So, let's continue. Just to remind you, we are in this corner of the table: privacy with weak sources. I'm going to show pretty strong negative results here, even though there will be some reason for hope. In particular, I'll start with a general framework for showing impossibility of privacy with weak sources, and the framework consists of three steps. The first step is independent of the particular source of randomness; it depends only on the privacy application we have in mind. The second step is something you do only once; it is a little painful, but you do it once, and in fact we will not do it here, I will just point you to the paper. The third step is independent of the application, and it is the only place where you need to look at the source in question. So it is a relatively modular treatment. The first step says that the unfortunate conclusion we are going to reach, "there is no privacy task P under S", reduces to "S is expressive". I'm going to define this notion of expressivity below; it is just the name we came up with, and it will generically imply, for various privacy tasks, that if your source of randomness is expressive, meaning it contains enough distributions to do something I'll define next, then the privacy task is impossible. So let's define expressivity. We say the source S is (t, delta)-expressive if for any two functions f and g from {0,1}^n to some range C (I don't really care what the range is) that are sufficiently different from each other, formalized as Pr[f(x) != g(x)] >= 2^{-t} where x comes from the uniform distribution, there exists a distribution X in the source S such that the statistical distance between f(X) and g(X) is at least delta. Let's parse it. It is a very natural definition. There are parameters t and delta, but roughly speaking, expressivity means the source is rich enough to separate any two sufficiently different functions: if f and g differ on at least a 2^{-t} fraction of the domain, where t is a parameter of the definition, then there is a distribution in the source such that the statistical distance between f(X) and g(X) is at least delta. As an aside, let me remind you what statistical distance is. The statistical distance between two distributions A and B has two equivalent definitions. The first is purely mathematical: it is one half times the sum, over all points, of |Pr[A = x] - Pr[B = x]|. But I like the alternative definition: the maximum, over all distinguishers D, of |Pr[D(A) = 1] - Pr[D(B) = 1]|.
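For reference, here are the two definitions just stated, written out in one place (a transcription of what is on the board, with S the source and U_n the uniform distribution on {0,1}^n; nothing here goes beyond what was said above):

\[
\mathrm{SD}(A,B) \;=\; \tfrac{1}{2}\sum_{c}\bigl|\Pr[A=c]-\Pr[B=c]\bigr|
\;=\; \max_{D}\bigl|\Pr[D(A)=1]-\Pr[D(B)=1]\bigr|
\]
\[
S \text{ is } (t,\delta)\text{-expressive} \;\iff\;
\forall\, f,g:\{0,1\}^n \to C \ \text{with}\ \Pr_{x \leftarrow U_n}[f(x)\neq g(x)] \ge 2^{-t},\;
\exists\, X \in S:\ \mathrm{SD}\bigl(f(X),g(X)\bigr) \ge \delta
\]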
Let me try to parse that and draw a picture over here. Roughly speaking, you have two probability mass functions. The domain is {0,1}^n, which I'm drawing as a line, and of course everything is discrete, but I'll draw them as two curves: the red curve is Pr[A = x] and the black curve is Pr[B = x], over all points x in {0,1}^n. If you draw this kind of plot, the statistical distance is simply half the area between the two curves. It is not hard to see that the statistical distance equals the sum of the blue parts, the regions where the black distribution is above the red one, and it is a simple exercise that this also equals the sum of the green parts, where the red distribution is above the black one. That is ultimately where the one half comes from: the sum of the absolute values is the sum of green plus blue, essentially the total area between the two curves, and because all probabilities sum to 1, the blue area equals the green area. The mathematical definition by itself maybe doesn't tell you much; intuitively it says that if the distributions are the same there is nothing between the curves and the statistical distance is 0. But from the cryptographic perspective, the statistical distance is the best probability with which somebody can tell a sample from A apart from a sample from B. Think about it: if you are the attacker and you get a sample, you have to guess, say 1 means "I guess A" and 0 means "I guess B". If you get a point where red is above black, your most likely guess is red; more generally, everywhere in the green region you say red, and in the blue region you say black, because that is what makes sense. So intuitively, the best strategy of a computationally unbounded attacker given a sample from A or B is: if the point is more likely under A, guess A; if it is more likely under B, guess B. If you work it out, the best distinguishing advantage equals exactly the blue area, which also equals the green area. Did I confuse you completely? All right, I'll assume it is more or less obvious. So statistical distance, whether you take the mathematical definition or the cryptographic one, tells you the best probability with which a computationally unbounded attacker can tell the two distributions apart; if it is very small, there is nothing you can do, no matter how unbounded you are.
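As a concrete illustration of the two equivalent views (a toy Python sketch, not from the talk; the example distributions are arbitrary), the snippet computes the statistical distance both as half the L1 distance and as the advantage of the optimal unbounded distinguisher, which answers "A" exactly on the points where A has more mass:

```python
def statistical_distance(p, q):
    """Half the L1 distance between two distributions given as dicts point -> probability."""
    support = set(p) | set(q)
    return 0.5 * sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in support)

def best_distinguisher_advantage(p, q):
    """Advantage of the optimal unbounded distinguisher: guess 'A' exactly where A is more likely."""
    support = set(p) | set(q)
    # Pr[D(A)=1] - Pr[D(B)=1] where D(x) = 1 iff p(x) > q(x); this sums the 'blue area'.
    return sum(p.get(x, 0.0) - q.get(x, 0.0) for x in support if p.get(x, 0.0) > q.get(x, 0.0))

# Toy distributions over 2-bit strings.
A = {"00": 0.4, "01": 0.3, "10": 0.2, "11": 0.1}
B = {"00": 0.1, "01": 0.3, "10": 0.3, "11": 0.3}
print(statistical_distance(A, B))          # 0.3
print(best_distinguisher_advantage(A, B))  # 0.3, i.e. the two definitions agree
```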
So let's get back to the definition from this aside. An expressive source means that whenever the two functions are sufficiently far from pointwise equal (of course, if they are pointwise equal there is nothing you can do, but suppose there is a non-trivial fraction of the domain where they differ), there is a distribution in the source on which you can tell f apart from g with the stated probability. It is a relatively natural definition, maybe not the friendliest to work with, but we will make it friendlier in step two; for now, this is the definition. Just to see an example, suppose the source consists only of the uniform distribution. I claim this source is not very expressive, and it had better not be, because as I told you, if the source is sufficiently expressive it turns out you cannot do any privacy. Why is it not expressive? Take, say, f(x) = x_1 and g(x) = 1 - x_1, two functions that disagree everywhere. What is t here? They differ with probability 1, so t = 0: the functions are completely different. But under the uniform distribution, what is the probability that f(x) = x_1 equals 0, and what about g(x), which is just 1 - f(x)? Both are exactly one half, because x_1 is a uniform bit. So f(X) is a uniform bit and g(X) is a uniform bit, and as distributions you cannot tell them apart (the snippet below spells this example out). The uniform distribution just cannot separate them, and that is actually the basis of a lot of amazing things, eventually culminating in pseudorandomness and so on: under the uniform distribution you cannot separate functions that are very different, even complementary to each other. For example, jumping ahead, encryptions of 0 and encryptions of 1 under the one-time pad have completely disjoint supports, yet under a uniform key you cannot tell them apart. Unfortunately, it turns out that once the source contains more and more distributions, if the functions are different enough, we can put more and more mass on different points and eventually start to separate them. All right, any questions about the definition before I start showing the implication? Notice that this is a general property of the source; the only difference is that for different privacy tasks P we will need different values of t and delta.
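Here is that uniform-source example in code (a toy sketch, not from the talk): f(x) = x_1 and g(x) = 1 - x_1 disagree on every input, yet under the uniform distribution both f(X) and g(X) are unbiased coins, so their statistical distance is zero.

```python
from itertools import product

n = 4
domain = list(product([0, 1], repeat=n))

f = lambda x: x[0]        # first bit of x
g = lambda x: 1 - x[0]    # its complement: disagrees with f on every single input

def output_dist(h):
    """Distribution of h(X) when X is uniform over {0,1}^n."""
    counts = {0: 0, 1: 0}
    for x in domain:
        counts[h(x)] += 1
    return {b: c / len(domain) for b, c in counts.items()}

print(output_dist(f))  # {0: 0.5, 1: 0.5}
print(output_dist(g))  # {0: 0.5, 1: 0.5}, identical, so SD(f(U), g(U)) = 0
```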
So let me see how to use this definition and give a very simple lemma; this is the formalization of the first step. The lemma says: if S is (t, delta)-expressive, then (using notation I haven't formally defined, but it is relatively obvious) no S-delta-secure privacy task P exists. This is just a formalization of what I told you: if the source is expressive, it shouldn't be possible to do a certain privacy task, and I'm going to give you a list of how much expressivity we need for each privacy task. The notation means that you cannot come up with a single scheme which is delta-secure for all distributions in the source; a relatively intuitive notation. So let me start listing the implications. For (0, delta)-expressive and P equal to encryption, or extraction, of even one bit (since this is an impossibility result, ruling out the one-bit version is already the stronger statement): if your goal is to encrypt, say to generalize the one-time pad, even just to encrypt one bit, forget about n bits, and the attacker tries to tell an encryption of zero from an encryption of one, then as long as the source is (0, delta)-expressive, which is a pretty weak form of expressivity (it only needs to tell apart functions with completely disjoint supports), this is impossible. We have more results; I can list them here, but I'll only prove the encryption one, and I should really copy the rest from the paper so I don't misstate them. I think it is (1, delta)-expressive for P equal to even weak bit commitment, something like (log T, delta)-expressive for P equal to T-out-of-T secret sharing (I'll explain what that means), and so on, and there is something for differential privacy. For those of you who don't know differential privacy, it is a weak form of privacy usually used in database security, where you only require that the output does not let you tell apart any two databases that differ in one record; the details don't matter here. Differential privacy was actually, by the way, the excuse to write this Crypto paper, because that is where the new results were, but what I really liked is that it unified all these things. For differential privacy we had another Crypto paper a couple of years ago, where we showed that you can do differential privacy with Santha-Vazirani sources, while, as we will see from this framework, you cannot do traditional encryption with Santha-Vazirani sources; later we found an explanation for this, and jumping ahead, the explanation is that in this lemma the numbers are slightly different for different tasks. The lemma is usually very simple to prove, as we will see, but there are one or two tricks that depend on the specific privacy application, and depending on those specifics the bounds become a little worse; the bound for differential privacy is one of those. So: t = 0 expressivity already rules out encryption and extraction, 1 rules out commitment, roughly log T (where T is a parameter of the secret sharing, the number of shares) rules out secret sharing, and something noticeably larger rules out differential privacy, and it will turn out that the Santha-Vazirani source is just not expressive enough for that last one.
It is expressive enough to rule out the other tasks, just not differential privacy; though roughly speaking, once you move to weak sources and so on, even differential privacy gets ruled out. Any other questions? Not yet? Oh, yes: T here is the number of shares. For T-out-of-T secret sharing, because we are proving impossibility results, I rule out the weakest possible form, the same way I only care about encrypting one bit for encryption. For secret sharing, I have a secret and I split it into T shares, and normally secret sharing has two parameters, the number of shares you need to reconstruct and the number of shares against which you require privacy. Here I push them as far apart as possible, because it is a negative result: even if you need all T shares to reconstruct, and you require privacy only against a single share, the weakest and most trivial requirement, even that is impossible with the source, provided the source is expressive enough. So let me give you a proof, because the proofs are really simple. The differential privacy one was the hardest; I'm not even spelling out its parameters because I don't want to define differential privacy, and even that one was only about a page in the Crypto paper, just because the definition of differential privacy is annoying enough and has some parameters; the high-level intuition was very simple. So let me give you the proof; I'll definitely finish it on this board. Yes? Oh, that would be step three, you are jumping ahead to step three. As we will see, the uniform distribution is not expressive, because it is just one distribution, so you can have such schemes. But the moment you take the weak source, Santha-Vazirani, or that source from Bitcoin I mentioned briefly, all those sources are going to be pretty expressive (actually, I'll tell you how to deal with something even easier than expressivity), so you won't be able to do any of these tasks. That will be step three; I'll come back and give you a simple example with Santha-Vazirani, but for now I just want to concentrate on step one, this framework. Okay, so let me give you an example of the proof; it is really one line, it is just parsing the definition. Let me prove part (a), and I'll concentrate on encryption. Let's understand what is behind the notation and which direction I want to go: I want to say that if the source is expressive, no encryption scheme works, so assume somebody gives me a candidate encryption scheme (Enc, Dec). Given any such scheme, let me define the two functions: f(x) will be Enc_x(0), an encryption of zero under key x, and g(x) will be Enc_x(1). These are my two functions; the range is arbitrary, whatever the ciphertext space is, strings, numbers, never mind. So what do I know? Well, let's see whether this pair of functions satisfies the non-triviality constraint.
This generalizes to imperfect decryption, but assume you can decrypt perfectly. What does perfect decryption mean? It means that for any particular secret key x, f(x) and g(x) have to be different: an encryption of 0 and an encryption of 1 under the same key cannot coincide. So Pr[f(x) != g(x)] = 1 = 2^{-0}, and notice that the only thing we use about encryption is that you can decrypt, nothing more; so t = 0. Now, in the direct direction: we said the source is (0, delta)-expressive, so there exists a distribution X in the source such that the statistical distance between Enc_X(0) and Enc_X(1) is at least delta. That is what expressivity means. But that means you can actually tell an encryption of zero apart from an encryption of one, so the scheme is not delta-secure: this is exactly the information-theoretic definition, there is an attacker who can tell an encryption of zero from an encryption of one with advantage delta. So this was just pushing definitions around, but it tells you something, and you can do the same for, say, extraction. For an extractor, what is f(x)? Simply Ext(x), and g(x) is the complement, 1 - Ext(x). Again they have disjoint supports, but because the extracted bit is supposed to be statistically close to uniform, the two distributions would have to be close to each other, a contradiction. For secret sharing it is a little more complicated, and for differential privacy more complicated still, but roughly speaking, for secret sharing we say: there are these T shares, and all together they determine the message.
So essentially f(x) will be one of the shares; I don't know in advance the index of the share, but since all T shares together uniquely determine the message (you can uniquely decode from all T shares), by a simple averaging argument there will be one particular share, one player, for which the share has to differ, between the two secrets, with probability at least 1/T. So for secret sharing I set 2^{-t} = 1/T, matching the letter I chose, and a simple averaging argument shows there exists one share, one player, such that with probability at least 1/T the share has to be different. It is a relatively simple argument, and the same kind of proof works for the others. The point you can see from these one-line proofs is that the definition of f and g is the only thing that depends on the privacy primitive P; it captures the heart of what the primitive means. For encryption, all we care about is that it is uniquely decryptable and that encryptions of zero are close to encryptions of one; for secret sharing, that all T shares reconstruct the message but no individual share tells the secrets apart; for differential privacy, something else; for commitment, again, a commitment to zero is close to a commitment to one, plus some form of binding, and binding is not uniqueness, but you translate whatever binding you have into f(x) != g(x). Either way it is really not hard: three of these are half a page total in the paper, and the differential privacy one is about a page, just because we need to push some coins around first. And notice we never needed to say anything about Santha-Vazirani or any specific source; it is a general implication. Any questions about step one? Essentially it shows that this notion of expressivity, which is relatively friendly and does not talk about cryptography at all, immediately rules things out; this is the only place where you connect the privacy application to expressivity. Here I consider the information-theoretic setting, but all the results we are talking about extend to computational settings: essentially you just generalize statistical distance to computational distance with some parameter for the distinguisher's running time, and everything extends trivially. There is only one place, in step two, which also extends but needs a separate argument for why. So everything I say is information-theoretic, but if you make the analogous computational definitions, replacing statistical by computational distance with an extra running-time parameter that you just carry along, the same proofs go through; our definitions are friendly enough to survive the computational setting as well. Yes, there are some small subtleties, for example for zero knowledge, which I didn't put on the board; in our original papers there is some notion of a simulator, so there can be minor definitional subtleties, but for everything natural, like encryption and commitment, it is immediate, and whatever the zero-knowledge subtlety was, we handle it in the paper. (A concrete toy instance of the encryption argument is spelled out right below.)
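To make step one concrete on the simplest possible example (a toy Python sketch, not from the paper; the one-bit scheme and the particular weak distribution are arbitrary choices for illustration): the scheme is Enc_x(m) = m XOR x_1, and the source distribution is uniform over the half of {0,1}^n whose first bit is 0, a perfectly legitimate (n-1)-weak source. On the full uniform distribution the scheme is perfectly secure, but on that one weak distribution the ciphertext distributions of 0 and 1 are at statistical distance 1, which is exactly the kind of failure the lemma predicts once the source is expressive enough.

```python
from itertools import product

n = 4
domain = list(product([0, 1], repeat=n))

def enc(key, msg):
    """Toy scheme: one-bit one-time pad using only the first bit of the key."""
    return msg ^ key[0]

f = lambda x: enc(x, 0)   # f(x) = Enc_x(0)
g = lambda x: enc(x, 1)   # g(x) = Enc_x(1); decryptability means f(x) != g(x) for every key

def output_dist(h, source):
    """Distribution of h(X) when X is uniform over the set `source`."""
    counts = {}
    for x in source:
        counts[h(x)] = counts.get(h(x), 0) + 1
    return {c: v / len(source) for c, v in counts.items()}

def sd(p, q):
    pts = set(p) | set(q)
    return 0.5 * sum(abs(p.get(c, 0.0) - q.get(c, 0.0)) for c in pts)

uniform_src = domain                              # the full uniform distribution
weak_src = [x for x in domain if x[0] == 0]       # an (n-1)-weak source: min-entropy n-1

print(sd(output_dist(f, uniform_src), output_dist(g, uniform_src)))  # 0.0: perfectly secure
print(sd(output_dist(f, weak_src),    output_dist(g, weak_src)))     # 1.0: attacker wins outright
```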
This presentation is from a paper at Crypto last year; we somewhat ambitiously called it "Privacy with Imperfect Randomness". The excuse was to prove the new results on differential privacy, but really the point was the framework itself. It abstracts things that were implicit in our previous work; there we never completely separated out the Santha-Vazirani-specific details, there were bits and pieces, and by separating them we even, somewhat surprisingly, improved some of the results of the earlier papers in minor ways, small factors in the entropy and so on. So this is just from last year, believe it or not, and the way it came out is that I was teaching a class, noticed the similarities while preparing it, and gave it to a student as a project, saying we are probably proving the same thing two or three times, so something common must be going on; it turned out to be embarrassingly simple. All right, let's do step two. Yes? Oh, sorry, this is little x: I'm just defining a function, which depends only on the primitive at hand, encryption or commitment; there are no probabilities here. Given a string x, view x as the secret key: f(x) is the encryption of 0 under key x, and g(x) the encryption of 1. The probability that f(x) differs from g(x) is taken over a uniform x, and the capital X is a distribution from the source. And yes, of course X can depend on f and g; that is part of the definition: you fix f and g, and for any such f and g, if the hypothesis holds, there exists a distribution X in the source. In case it wasn't clear: X depends on f and g. All right, so let's do step two; I'll put it here. Step two is a slight reformulation, really a weakening, of the definition of expressivity. It says (just because I have little space, I'll use a horizontal arrow instead of a vertical one) that (t, delta)-expressivity follows from (t+1, delta)-separability, where I still have to define separability. Roughly speaking, expressivity is the notion that is nice to connect to applications, like semantic security for encryption, while separability is like indistinguishability for encryption: qualitatively a notion that is less natural to state, but from which it will be much easier to derive the impossibility results. So let me define separability. We say that S is (t, delta)-separable if for all sets G and B in {0,1}^n such that G and B are disjoint and, I'll write it here, the size of their union is at least 2^{n-t}, so as long as you find two disjoint sets which are sufficiently large, together at least a 2^{-t} fraction of the whole universe, there exists X in S such that (I could write it as a statistical distance, but I'll write it directly) the probability that X lands in G, minus
the probability that X lands in B, is at least delta, with absolute values, just for symmetry. So roughly speaking (I won't reuse that board): you have the universe and any two sets G and B that are disjoint and not too small (of course, if they are too small, you may simply never hit them), and there must exist a distribution in your source which puts significantly more mass on G than on B. Maybe it also puts mass elsewhere, but there is a distribution that gets into G with much higher probability than into B. So, intuitively, separability says the source is rich enough to separate any two sufficiently large disjoint sets. You can even say it formally: separability is a special case of expressivity, for Boolean functions with disjoint support. Just look at the characteristic function of G and the characteristic function of B: they have disjoint supports by assumption, and they differ with probability at least 2^{-t}, because together G and B cover at least that fraction of the domain. So this is essentially a special case of expressivity, and the claim of step two is that this restricted case is already the main thing: we reduce from functions with a general range, which was very convenient for encryption where I don't want to care about the ciphertext space, to Boolean functions, and all it costs is one in the non-triviality parameter; the claim is just marginally harder to prove than the special case. Is the statement clear, or confusing? I wasn't actually going to prove it, but maybe I'll tell you the intuition. The proof uses universal hash functions in a cute way; it is not very hard, about a page long, and you do it once. The way to prove it: we have to show that if the source is separable, it is expressive, so suppose you can separate any two large disjoint sets and take any two sufficiently different functions f and g. Roughly speaking, we take these functions and compose them with a randomly chosen universal hash function from whatever the range is down to {0,1}; that gives us two sets, which we can make disjoint while losing at most a factor of about one half; then we directly use the separating distribution for those sets and argue that it also separates f from g, the distinguisher being the hash function itself. Something like that; I may be getting a detail wrong because I didn't write it down, but it is a one-time argument and not that unintuitive. There is also a much simpler version you can do by a hybrid argument, but then you lose not a factor of 2 but a factor of the logarithm of the range size, which is what we did in our original proofs. No, no, there is no extra restriction; the only loss is that factor of one half, and yes, the union has size at least 2^{n-t}, that is, at least a 2^{-t} fraction of the whole domain, so a random element falls into G or B with probability at least 2^{-t}, just generalizing the picture. And no, we don't change delta; what changes is only the non-triviality parameter t.
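Here is a toy sketch of that hashing intuition (my reading of the argument just described, not the paper's actual proof; a truly random function stands in for the universal hash, and f, g are random functions chosen only for illustration): after hashing the range down to one bit, the points where f and g disagree split into two disjoint sets G and B that together keep about half of the disagreement, which is exactly the "lose one in the exponent" step.

```python
import random
from itertools import product

random.seed(1)
n = 10
domain = list(product([0, 1], repeat=n))

# Two arbitrary functions into a larger range C (|C| = 256); they disagree on almost
# every input, so the non-triviality parameter t is essentially 0.
C = 256
f = {x: random.randrange(C) for x in domain}
g = {x: random.randrange(C) for x in domain}

# Stand-in for a universal hash h : C -> {0,1} (a random function, for illustration only).
h = [random.randrange(2) for _ in range(C)]

G = [x for x in domain if h[f[x]] == 1 and h[g[x]] == 0]
B = [x for x in domain if h[f[x]] == 0 and h[g[x]] == 1]

disagree = sum(1 for x in domain if f[x] != g[x]) / len(domain)
captured = (len(G) + len(B)) / len(domain)
print(disagree, captured)   # `captured` is roughly half of `disagree`
# G and B are disjoint by construction.  Any source distribution X with
# Pr[X in G] - Pr[X in B] >= delta also distinguishes f(X) from g(X):
# the distinguisher is simply D(c) = h(c).
```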
Okay, so let me skip the details of this step; it is not super deep, but hopefully you see the intuition that separability is just a special case plus a one-time hashing trick that we prove once. The important point is that this step is independent of both the source and the application: it is a general statement, done only once, which is why, after we wrote the proof, I happily forgot about it. All right, let's do step three, and hopefully everything will come together. What do steps one and two imply? They imply that separability of the source rules out all these privacy tasks. So let me give you a couple of very simple examples of separability; there is a lemma which states them exactly, but notice that separability is something very concrete and very intuitive. Example 1: a k-weak source, and in fact I'll even set k = n - 1. This generalizes the one-time-pad discussion: remember, the one-time pad with one bit of entropy deficiency was already bad, and we want to say that you cannot fix it, that there is no encryption scheme at all which tolerates an (n-1)-weak source, even with just one bit of deficiency. So let's apply the definition; I'll do it for general t, it works for any t and doesn't really matter. There are these two sets G and B; without loss of generality assume |G| >= |B|, so |G| is at least 2^{n-t-1}, G is the slightly bigger set. Now I want to pick a distribution with min-entropy at least n - 1 which falls into G with much higher probability than into B. Can somebody tell me how to build this distribution? All right, I'll help you: I'll partition the universe, drawing a line, into two sets of size 2^{n-1} each, in such a way that one half contains G and avoids B (and if G is too big to fit, that only makes my life easier, I just take 2^{n-1} points of G); so I'll just assume I can do it. So what is my distribution with min-entropy n - 1 that falls into G with much higher probability than into B? I just make it uniform over that half. Then Pr[X in G] minus Pr[X in B] equals, well, the second
probability is 0, because X never lands in B, and the first is essentially the size of G divided by the size of the half, so this is at least 2^{-(t+1)}, give or take, because all together G and B have at least 2^{n-t} points and G is the bigger one, so it has at least 2^{n-t-1} of them. So, using our notation, this means the (n-1)-weak source is (t, 2^{-(t+1)})-separable; I hope I didn't make a mistake in the constant, but you see the point. For weak sources it is totally obvious: you put as much mass as you are allowed on one set and completely avoid the other, and you just plug it in, and this is good enough for any application. For example, you can set t = 0, so it is (0, 1/2)-separable, and because it is (0, 1/2)-separable you cannot have 1/2-secure encryption or extraction or anything like that; so it actually gives you, in a very concrete way, the kinds of insecurity you get. I have a whole table of these; I'm not sure if I should draw it, I think I prepared it, so let me see. I was going to do the Santha-Vazirani case, so first: is this proof clear? I didn't spell out the exact parameters, but I just wanted to show that it is really, really simple: I look at the definition, I'm given two sets, and I need to come up with a distribution in my source that separates them; in this case it is obvious what to do, but for other sources it is actually trickier. So, for example, now that we know separability is all we need, I'll erase the expressivity board, because for Santha-Vazirani it is a little cuter and I will give you the whole proof. For Santha-Vazirani the proof starts the same way: I have these two sets G and B and I have to define a distribution. For the weak source it was very simple, I just put a uniform distribution over a suitable half. For Santha-Vazirani, remember, I have the constraint that Pr[X_i = 0 | X_1 ... X_{i-1}] has to be between (1 - gamma)/2 and (1 + gamma)/2. So let me define the following distribution X, and here is how I sample from it. First, call the two halves H_0 and H_1 (I need letters). I pick a bit b in {0,1} such that Pr[b = 0] = (1 + gamma)/2, so roughly speaking I pick a half with just a slight bias, and then I pick a uniform X from H_b. So there is a very slight bias in picking the half, but after that a completely uniform element inside it. There are two claims. Claim one: Pr[X in G] - Pr[X in B] is roughly gamma times 2^{-t}, maybe up to a factor of 2 that I won't remember exactly. Think of the simplest case, H_0 = G and H_1 = B, just to ignore the 2^{-t} factor: then the two probabilities are the mass on H_0 and the mass on H_1, and their difference is (1 + gamma)/2 minus (1 - gamma)/2, which is exactly gamma.
So for t = 0 it is just the slight bias I put on the halves, and for general t you scale it down by 2^{-t} using an obvious adjustment. Is it clear? For Santha-Vazirani the distribution is just: pick a slightly biased half, then pick a uniform element inside that half, and it is very easy to argue that this separates G from B with the claimed probability. What is harder, and I'm going to leave it as an exercise, is that X really is a gamma-SV source. The proof of that is cute, but I'll leave it as an exercise; it is the only slightly painful thing to argue. The source doesn't look at individual bits: it partitions the space arbitrarily into halves and just picks a biased half; somehow, every particular bit, conditioned on the previous ones, ends up with probability between (1 - gamma)/2 and (1 + gamma)/2. So the upshot is that the gamma-Santha-Vazirani source is roughly (t, gamma * 2^{-t})-separable, and again you can plug that into the lemma and get an immediate impossibility result. Let me summarize where we are, in case I was too sloppy in my derivations. The point is that everything is really simple. Yes, you need to keep track of these 2^{-t} factors, but we set ourselves an ambitious task, to show that no encryption or commitment is possible with these sources, and we separated it into essentially two tasks, not counting the one-time step two. One task: given a new privacy notion, zero knowledge, encryption, commitment, understand what kind of expressivity is enough to rule it out; that looks complicated, but as I showed, it is usually just a couple of lines of proof. After that, instead of expressivity you work with separability, and there you forget about your privacy application entirely: you just ask what the best way is, within your source, to separate two disjoint sets, and that is the only thing you need to know about the source; in that part you don't care about privacy at all. You get some number: for Santha-Vazirani we get gamma times 2^{-t}, for the weak source we get the bound above, and for other sources, say the Bitcoin source, you get something else, similar to these. Then you add one to t, because of the plus one in step two (a minor thing), plug it into the theorem, and see whether it is enough. What happened is this: for the weak source, it was very quickly enough to rule out everything, for very mild parameters, even when the entropy is very close to n, like n - 1. For Santha-Vazirani, it was good enough to rule out these three, encryption, commitment and secret sharing, but not good enough to rule out differential privacy, which is what led to the Crypto paper we wrote three or four years ago giving a very non-trivial differentially private mechanism using Santha-Vazirani sources. Unfortunately, Santha-Vazirani is such an unrealistic source that nobody is going to use it, because you have to make a lot of assumptions to believe your real source of randomness looks like that. At the time it was an interesting result, because it gave you a source from which you cannot extract but with which you can still do differential privacy; unfortunately, the follow-up work shows that once you make things a little more realistic, for parameters I didn't put here, those things become impossible as well. So these are the kinds of things you can do; maybe I'll draw them here (both separating distributions are also spelled out concretely in the snippet below). Any questions?
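Both step-three constructions, written as a toy sketch (not from the paper; the parity-based choice of G and B is an arbitrary t = 0 example, and the constants are only the ones discussed above): the first distribution is uniform on 2^(n-1) points inside G, a legitimate (n-1)-weak source that never hits B; the second picks the half containing G with probability (1+gamma)/2 and then a uniform point inside the chosen half, and the last function checks the "exercise" that this really is a gamma-SV source.

```python
from itertools import product

n = 8
gamma = 0.25
domain = list(product([0, 1], repeat=n))

# Toy disjoint sets covering the whole domain (the t = 0 case):
# G = strings of even parity, B = strings of odd parity.
G = {x for x in domain if sum(x) % 2 == 0}
B = set(domain) - G

# Example 1: an (n-1)-weak source, uniform on 2^(n-1) points chosen inside G.
weak = {x: 2.0 ** -(n - 1) for x in sorted(G)[: 2 ** (n - 1)]}
print(sum(weak.get(x, 0.0) for x in G) - sum(weak.get(x, 0.0) for x in B))  # 1.0 >= 2^-(t+1)

# Example 2: a gamma-SV-style source: pick H_0 = G with probability (1+gamma)/2,
# otherwise H_1 = B, then a uniform point inside the chosen half.
sv = {x: ((1 + gamma) if x in G else (1 - gamma)) / 2 ** n for x in domain}
print(sum(sv[x] for x in G) - sum(sv[x] for x in B))                        # 0.25 = gamma

# The "exercise": every conditional bit probability of sv stays within (1 +/- gamma)/2.
def max_conditional_bias(dist):
    worst = 0.0
    for i in range(n):
        for prefix in product([0, 1], repeat=i):
            consistent = [x for x in domain if x[:i] == prefix]
            total = sum(dist[x] for x in consistent)
            p0 = sum(dist[x] for x in consistent if x[i] == 0) / total
            worst = max(worst, abs(p0 - 0.5))
    return worst

print(max_conditional_bias(sv))  # 0.125 = gamma/2, so sv really is a gamma-SV source
```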
I was going to draw an example of the kind of impossibility table that immediately follows by combining this framework, but I'll take questions first if people have higher-level concerns; I hope I didn't lose you, this was supposed to be cute and painless, but I'm not sure I succeeded. So, the kind of thing you get from this, and I'll only fill in one or two rows of the table: here you have the source, and here the privacy task P, which could be extraction, encryption, commitment, all the one-bit versions; I could also put differential privacy, but since I didn't define it I won't. For example, for the weak source I'll actually put a block source, because for block sources the result is even stronger, and it is actually a surprisingly strong negative result: even if you have a block source with only one bit of entropy deficiency per block, and you have a gazillion blocks, no matter how many, you cannot have better than roughly 1/5-secure encryption or extraction, and similarly concrete constants, something like 1/9 and 1/(4T+1), for commitment and T-out-of-T secret sharing; don't hold me to the exact constants. It means that for any such encryption or secret sharing scheme there exists an attacker who distinguishes an encryption of zero from an encryption of one with probability about 1/5, or distinguishes the extracted bit from random with probability about 1/5, and the same for commitment, secret sharing and so on. And you can put the analogous numbers for Santha-Vazirani: with bias gamma you get things like gamma/2, gamma/2, gamma/4, gamma/(2T), and we had other sources, which I won't define, with similarly quantitative impossibility results; super clean, and they follow in one line from this framework. No, you can't; and with block sources that part was actually new. That was new in our work, because, well, I guess something did follow before, but for differential privacy, for example, this was new, and the specific separability result for block sources was a new part of our paper; it was actually super painful to get right, the longest proof in the paper, a two-page ugly thing. Deterministic encryption from weak sources? No. From block sources? No; but sorry, let me clarify, because there is a collision of terms here. Here, the secret key comes from the imperfect source; in the traditional setting of deterministic encryption, the secret key is perfectly uniform, and it is the messages that are assumed to come from a high-entropy distribution, say a block source. Here I'm saying: if the secret key, or more generally the local randomness of everybody, is only this block source, you cannot do it. If local randomness is available, that is the column we are going to spend the third part of this tutorial on. Let me also clarify that these are very theoretical results, hopefully cute, but philosophical in nature: they ask what assumptions about your source of randomness are needed to do cryptography, authentication and so on. And here we are saying that the moment the source is separable, which is essentially the moment
the source has enough distributions. Well, I should be careful saying it that way, because there are pretty powerful sources which are even extractable, from which you can deterministically extract, like two independent sources; that is the recent breakthrough giving better extractors for two independent weak sources. So let me warn you: as long as you have independence, there are a lot of results where you can even extract randomness; but the moment you don't have independence, everything becomes separable and expressive, and the impossibility results come in. What I wanted to say is that using this very clean framework you get very concrete, very simple results, and, even if I was a little slow, in about an hour you can present everything from beginning to end. Of course we didn't see it this way initially: we had a FOCS paper, then a TCC paper, then two Crypto papers, and only now do we have the clearer picture; it took a few years to clarify what is going on, but it is really simple. Okay, so the next thing I want to tell you, coming back to this table, is that you can still ask a more conceptual, philosophical question. You can say: fine, maybe for these natural-to-define sources nothing works, privacy is impossible, extraction is impossible. (By the way, when I did those proofs, they were pretty much the same: when I talked about bit encryption versus extraction, the only thing I changed was the definition of f and g, and the same proof went through.) But you can ask the more philosophical question: in general, if I need to do encryption, do I really need true randomness to do it? It is almost a question for a philosophy department; I rarely give talks in philosophy departments and never tried, but I was at a workshop in South Africa where David Zuckerman and I were the only crypto people, and there were actually people from the philosophy department asking me exactly these questions. They know a little bit about encryption: do you need true randomness, do you need a world with perfect randomness, or not? So I will tell you a sequence of results, and I already started to tell you the same embarrassing story, about the non-universality of the one-time pad followed by the universality of the one-time pad. Let me tell you exactly what I mean. First, in a paper with Joel Spencer at FOCS '02, later improved in a paper with my student Bosley at TCC '07, and this is by far the most involved combinatorial argument I have ever been part of (maybe that doesn't say much, but we used things like Hall's marriage theorem and the duality of linear programming, which was pretty cool, even if I'm not sure the goal justifies the means), we constructed a very artificial, but nevertheless valid, n-bit source capable of perfectly encrypting roughly
log n bits; there are some other parameters which I'm not putting here, so I'll just use an approximate sign: perfectly encrypting roughly log n bits, but such that you cannot extract even one single bit, except with some constant bias. If I put in every epsilon and delta it is not much more complicated than what I'm saying; there is some epsilon and delta floating around, but qualitatively it says: I'm giving you a source, a family of distributions on n bits, a bunch of distributions, and there exists a single encryption scheme such that, no matter which distribution from the source the adversary chooses, you can encrypt up to close to log n bits, and the encryptions of any two messages, on any one of the distributions in the source, are identically distributed. It is like a one-time pad: every message gives the same ciphertext distribution. So it is one scheme; whatever distribution you choose, try message 0, message 1, message 2, they always give you the same distribution as the result; a perfectly secure encryption of about log n bits. But now if you try to build an extractor for this source, then for any extractor, even one that only tries to extract a single bit as opposed to log n, I will come up with one of those super sneaky, annoying distributions in the source on which you can distinguish the extracted bit from a random bit. Okay, let me clarify, since this is a counterexample I'm defining; oh, I see, you are asking why this doesn't follow immediately from the ciphertexts being uniform. It is because the domain keeps changing: for every particular distribution there is a different subset of ciphertexts over which the ciphertext distribution is uniform. Roughly speaking, and I already advertised that this was a hard proof, which I won't give because I want to concentrate on the converse, but just to demystify it a little: what we did there, instead of proving this directly, is that I started by defining the encryption scheme. It was a kind of universal encryption scheme, saying essentially that for any tuple of distinct ciphertexts there is a key which produces exactly those ciphertexts for the messages; a completely generic, vanilla encryption scheme in which everything is possible. Then I defined my source, artificially and tautologically, as all distributions under which this encryption scheme is perfectly secure. So in case you were wondering how we did it: I started with the encryption and then set the source to make it secure, and that is how I handled perfectly encrypting enough bits. The question is why this source is non-extractable, why you can't extract even one bit statistically close to uniform, and there we needed to understand a lot of things, duality of linear programming and all kinds of things. Of everything I'm going to tell you, this is by far the deepest result, but probably nobody ever read it and nobody ever will; still, it was fun working on it. Good, and you actually reminded me, I'll answer that question in a second; somebody asked me before about efficient samplability. Oh, I see, so the question is whether, for this kind of example, the
source contains distributions that are not efficiently samplable. Yes, a lot of distributions in this source are not efficiently samplable, so that could be seen as a weakness, and it would actually be interesting if you could extend the result. Of course, once the source is efficiently samplable, then for various parameters the source is deterministically extractable, so in some sense it cannot be too efficiently samplable: the family of efficiently samplable distributions is not large enough compared to all possible distributions, because there are only singly exponentially many circuits on n bits, as opposed to the doubly exponential number of all distributions, and there is a result, which will come up in about five minutes in a different context, that if your source contains not too many distributions, singly exponential rather than doubly exponential, then it is deterministically extractable. There are papers that study extraction from efficiently samplable sources, which I'm not going to talk about, but necessarily some of our source is not efficiently samplable, and for good reason. And it is a great question more broadly: in fact, for the impossibility results, the separating distributions that I just erased were also not necessarily efficiently samplable, and there was a whole paper at Crypto, by Rafael Pass and I think his postdocs, which, at least for Santha-Vazirani sources, showed in a very non-trivial way, using some Fourier analysis, how to extend our impossibility results to efficiently samplable sources; for other sources it gets hairy, so there is something open there. But, as I said, if the source is too efficiently samplable, some deterministic extraction kicks in, so there are some caveats; there is a little bit of room to improve those impossibility results, but I don't think you can improve this particular result in this setting. Okay. So this was somewhat technical, but at least it gave us hope; we call it the non-universality of the one-time pad. Maybe for all natural sources you cannot do one without the other, but at least conceptually there is a little bit of a separation, and it would be interesting if there were more. But then, unfortunately, there is the second part of this paper, which I will prove in its entirety, and which is by far the more important result even though it is much simpler to prove: the unfortunate negative result. It says: if S, on n bits, is capable of encrypting b bits (it will necessarily turn out that b has to be greater than log n, and you will see why), then you can deterministically extract roughly b - log n bits from S. This is a pretty general result, and hopefully, once you see the proof, it will teach you something about the relationship between encryption and extraction. To a large extent it says: yes, there is a little bit of a gap, about log n bits, between the number of bits you can encrypt and the number you can extract; but usually you want to encrypt more than log n bits anyway, because as soon as you want to encrypt more than, say, 200 bits, b is bigger than log n for any conceivable n, since 2 to the 200 is already more than the number of molecules in
the universe, or something like that. So in any interesting setting, as long as in our lifetime we want to encrypt more than a hundred or so bits, it essentially says that you must have true randomness in the world, or you must have something which, if it is not true randomness itself, at least lets you deterministically extract true randomness: at least one bit, and in fact almost as many bits as you need. So in some sense this result says that the one-time pad is almost universal: if you can do encryption at all, you might as well first extract b - log n bits and then use the one-time pad. You lose about log n bits, but in this sense the one-time pad is an almost universal encryption scheme. Any questions about the statement and its philosophical implication? The proof of the statement will be surprisingly non-complex. Before the proof, in case I run out of time, let me shelve it for a second and tell you about some other results. There is another paper, with Krzysztof Pietrzak and Bartosz Przydatek, which doesn't get any citations because it is super esoteric (and who is to cite it if not me), so I'll mention it here: there we extended the DS '02 result, because of the following question, and this leads me to one of my favorite open questions. Let me tell you the result and then the open question, which I would really love one of you to solve; I keep giving it to every new postdoc, they try for a few months and say it is too hard, but I think it would be cool and I would really appreciate it. So what is the result? Consider the following trivial implications: if you can extract, you can encrypt; and if you can encrypt, you can easily do two-out-of-two secret sharing. How? Extraction gives encryption via the one-time pad: if you can extract 15 bits, you can encrypt 15 bits by one-time-padding with them. And if you can encrypt 15 bits, you can do a two-out-of-two secret sharing scheme where the left share is the key and the right share is, what? Just to make sure somebody is still following: not the message. There is a message I want to secret-share, and I want to give out two shares such that neither share alone gives any information, or almost any information, about the message. The left share is the key and the right share is the ciphertext, as in the sketch right after this paragraph. So in general, if you can do encryption, then at least in the two-out-of-two regime I can do secret sharing very naturally.
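The two easy implications, as a toy sketch (my own illustration, not from any of the papers; secrets.token_bytes simply stands in for the extractor's nearly uniform output): extraction gives encryption by one-time-padding with the extracted bits, and any encryption scheme gives a two-out-of-two secret sharing by handing out the key as one share and the ciphertext as the other.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# (1) Extraction => encryption: one-time pad keyed by the extracted bits.
def encrypt(extracted_key: bytes, msg: bytes) -> bytes:
    return xor(extracted_key, msg)

def decrypt(extracted_key: bytes, ct: bytes) -> bytes:
    return xor(extracted_key, ct)

# (2) Encryption => 2-out-of-2 secret sharing: share1 = key, share2 = Enc_key(msg).
def share(msg: bytes):
    key = secrets.token_bytes(len(msg))   # stand-in for the extractor's output
    return key, encrypt(key, msg)

def reconstruct(share1: bytes, share2: bytes) -> bytes:
    return decrypt(share1, share2)

msg = b"attack at dawn"
s1, s2 = share(msg)
assert reconstruct(s1, s2) == msg
# Each share by itself is uniformly distributed, independent of msg,
# so a single share reveals nothing about the secret.
```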
But at least in the one-bit case, and similarly for a small number of bits, there is at least a little bit of a gap between encryption and secret sharing. What about longer messages? We don't know. But instead of looking at that gap, which is maybe a little esoteric because it is about encryption versus secret sharing, I think the following is the really interesting question. The open problem is: extend BD07 to two-out-of-two secret sharing. This is one of my favorite open problems. Namely, here we said that if you have a source of randomness capable of encryption, it is extractable. Here I'm asking: if there is a source capable of secret sharing, another fundamental primitive, enough to split a secret between two people, so I'm the dealer, I have my message, I have some imperfect source, and I can produce two shares that I give to two people, does it mean that I can deterministically extract some kind of one-time pad and therefore do trivial secret sharing? The proof that I'll show you, unlike the earlier framework where encryption, commitment, all those things followed with minor epsilon tweaks, relies on something fundamental that only works for encryption (and also commitment), but not for secret sharing. We will see in the next ten minutes what it is.

So this is one of my favorite philosophical open questions in this area, not because it's practically important for the Intel RNG or anything like that, but philosophically it's interesting. In this line of work on natural sources of randomness we saw that essentially nothing is possible in privacy, and the proofs were really very simple, like the first step changing by an epsilon. Here the question is whether in general, being able to do a privacy primitive implies that you need true randomness. For encryption the answer is more or less yes, modulo the log n gap; for secret sharing it is open, and I find it really fascinating. I wouldn't bet anything: right now I'm literally 50-50, and depending on the day I think the answer is yes or no. The proofs almost work. Let me tell you, unless there are questions, because I think this is cute, and we'll see how much time we have.

(Question: what about different thresholds of secret sharing?) Yeah, I haven't thought about it too much; I feel two-out-of-two is the most fundamental, so the short answer is that I haven't thought about it in any sufficiently deep detail, just because this is the simplest secret sharing possible. There is also a tiny open question here: we showed the result in the regime of 1 versus log n, but in general, do we need to lose the log n for general b? I also don't know, but I feel this is a little less important, because qualitatively, for large enough b, say b around square root of n, it doesn't really matter. So yes, this is one of my favorite open questions, and hopefully once you see the proof you will agree it's something elegant that we should be able to solve. Formally, the picture is the following.
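Here is a minimal formalization of the known implications and of the open question, in my own paraphrase and with all parameters suppressed:

```latex
\begin{align*}
&\textbf{Trivial:} && S~\text{extractable} \;\Rightarrow\; S~\text{admits encryption} \;\Rightarrow\; S~\text{admits 2-out-of-2 secret sharing},\\
&\textbf{BD07:}    && S~\text{admits $b$-bit encryption} \;\Rightarrow\; S~\text{admits extraction of}~\approx b-\log n~\text{bits},\\
&\textbf{Open:}    && S~\text{admits 2-out-of-2 secret sharing of $b$ bits} \;\overset{?}{\Rightarrow}\; S~\text{extractable}.
\end{align*}
```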
All right, so let me give you the proof. We are back to BD07, but feel free to ask questions, philosophical or otherwise. So let's see what we are doing: I need to argue that if the source is capable of encryption, I can build a deterministic extractor. I'll prove it in roughly three steps, but first I need to define the extractor. My extractor, I'll write it as lowercase ext, is just a deterministic function, and I have to define it in terms of the encryption scheme: I have a hypothetical encryption scheme which is great, and I need to show how to extract, for now, just one bit. Actually we'll extract even more than one bit, b minus log n bits. Unfortunately I won't solve it completely in one shot; I'll reduce it to a simpler extractor, call it Ext', and this Ext' will be applied to an encryption of zero. So the form of my extractor is ext(X) = Ext'(Enc_X(0)), and we'll figure out in a second what we need from Ext'. Is it clear what I'm doing? This is the extractor I'm going to define.

Okay, so what do I need from Ext'? Let's just try the proof, see where we get stuck, and that will make it clear what Ext' I need. Take any distribution X in your source S. What is ext(X)? By definition (let me not waste a line; I'll just replace the lowercase x by the distribution X) it is Ext'(Enc_X(0)). Now I should use the security of my encryption scheme, which says that for any distribution in the source, an encryption of 0 looks like an encryption of any other message. Which message should I choose? Very good: I'm trying to extract randomness, so I'm going to inject randomness. Even though my extractor is deterministic, this is approximately equal (there is a particular parameter delta, the security of the encryption, which I'm not going to track) to Ext'(Enc_X(U_b)), an encryption of a uniformly random b-bit message. So I injected perfect randomness for free, from the security of encryption.

Now I'm almost done. I claim I'm not going to use anything more about X here. I'll be a little informal, but effectively I'm now giving you the key X for free. You are trying to distinguish this from random; just to make your life easier, I'll actually give you my secret key, but I won't tell you the message, because my message is now my randomness. By giving the key away, this distribution becomes, irrespective of what X is, a convex combination of distributions of the form Enc_x(U_b), where little x ranges over all possible keys. Which convex combination exactly? The one given by the distribution X in question. So now, what is sufficient for me to argue that this is close to U_{b'}, where b' happens to be b minus log n?
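In symbols, the chain so far looks like this; this is just a restatement of the step above, with the exact security parameter delta suppressed:

```latex
\begin{align*}
\mathrm{ext}(X) \;&=\; \mathrm{Ext}'\big(\mathrm{Enc}_X(0)\big)
  && \text{definition of the extractor}\\[2pt]
 &\approx_{\delta}\; \mathrm{Ext}'\big(\mathrm{Enc}_X(U_b)\big)
  && \text{security: } \mathrm{Enc}_X(0) \approx \mathrm{Enc}_X(m) \text{ for every message } m\\[2pt]
 &\equiv\; \sum_{x \in \{0,1\}^n} \Pr[X = x]\cdot \mathrm{Ext}'\big(\mathrm{Enc}_x(U_b)\big)
  && \text{condition on the key: a convex combination over fixed keys } x.
\end{align*}
```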
So all I need is the following: it is enough to show that Ext' is a good extractor for the family of distributions Enc_x(U_b), as x ranges over {0,1}^n. Is it clear? Let me put it in a box. I claim that if my Ext', which I haven't defined yet, is good at extracting randomness from each of these 2^n distributions, then obviously it is good enough for any convex combination of them, and I don't even need to know which convex combination. Even if I knew the key x it would be good enough, because irrespective of what little x is, the extractor does a good job. Any questions? So what did I achieve? I needed to build an extractor for a source with a gazillion distributions about which I know very little, and I reduced it to an extractor for only N = 2^n distributions, and these distributions even have a special form: encryptions of a uniform message under a fixed key. Now, intuitively, I had better use something about encryption. So far I have used security, but I haven't used correctness; I haven't used anything else about encryption. We must use it somewhere, and it will be in the construction of Ext'. Are you still with me? This point is philosophically important: I'm trying to show why encryption implies extraction, and the reason, even though we don't see the final argument yet, is that security of encryption implies that to build an extractor for the whole source I only need to build an extractor for these 2^n distributions of this special form.

So let's look at any one of these distributions closely. If you look at Enc_x(0), Enc_x(1), and so on up to Enc_x(2^b - 1), is there anything I know about these 2^b points? They are all distinct. Why? Because you should be able to decrypt: with a fixed secret key, decryption must recover the message, so the ciphertexts are all distinct. So what does that tell me about the min-entropy of Enc_x(U_b)? If I choose the message at random, I get the uniform distribution over these 2^b distinct points, so the min-entropy is exactly b. There are no collisions; that's the only thing I need to use about encryption here.

So we're almost there. Let me rephrase what remains; I'm going to make a weaker, more general claim. Instead of worrying about these particular distributions, it is enough to get a good extractor for N distributions, call them Y_1, ..., Y_N, each with H_infinity(Y_i) at least b. From here on I'm not going to use anything more about the encryption scheme. So the remaining question is: if I have not too many distributions, "only" a single-exponential number in quotes, all of min-entropy at least b, can I find one extractor which is simultaneously good for all of them?
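Summarizing the reduction up to this point, in my own restatement:

```latex
\begin{align*}
&\text{Correctness of decryption} \;\Rightarrow\; m \mapsto \mathrm{Enc}_x(m)\ \text{is injective for each fixed key } x
 \;\Rightarrow\; H_\infty\big(\mathrm{Enc}_x(U_b)\big) = b,\\[4pt]
&\text{so it suffices to find a single } \mathrm{Ext}' \text{ with } \mathrm{Ext}'(Y_i) \approx U_{b'}
 \text{ for } N = 2^n \text{ distributions } Y_1,\dots,Y_N \text{ with } H_\infty(Y_i) \ge b.
\end{align*}
```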
Anybody want to make a guess? The answer is yes or no, it's Boolean. (Someone answers, with a justification.) Well, you did more than make a guess, you almost gave a proof of this result. So the answer is yes, and this is one of those general facts which hopefully teaches something: in each step we used a different ingredient, we didn't need everything at once. Here we only used privacy of encryption; correctness of encryption was only needed to argue the min-entropy; and now comes a very general fact. I'll test my bending abilities and write it as a lemma. This lemma, in a different form, is due to Trevisan and Vadhan, but I also used it in my PhD thesis (sorry, that's '99), so I'll cite the thesis, but it is really a restatement of that beautiful Trevisan-Vadhan paper. Speaking of which, by the way, you asked earlier about efficiently samplable distributions: Trevisan and Vadhan showed that if the source is efficiently samplable, you can in principle deterministically extract from it, and then, under various complexity-theoretic conjectures or assumptions, actually build an explicit extractor. But really, the core was just a counting argument. All they said is: listen, there are not that many efficiently samplable distributions; they didn't use anything else about efficient samplability. So what the lemma says is that for any N distributions of H_infinity at least b each, there exists an Ext' capable of extracting approximately b minus log log N bits. The single log of little n became a double log of capital N, but since N = 2^n, that is exactly the b minus log n that we need, so the lemma obviously implies what we want to show.

And of course the answer is yes; here is the idea. Let's first assume N = 1, so I have a single distribution of min-entropy b. The first question, just to make sure, and something we really should have asked a long time ago: is a single known distribution deterministically extractable? Of course you can do it with a random function, but we can even do it explicitly, greedily. Picture two bins, labeled 0 and 1. Go through the points of the distribution, with probabilities p(x_1), p(x_2), and so on, and always put the next point into the lighter bin. The two bins keep growing roughly together, and at the end each holds probability approximately one half, with a gap of at most 2^{-b}, because every individual probability is at most 2^{-b}. This is just to convince yourself, without any Chernoff bounds or anything, that a single known distribution is in principle deterministically extractable, ignoring questions of efficiency: I can always keep these two bins (or more bins), keep throwing the next probability mass into the lightest one, and since all the masses are at most 2^{-b}, the bins end up roughly equal. So this somewhat crazy function exists. If you want to make it a little more structured, there is a famous thing called the Leftover Hash Lemma, which we are going to talk about later. The next step toward efficiency is that you can choose the extractor at random, and a simple concentration inequality shows that it is good.
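Here is a tiny sketch of that greedy two-bin argument, again my own illustration: given the full probability table of one distribution whose largest probability is at most 2^{-b}, assigning each point to the currently lighter bin defines a one-bit extractor whose bias is at most that largest probability.

```python
def greedy_one_bit_extractor(prob: dict) -> dict:
    """One known distribution with max probability <= 2^-b: label each point 0 or 1
    by always adding the next point to the currently lighter bin. The final gap
    |Pr[output 0] - Pr[output 1]| is at most max(prob.values()) <= 2^-b."""
    label, mass = {}, [0.0, 0.0]                 # mass[i] = probability already assigned to bit i
    for x, p in sorted(prob.items(), key=lambda kv: -kv[1]):  # any order works; sorted for determinism
        bit = 0 if mass[0] <= mass[1] else 1     # the lighter bin
        label[x] = bit
        mass[bit] += p
    return label

# toy distribution over 8 points with min-entropy 2 bits (max probability 1/4)
dist = dict(enumerate([0.25, 0.2, 0.15, 0.1, 0.1, 0.1, 0.05, 0.05]))
ext = greedy_one_bit_extractor(dist)
gap = abs(sum(p for x, p in dist.items() if ext[x] == 0)
          - sum(p for x, p in dist.items() if ext[x] == 1))
print(ext, gap)                                  # gap is at most 0.25; here it comes out to 0.0
```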
And if you want to derandomize that random choice of extractor, you can pick it from a family of pairwise independent hash functions; we are going to look at this later in the tutorial, so stay tuned. So in our case, one way to prove the lemma is simply to pick Ext' at random. What does "pick it at random" mean? You might say: wait a second, don't we have no randomness here? Listen, I'm only talking about an existence result, not efficient computability; I'll get to efficient computability in the next two minutes, but here I just want to argue that the extractor exists. And I'm saying: if you pick a random function and fix any one distribution, the function is good for it with very high probability, and the failure probability is so low that you can take a union bound, as long as there are not too many distributions. If you plug in a standard Chernoff bound, there is absolutely nothing deep, you get exactly these numbers.

The next question is what Trevisan and Vadhan did. They asked: do we need full independence, a completely random function? It turns out, and this is the nice part, that approximately (log N)-wise independence is enough. What does that mean? Instead of choosing an extractor at random from the family of all functions from n bits (or rather, from however many bits the ciphertext has) to b' bits, we pick it from a family of bounded-wise independent hash functions: not pairwise, unfortunately, but (log N)-wise. And the point is that this turns out to be enough: pairwise independence suffices for one distribution, but not for this many distributions, whereas (log N)-wise does. In our case log N equals little n, the size of our secret key, so it is polynomial. In particular, since every member of an n-wise independent family of functions is efficient, and we do have such families, polynomials of degree about n and so on, it means that there even exists an efficient extractor. So I can put the word "efficient" into the statement, and I can even choose it efficiently: a random function from an n-wise independent hash family is good with very high probability, and all of them are efficient.

(Question: but choosing it at random requires true randomness.) Yes, of course. If I don't have true randomness, this is still just my way of showing existence; maybe some mathematician can come and point to one particular function, but here I'm showing existence, and you're right that this could be seen as a weakness of the result. That's why Trevisan and Vadhan didn't stop here: they actually derandomized it, under particular complexity assumptions about the polynomial hierarchy, and you don't want to know the details. But just to show existence, yes, I will choose it truly at random, and it's done only once. If I have true randomness somewhere, say in Australia, and they are nice enough to do it once for me, I'll import the result here, to the world without true randomness, and it is going to be good enough. So yes, there are some caveats, nothing comes completely for free, but at least in terms of existence we are fine. And in fact the extractor is even going to be efficient, and efficiently samplable; it is just not necessarily explicit. Of all those nice words, you get all of them except explicitness.
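For concreteness, here is a toy sketch, mine and not the construction from the paper, of a t-wise independent hash family: a random polynomial of degree below t over a prime field, evaluated at the input and truncated to the output length. Real constructions typically work over GF(2^l) and handle the truncation bias more carefully, but the sketch shows why every member of such a family is an efficient function.

```python
import random

P = (1 << 127) - 1            # a Mersenne prime; assumes inputs (ciphertexts, as integers) are below P

def sample_t_wise_hash(t: int, out_bits: int):
    """Sample h from a t-wise independent family: h(x) = sum_i a_i * x^i mod P,
    truncated to out_bits. Any fixed degree-(t-1) polynomial is cheap to evaluate,
    so every member of the family is efficient."""
    coeffs = [random.randrange(P) for _ in range(t)]    # the one-time truly random choice
    def h(x: int) -> int:
        acc = 0
        for a in reversed(coeffs):                      # Horner evaluation modulo P
            acc = (acc * x + a) % P
        return acc & ((1 << out_bits) - 1)              # keep out_bits bits (toy truncation)
    return h

# in the lecture's setting: t is about log N = n (the key length), out_bits is about b - log n
ext_prime = sample_t_wise_hash(t=64, out_bits=16)
print(ext_prime(123456789))
```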
So in particular, coming back to the application: as long as the encryption scheme is efficient, we get an efficient extractor as well. So, at least as an existence statement, if I put the word "efficient" here and here, I can put "efficient" here as well; I'll write it in a different color. In some sense we even preserve efficiency: we just encrypt zero and apply, say, a polynomial of degree about n. Which particular polynomial, I can't tell you, but the majority of them will be good enough, or something like that.

So let me see, I think we should take a break soon, so let me just conclude, tell you the transition points, and of course take questions. There is one more result that I'll mention over here, because this really is a great question; feel free to talk to me about it, I would love somebody to work on it. We did get a partial result, from the same CRYPTO paper; it was a little section of that paper. What we showed is a partial resolution: for most privacy tasks P under S, including secret sharing, in fact everything that was "expressive" in the sense of the theorem on one of these boards (remember when we did that), so for almost everything: if there is a source of randomness which can do, say, two-out-of-two secret sharing, or encryption, or commitment, or differential privacy, then it implies a weak one-bit extractor.

What do I mean by weak? One limitation is that it is one bit, whereas here we got many bits; that is one weakening, but even one bit would make me happy, because it works for secret sharing. The problem is the "weak" part, and you can judge whether you like the result. Essentially the extractor outputs 0, 1, or bottom, so it can fail: it says, listen, here I'm confident I should output 0, here I'm confident I should output 1, but if something fishy is going on I'll just output bottom, meaning something is wrong with the source. (Of course, outputting bottom all the time would be "great", so we have to rule that out.) The guarantees are the following. First, for every distribution in the source, the probability the extractor outputs 0 is very close to the probability it outputs 1; so as long as it does not output bottom, the bit is as unbiased as we want. Second, and this is what prevents it from outputting bottom all the time and being trivial, the probability of outputting something other than bottom on the uniform distribution is noticeably greater than zero. There are some parameters, but roughly speaking, for encryption it is about one half, for commitment about one quarter, and for secret sharing something smaller but still non-negligible. So at least on the uniform distribution, with non-negligible probability it actually outputs something, and whenever it outputs something, the bit is good. But you're right, it is a weak result.
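Written out, the two guarantees of this weak one-bit extractor are roughly the following; this is my paraphrase, and the exact parameters are in the paper:

```latex
\begin{align*}
&\text{(unbiasedness)} && \big|\Pr[\mathrm{Ext}(X)=0] - \Pr[\mathrm{Ext}(X)=1]\big| \le \varepsilon
  \quad \text{for every } X \in S,\\[2pt]
&\text{(non-triviality)} && \Pr[\mathrm{Ext}(U_n) \ne \bot] \ge c,
  \quad c \approx \tfrac12 \text{ for encryption},\ \tfrac14 \text{ for commitment, smaller for secret sharing}.
\end{align*}
```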
It was a small section of the paper, and it leaves open the following possibility: that the extractor only really extracts on the uniform distribution and fails on everything else. It cannot do that completely, because on a distribution which is very close to uniform it cannot "flip a switch"; it just reads bit strings. So for most distributions which are, informally speaking, sufficiently close to uniform, it will not fail either. There is a particular form of this extractor which I'm not going to describe, unless you ask; it's not that long. But it is a weak result. Even aside from the one-bit limitation, I would love to say that on every distribution in the source it outputs something with probability at least one half, but I cannot say that, and unfortunately it is impossible: the '02 result, if you look at that counterexample more closely, gives a source where requiring non-triviality on every distribution is just impossible. So in some sense, at this level of generality, this is the strongest kind of result we can hope to achieve. It does apply even to secret sharing and so on, but yes, the big question definitely remains.

(Question: where is that impossibility shown?) Oh, in my paper with Spencer. It didn't look at this kind of one-bit extractor explicitly, but there is a remark that one of the counterexamples in that paper gives a source where even this weak one-bit extraction is impossible, provided you want non-triviality on every distribution in the source. That is unfortunately impossible, at least for that particular counterexample; maybe there is a way around it. So you can judge, but at least for secret sharing we do know something non-trivial, even though the main question for secret sharing still remains.

So before taking questions, and it is actually a good time to break, let me just tell you what we are going to do in the next part. I'm probably going to switch to slides for that part, so you won't have to read my handwriting. What we are going to do is fill in that last column; let me take two minutes to summarize. Here, even using a different color: local randomness exists, but the secrets are weak. So here we assume that the secret key still comes from a weak source, maybe it's my fingerprint, or maybe it was uniform but the attacker has learned something about it; Krzysztof will talk about leakage-resilient cryptography. We have perfect randomness, but for whatever reason our secret key is still weak: can we do stuff? The answer will be yes, a dramatic yes. We will be able to do all those things, and there are many, many questions in this setting; it is a huge area. In fact, I told you about maybe four or five papers of mine, and in the field of information-theoretic security and randomness extraction, what I talked about here is essentially my own work; more or less I'm the only one working in this corner, for whatever reason, and hopefully some of you will like it. The majority of my papers, and
most of the papers of the other speakers, live over here, essentially in this column. This is really the mainstream setting, and it is super exciting because things become possible, and the goal is to do them as efficiently as possible, not in terms of speed but in terms of entropy consumption: we want to extract as much randomness, and derive as long a secret key, as possible from what we have. So we are shifting from the possibility-versus-impossibility question to a different mode of being greedy. What I'm going to talk about there is one particular aspect where there are also a lot of surprises: key derivation functions, and the difference between key derivation and randomness extraction. I will show that it is not necessary to first extract a key and only then use these check marks; you can actually do much better by working directly with the weak source in question. But local randomness is of critical help; it takes us from impossibility land to possibility land. Anyway, I'll cover it there; there are lots and lots of applications of this kind of thing, so it is a very exciting area.

(Question about generalizing the separation.) Right, yes. I didn't go that far. Beyond secret sharing it becomes, in general, a little esoteric; that's why that paper has, I think, only one citation (Krzysztof can check if it has more). It is an interesting question, but a little esoteric. I think extraction is the fundamental philosophical thing: what kind of randomness is needed for different applications, do I need more for secret sharing than for encryption than for commitment? It is a little technical and people don't find it that natural, so I don't know what lies inside. What is interesting to me conceptually is whether there is something here with a meaningful separation, not a 1-versus-log n separation, because nobody really cares about a gap at the scale of log n bits, but something where you can do privacy on, I don't know, square root of n bits, yet you cannot extract even one bit. If you can come up with such a privacy primitive, even an artificial one, I would find it very interesting; if it is actually natural, like a secret sharing scheme, that would be great. Conceptually I don't know what lies there. So far, at least for natural classes of sources, they are all the same: for natural classes nothing is possible. Once you start defining artificial things, things become possible, like taking a scheme and saying my source is the set of all distributions under which this scheme is secure; but those are artificial. I don't know if there is a natural separation. I think it would be great conceptually, even if it is super artificial: give me a privacy application, not an authentication-type application where a lot of things are possible, but really something where the attacker cannot distinguish, say, the message 0 from the message 1, for which there exists a separation, and the separation has to be big, not just one bit. That would be super interesting conceptually; it is definitely open.

(Question: is anything known under additional assumptions, something like ETH?)
ETH? No, I haven't looked in that direction. The only place where I've seen something like this, or, sorry, the Riemann hypothesis or something, is in some derandomization results: there is a random choice somewhere, and under some assumption you can take, say, the smallest prime instead of a random one. So it was only used to derandomize some particular construction, like the caveat I mentioned over here; I haven't seen conditional results of the flavor I described, at least not for what I described here. I presented it as an information-theoretic thing; whether there is something interesting and meaningfully computational in it, I'm not sure. The positive results and the separations work even for computational encryption and so on, but I don't know whether there is something deeper where making a computational assumption, about pseudorandomness, can help us separate those things. So far, all the results I showed, say encryption implies extraction, extend to the computational setting: you would say that computationally secure encryption implies extraction of pseudorandom bits, because for a pseudorandom string any particular bit is close to perfectly random; at the level of one bit it is statistical, and at the level of b minus log n bits it is pseudorandom. Everything I said extends, and it is almost trivial; the slightly non-trivial part is the efficiency issue, which is why that red part was nice: we could make Ext' efficient, so we maintain efficiency, and efficient encryption implies efficient extraction. So I think this was a good summary. After lunch we will completely switch gears; I really like this line of work, but we go from things being hopeless to being super greedy, trying to minimize entropy loss and so on.