already been told that weak PRFs are secure even if the keys are not uniform. It's going to be a much simpler construction than this one. So this will be the next 20 minutes of the next block, and then we will actually switch to HILL entropy and see why the chain rules do not work as we would like them to. Okay, so see you in half an hour, I guess.
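The following is an added toy model of the construction described above (the public k0, the two secret halves a0 and b0, one half touched and refreshed per step) together with the only-computation-leaks adversary. It is example code written for this page, not the speaker's own code or the published construction: HMAC-SHA512 stands in for the extractor and SHA-256 for the PRG (heuristic stand-ins, not the information-theoretic objects of the proof), the halves are 256 bits rather than the 512 mentioned, the per-step leakage bound is a simple length check, and all names (`ext`, `prg`, `AlternatingStreamCipher`, `run`) and the fixed test values are ours.

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Added toy model of the alternating-extraction stream cipher sketched in the talk.
# Illustrative code only: HMAC-SHA512 stands in for the two-source extractor and
# SHA-256 for the PRG; names and sizes are assumptions made for this example.

HALF = 32  # bytes per secret half (the talk suggests ~512 bits; we use 256)


def ext(k: bytes, half: bytes) -> Tuple[bytes, bytes]:
    """Extractor stand-in: from the current value k and one secret half,
    derive the next output k' and the refresh seed x."""
    d = hmac.new(half, b"ext|" + k, hashlib.sha512).digest()
    return d[:HALF], d[HALF:]


def prg(x: bytes) -> bytes:
    """PRG stand-in: expand the seed x into a fresh secret half."""
    return hashlib.sha256(b"prg|" + x).digest()


# An OCL leakage function sees only (k_{i-1}, active half) for the step it attacks.
LeakFn = Callable[[bytes, bytes], bytes]


class AlternatingStreamCipher:
    def __init__(self, k0: bytes, a0: bytes, b0: bytes) -> None:
        self.k = k0              # public; also the "zeroth" output
        self.halves = [a0, b0]   # index 0 is a, index 1 is b
        self.i = 0               # steps done so far

    def active_half(self) -> int:
        # step 1 touches b0, step 2 touches a0, step 3 touches b1, ...
        return 1 if self.i % 2 == 0 else 0

    def step(self, leak: Optional[LeakFn] = None,
             max_leak: int = 0) -> Tuple[bytes, bytes]:
        """One round: output k_i, refresh the touched half, return (k_i, leakage)."""
        idx = self.active_half()
        k_prev, h = self.k, self.halves[idx]
        lam = b""
        if leak is not None:
            # only-computation-leaks: the leakage is a bounded function of exactly
            # the two values this step computes on; the other half is never passed in
            lam = leak(k_prev, h)
            if len(lam) > max_leak:
                raise ValueError("leakage exceeds the per-step bound")
        k_next, x = ext(k_prev, h)
        self.halves[idx] = prg(x)   # refresh: b1 = PRG(x1), a2 = PRG(x2), ...
        self.k = k_next
        self.i += 1
        return k_next, lam


def run(k0: bytes, a0: bytes, b0: bytes, n: int,
        leak: Optional[LeakFn] = None,
        max_leak: int = 0) -> Tuple[List[bytes], List[bytes]]:
    """Run n steps; return the keystream k_1..k_n and the per-step leakage."""
    c = AlternatingStreamCipher(k0, a0, b0)
    outs, leaks = [], []
    for _ in range(n):
        o, lam = c.step(leak, max_leak)
        outs.append(o)
        leaks.append(lam)
    return outs, leaks


if __name__ == "__main__":
    # constructed, fixed key material so the run is reproducible (not for real use)
    k0, a0, b0 = b"\x00" * HALF, b"\x01" * HALF, b"\x02" * HALF
    one_byte: LeakFn = lambda k_prev, h: h[:1]   # adversary leaks 8 bits per step
    outs, leaks = run(k0, a0, b0, 4, one_byte, max_leak=1)
    for i, (o, lam) in enumerate(zip(outs, leaks), 1):
        side = "b" if i % 2 else "a"
        print(f"k{i} = {o.hex()[:16]}...  leaked {lam.hex()} from half {side}")
```

The point the model makes concrete is the alternation: the leakage function at step i is handed only the previous output and the half being touched, so the other half sits untouched and is refreshed from the extractor's second output the next time it is used. Running the script shows that changing a0 does not change k1 at all but does change k2, while changing b0 changes k1 already.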