Hello everyone, it's working, so welcome back to one of our last sessions, Primitives 3. Before we start, we have a couple of announcements. Remember that today there is the organ concert; you can find the instructions on the web page they have posted. There are a few buses, one at 5:40 and the other a bit later, but we encourage everyone to walk, so there will be a walking caravan leaving from the front door at quarter to six, because we don't have enough buses for everybody. Another announcement is that we found a mobile phone, so please check that you have yours, and come to the front desk to get it. Okay, so now we start the session, and the first talk will be given by Geoffroy Couteau, who presents joint work with Chris Brzuska on building fine-grained one-way functions from strong average-case hardness. So the story starts with a 1995 work of Russell Impagliazzo, who asked: what world do we live in? Because we cryptographers hope and believe that we live in a world Impagliazzo coined Cryptomania, where public-key cryptography exists, so we get to write nice papers, attend nice conferences, and also secure our data. There is also the possibility that we don't have public-key encryption, no public-key crypto, but we still have symmetric cryptography, so we can still do many things of interest. At the other end of the spectrum, there is the possibility that P is equal to NP, so all crypto is broken, but many people on the more algorithmic side are happy because they can solve the traveling salesman problem, so they're very happy about it. And they would also be fine if we lived in the world Heuristica, where P is not equal to NP, but NP is easy on average, so you still don't have crypto, but you can solve all NP problems very efficiently on average. So essentially, in those four worlds, some computer scientists are always happy.
Then there is the middle possibility, the fifth world, which Impagliazzo called Pessiland, which is the logical possibility that cryptography does not exist (you don't have one-way functions, nothing), but you have a lot of NP problems which are hard on average, so you don't even get fast algorithms. That's the worst of all possible worlds, and something often called Impagliazzo's program asks: can we rule out this world? Can we show that computer scientists are bound to be at least somewhat happy? If we could do that, it would be a win-win for humanity: we would know that we either have some crypto or have fast algorithms. Unfortunately, this turns out to be a very hard problem, and the core issue is that if we look at the hierarchy of hardness assumptions related to these worlds, the bottom being worst-case hardness and the top being public-key encryption, we know that there are black-box separations between any two of these hardness assumptions, so it's not possible to rule out the logical possibility of these worlds using only black-box techniques. What might save us, where we can find a ray of hope, is that the real landscape is actually a bit more subtle. It's known that at some levels of this hierarchy, if we look at extreme hardness, then that gets us somewhere in the higher levels. For example, exponential worst-case hardness does imply average-case hardness; this is via classical list-decoding algorithms. Or, at the top of the hierarchy, if you have exponentially hard one-way functions, this actually gives you quadratically hard public-key encryption. So maybe there's hope, and the main question we ask is: could it be that extreme average-case hardness suffices to imply a very weak form of one-way functions? This is what we study in this talk. If we could do that, we could rule out an extreme version of Pessiland, the worst of all possible worlds.
So I have to explain a bit more what we mean by very weak one-way functions and extreme average-case hardness. By very weak one-way functions, in this talk I will specifically mean fine-grained one-way functions. I'll explain right after what that means, but it's possibly one of the weakest notions of one-way functions you could imagine. Then for extreme average-case hardness, we look at different notions, from the weaker to the stronger, which we call exponential average-case hardness, amplifiable average-case hardness, and a new notion that we call block-finding average-case hardness. So let's explain these terms before I go on with the results. What's a fine-grained one-way function? Well, your typical one-way function takes time n to evaluate and maybe 2 to the n to invert, or anyway something way too long. For a fine-grained one-way function, we just want that inverting takes time at least n to the 1 plus epsilon for some positive constant epsilon. It's slightly harder to invert than it is to evaluate. It's really the minimal amount of non-triviality to get something that the adversary can't do as efficiently as you can. So that's a fine-grained one-way function. Then we have these various notions of average-case hardness. Exponential average-case hardness is quite natural. Essentially, it says that if you have an NP language, the best an adversary can do to find out whether a word belongs to the language is to try all possible witnesses, in exponential time, until it lands on the witness. Maybe it can get some speedup, but in the end it will still take exponential time to decide membership in the language. So if we could show that exponential average-case hardness implies fine-grained one-way functions, we would get a win-win result: we either have some weak form of cryptography, or all NP languages can be decided in time less than 2 to the n on average. That would be nice.
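As an informal sketch (my own notation, not necessarily the paper's), the two notions just described could be written as:

```latex
% Fine-grained one-way function: f is computable in time roughly n, yet
% every inverter A running in time O(n^{1+\varepsilon}), for some fixed
% constant \varepsilon > 0, succeeds only with small probability:
\Pr_{x \leftarrow \{0,1\}^n}\left[ A(f(x)) \in f^{-1}(f(x)) \right]
\ \text{is small, while } f \text{ itself runs in time } \tilde{O}(n).

% Exponential average-case hardness of an NP language L: every decider
% running in time o(2^n) barely beats guessing on random instances,
% i.e., brute-forcing the witness is essentially the best strategy:
\Pr_{x \leftarrow D_n}\left[ A(x) = \mathbf{1}[x \in L] \right]
\le \tfrac{1}{2} + o(1)
\quad \text{for every } A \text{ running in time } o(2^n).
```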
Unfortunately, our first result is that this is not possible with black-box proof techniques. This result turns out to be actually not too hard, but what we would really like, of course, is a positive result. So we ask: what happens if we start from even stronger notions of average-case hardness? What do we get out of that? The first natural candidate is what we call amplifiable average-case hardness. Remember, with exponential average-case hardness, I give you a word, you have to decide whether it's in the language, and that takes time 2 to the n. I say the hardness is amplifiable if, when I give you m words and you have to decide for all of them whether they belong to the language, you need time m times 2 to the n. The more words you have, the more time you need to spend to decide. Basing a fine-grained one-way function on this would still give a win-win for humanity, because you would either have crypto or a faster-than-2-to-the-n algorithm to decide all NP languages when amortizing over many instances. That would already be a nice win-win. Another motivation for this study is that in the past, assuming non-amortizability has been the key to circumventing some impossibility results. It helped, for example, in getting n-squared-hard public-key encryption with negligible security error: there, the authors had to assume a dream XOR lemma, which says that XORing hard predicates amplifies hardness optimally, and without it, achieving this is black-box impossible. It was also used in a very nice recent work to show that if you have one-way functions with some amplifiable hardness, then you get collision-resistant hash functions, while without it, this is black-box impossible. So we thought, okay, maybe this is the key to getting our fine-grained one-way function. And it was not.
Our second result is that there is still no black-box construction of a fine-grained one-way function, for any arbitrarily small constant epsilon, even starting from this insanely strong notion of average-case hardness. So, not great for humanity, but let's not stop here. We then looked at an even stronger hardness notion, which we call block-finding hardness. The previous notion said: I give you m words, and if you have to decide for all of them whether they belong to the language, you need to spend time m times 2 to the n. Block-finding hardness says that it's hard to decide even something about the membership of these words in the language. For example, I give you the pattern 0 1 0 0 and I ask you: can you find four consecutive words such that, if you look at whether each belongs to the language or not, the answers give you 0 1 0 0? Block-finding hardness essentially says that just to answer this question, to find a pattern of membership bits among m words, already requires time m times 2 to the n. That would still give some very weak positive, win-win result, right? If we had fine-grained one-way functions from that, either you have crypto or you can decide something non-trivial about the pattern of membership bits for all NP languages. Quite weak, though. But still, from this one, we do manage to get a fine-grained one-way function with a quadratic hardness gap. So it rules out at least some extreme, extreme version of Pessiland, if you want. In the rest of this talk, I'll go over the techniques we introduced to solve these problems. One central unifying theme is the notion of a random language in NP. So what's a random language? Well, take a universe with many possible words in it, and flip a coin for each of these words: with probability one half, you put it in the language; with probability one half, you put it outside of the language. So your language in the end contains roughly half of the words.
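To make the block-finding game concrete, here is a toy Python sketch (illustrative only; the paper's formal game and parameters are not given here). Each read of a membership bit stands in for one full 2-to-the-n-time membership decision, so the naive solver below costs about m times 2 to the n overall:

```python
# Toy version of the block-finding game: given the membership bits
# b_1..b_m of m words, find an index where a target pattern appears.
# (A sketch under assumed names, not the paper's formal security game.)
def find_block(membership_bits, pattern):
    """Naive solver: scan all windows. Each bit read models one
    exponential-time membership decision, hence ~m * 2^n total cost."""
    k = len(pattern)
    for i in range(len(membership_bits) - k + 1):
        if membership_bits[i:i + k] == pattern:
            return i
    return None

bits = [1, 0, 1, 0, 0, 1]
assert find_block(bits, [0, 1, 0, 0]) == 1   # pattern found at index 1
assert find_block(bits, [1, 1, 1, 1]) is None
```

Block-finding hardness asserts that even this weaker task, answering a pattern question rather than deciding every word, cannot be done faster than the naive scan.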
Now, I want this language to be in NP. So I take a set of witnesses, and for each word of the universe, I pick a uniformly random witness in the set, and I say that this is the witness associated to this word. Okay? Then I give a check oracle to the adversary. This check oracle receives queries of the form (x, w), where x is a word and w is a candidate witness, and it checks whether w is the right witness associated to x. If it is, then it tells you whether the word is in the language or not. If it's not, it tells you nothing. So this is essentially a random language in NP (in fact, in NP intersect coNP, since a correct witness also certifies non-membership). When the adversary manages to find the right witness, we call his query a hit; that's terminology I'm going to use a lot in the rest of this talk. So what is the point of these random languages? There are two points. First, they help us check that the hypotheses we make about average-case hard languages are plausible, because we can check whether they at least hold for a random language. Second, they are the basis for all of our black-box separations. More precisely, we prove three things. We prove that a random language satisfies block-finding hardness. That gives support for the plausibility of this strong notion, in the same way that when you introduce a new notion for hash functions, you check that it at least holds for a random oracle; here we do the same, but with a random language. Then we prove that random languages are extremely hard to solve, even relative to a strong inversion oracle: even if you give the adversary an inverter that will sample any sufficiently likely preimage of any oracle circuit, then relative to this oracle, a random language is still amplifiable average-case hard, and yet, relative to this oracle, there cannot be any fine-grained one-way function, because you can invert it with this inverter oracle.
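A minimal Python model of this random language and its check oracle (a sketch under my own naming; `universe_size` and `witness_set_size` are illustrative parameters, not the paper's):

```python
# Toy model of a random language in NP: every word gets a fair
# membership coin and one uniformly random associated witness;
# the check oracle reveals membership only on a hit.
import random

def sample_random_language(universe_size, witness_set_size, seed=0):
    rng = random.Random(seed)
    membership = {x: rng.random() < 0.5 for x in range(universe_size)}
    witness = {x: rng.randrange(witness_set_size) for x in range(universe_size)}
    return membership, witness

def make_check_oracle(membership, witness):
    def check(x, w):
        # A "hit": the adversary found the witness associated to x,
        # so the oracle reveals whether x is in the language.
        if witness[x] == w:
            return membership[x]
        return None  # wrong witness: the oracle reveals nothing
    return check

membership, witness = sample_random_language(universe_size=8, witness_set_size=16)
check = make_check_oracle(membership, witness)
x = 3
hits = [w for w in range(16) if check(x, w) is not None]
assert hits == [witness[x]]                 # exactly one witness per word
assert check(x, witness[x]) == membership[x]
```

Without a hit, queries carry no information about membership, which is why hits are the central resource the adversary must economize.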
Together, results two and three prove that fine-grained one-way functions and amplifiable hardness are black-box separated. So let's go over this second part, results two and three. We use two oracles. The first one is this check oracle: it's a random language, and you can check whether a word is in the language or not if you have found the right witness. The second is an inversion oracle. Intuitively, what do we want? You feed the inversion oracle an oracle circuit, which can call the check oracle, together with an output, and it samples a random preimage. However, this would be too strong; think, for example, about this simple example. Consider the circuit that just takes as input some x and w, queries (x, w) to the check oracle, and returns (x, b), where b is the answer of the check oracle. Consider a solver that simply queries the inverter on this circuit together with the output (x, 1). Now, if x was indeed in the language, which happens with probability one half, that means that a valid preimage will contain a valid witness for x. So with a single call to the inversion oracle, I have been able to completely break all hardness properties of my language, because I can find a witness in one call. But the reason the adversary managed to do that is that it got to invert an output which was unlikely, in the sense that the path from the input to this output makes a single query to the check oracle, and this single query makes a hit; and making a hit should be a low-probability event. So what we do is a sequence of sanitizing steps on the circuit. First, we look at all the possible paths from an input to the output, and we say that if a path contains too many hits compared to the average number of hits it should contain, then it's a heavy path. We remove all heavy paths, and we only allow the oracle to answer along a light path from the input to the output.
Now, for technical reasons, we cannot force all paths to be too light, because if they are too light, later we will have to do some kind of union bound over all gates to show that, with high probability over a random input, all paths will be sufficiently light. To make this union bound go through, we need to keep some room here and define a path to be light if its number of hits is at most the average number of hits plus some slack, as necessary to allow this union bound. And it turns out that this slack allows for other attacks, based on what happens when you can make queries to the oracle with inputs which are too large. We have a different technique to handle those too-large queries: shaving the circuit. You take the circuit, you look at all gates that make a query to the check oracle where the input is too large, and you replace each such gate by a dummy gate. We can show, with a bit of work, that this suffices to get rid of this annoying side effect. So, proof intuition. Suppose you have an adversary that breaks amplifiable hardness of your language. Okay? From this adversary, we build an emulation procedure which accesses a check oracle and also uses some carefully crafted advice string, which is some information about L. We show that with this advice string, the emulator is able to correctly emulate all answers of the inversion oracle, yet the size of the advice string is not too large; it's of bounded size. That means that if there is an adversary that can break amplifiable hardness, then we can build from it a new adversary that can get too many hits when accessing the check oracle, when additionally given a not-too-long advice string. And this, we show, is impossible, using a new abstract technical lemma which we call the hitting lemma with advice, which I will explain soon. Before that, there is the other side of the proof, right? We want to show that relative to these two oracles, we don't have any fine-grained one-way functions.
So we have a hard language, but we don't have fine-grained one-way functions. The intuition is: just take your candidate fine-grained one-way function and its output, query it to the inversion oracle, and you hope to get a preimage. This boils down to showing that, with high probability, one of the paths from a preimage to the output will be a light path, because our inversion oracle only agrees to invert if there is a light path. And intuitively, the funny thing here is that you can think of your one-way function itself as an adversary making queries: the queries that it makes are the paths from the input to the output, and if there is no light path, it means that you somehow get an adversary that can make too many hits again. Again, our hitting lemma shows that this is not possible, so using the hitting lemma, we can show that with very high probability, if you evaluate an arbitrary function on a random input, there will be a light path from an input to the output that you got. So what is this hitting lemma? It says the following. You have a bunch of sets, the S_i's, and in each of these sets, I pick a uniformly random element. Now an adversary is trying to get as many hits as possible: the adversary has a budget of queries, he can ask questions of the form "is r_i equal to r-star?", and his goal is to get as many yes answers as possible. The hitting lemma shows that, for any adversarial strategy, the probability that you make too many hits decreases exponentially. This is the technical statement; forget about it, here is the intuition. What's the naive strategy? Well, the naive strategy is: you pick the smallest set, and then you query one by one, in any order, the elements in it until you get a hit. When you get it, you take the next smallest set, then you query one by one, and so on.
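The naive strategy can be simulated in a few lines of Python (a sketch; function names and parameters are mine, not the paper's):

```python
# Simulation of the naive strategy behind the hitting lemma: one random
# element r_i is hidden in each set S_i; the adversary queries the
# smallest set element by element until it hits, then moves on.
import random

def naive_strategy_hits(set_sizes, budget, rng):
    hidden = [rng.randrange(s) for s in set_sizes]
    hits = 0
    for s, r in sorted(zip(set_sizes, hidden)):  # smallest set first
        for guess in range(s):
            if budget == 0:
                return hits
            budget -= 1
            if guess == r:       # a hit: found the hidden element
                hits += 1
                break
    return hits

rng = random.Random(1)
trials = [naive_strategy_hits([4, 8, 16], budget=10, rng=rng) for _ in range(2000)]
avg = sum(trials) / len(trials)
assert 0 <= avg <= 3   # at most one hit per set
```

The lemma says that no strategy beats this one, and that exceeding its expected hit count by c has probability decaying exponentially in c.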
First, we prove by induction that this naive strategy is the best possible strategy; and if you call h the number of hits that this naive strategy makes on average, we show that the probability of getting c hits more than this average decreases exponentially in c, and the exponent in this exponential decrease is actually more than one, which is important for our proof to be tight enough to work. So yeah, that's the intuition. The very nice thing is that the bound is actually so tight that, even if you allow the adversary to get arbitrary advice about all these sets, you can directly extend the hitting lemma to a hitting lemma that takes this advice into account, simply by guessing the advice in advance: the result is tight enough that guessing the advice only gives you a 2-to-the-k loss for a k-bit advice, which is still sufficient to derive a contradiction. So we get this hitting lemma with advice, for an arbitrary advice of bounded size, and that's the key to proving our core separation. Then, I don't know how much time I have left, but okay: the positive result, very quickly. It is getting fine-grained one-way functions from block-finding hardness. Without going into details: from a block-finding hard language, what we manage to build is a puzzle. A puzzle is something where you can easily generate an instance, but solving an instance takes some long time, time n for example, and the solution to the puzzle is just some integer. So how do we build our fine-grained one-way function? The idea is just: I generate n puzzles, I pick one of them at random, and I solve it. So it takes time n to generate the puzzles and time n to solve one of them, and I give you the n puzzles and the solution, and I ask you: can you find the puzzle which I solved?
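Here is a toy Python rendering of this construction (purely illustrative: the "puzzle" below is a trivial brute-force search, so it only mirrors the time accounting of the construction, not the actual hardness; all names are mine):

```python
# Sketch of the puzzle-based fine-grained OWF: generate n puzzles,
# solve a random one, output all puzzles plus the solution. Inverting
# means finding which puzzle was solved, intuitively forcing ~n^2 work.
import random

def gen_puzzle(n, rng):
    # Toy puzzle: a hidden value in [0, n). In the real construction,
    # generation is fast and solving takes time ~n.
    return rng.randrange(n)

def solve_puzzle(puzzle, n):
    for candidate in range(n):   # brute force: time ~n
        if candidate == puzzle:
            return candidate

def f(n, seed):
    rng = random.Random(seed)
    puzzles = [gen_puzzle(n, rng) for _ in range(n)]  # time ~n to generate
    i = rng.randrange(n)                              # pick one at random
    solution = solve_puzzle(puzzles[i], n)            # time ~n to solve it
    # Caveat of the toy: here the solution trivially identifies candidate
    # puzzles; only the evaluation-time bookkeeping is faithful.
    return puzzles, solution

puzzles, solution = f(8, seed=42)
assert solution in puzzles
```

Evaluation costs about 2n, while (intuitively) inversion requires solving the puzzles one by one, giving the quadratic hardness gap.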
And intuitively, if the language is hard enough, to find out which puzzle I solved you will have to solve all the puzzles one by one, which takes quadratic time. To prove that this intuition works, the hardness we need is block-finding hardness of the language. I won't have time to go over that, but using the hitting lemma with advice again, it's possible to prove that a random language does satisfy block-finding hardness, so it provides some support for this very strong hardness assumption. And yeah, that's the end of my talk; that's a global summary of what I just said. I'll be happy to answer any questions.

Okay, thank you very much. Are there other questions? Somebody can come up.

I don't know if you can comment on this, but I do remember this Crypto 2018 paper by Marshall Ball, Alon Rosen, and others, where they comment on how it would be surprising to obtain one-way functions from some type of assumptions, the ones they have in that particular case. Now, how does this last result, showing one-way functions from block-finding hardness, relate to the surprising results they show?

Thank you for the question. Actually, though I tell the story in an order which fits the way we wrote it in the paper, the actual historical chronology is that we started from this result, and we wanted to get around the limitation they stated. What they show is that from the exponential time hypothesis you can get what I just called here a cryptographic puzzle: you can build an average-case-hard cryptographic puzzle from the exponential time hypothesis by going through the orthogonal vectors problem and then getting average-case hardness out of it. And they managed to prove that this is not only hard on average, it also satisfies the amplifiability property that I spoke about: if you have many, many puzzles, solving them requires spending time proportional to the number of puzzles. So we wanted exactly to get this, and
we had this construction in mind. And basically, the unfortunate story is that our black-box impossibility results show that what they managed to prove about their puzzle, namely amplifiable hardness, does not suffice to go all the way to fine-grained one-way functions. So it's another limitation, in addition to the one they exhibited, to the program of building fine-grained one-way functions from the exponential time hypothesis or the strong exponential time hypothesis. This alternative road goes through block-finding hardness, but if you try to prove block-finding hardness for their construction, you end up having to adapt the Berlekamp-Welch algorithm (their construction uses this kind of Berlekamp-Welch decoding) to this notion of finding a pattern, and that seems extremely hard; we never managed to make any progress on it, and I don't think it's feasible at all. So essentially, we show new barriers toward using what they already showed to get fine-grained one-way functions, and we tried to get around them, but when getting around, we can't use their construction anymore, so we had to abstract out the notion of what suffices to get what we get.

Thank you. I think we need to move on to the next talk.