 All right. Thank you for setting up. I'll do the help. Yes. So, so my name. So let's go to what I want to show you today. Oh, yeah. I see. All right. Yeah, so do you know, they know to be unsafe. And on the odd hand. Yeah, cause you don't want to review your locking to Google. Right. So how the current solution work. Okay. I'm sorry. Yeah. Yeah, now can you hear me. Yeah, can you see. Then we can see the screen. Thanks. So this is the motivation. Like, for example, the post with backup. So this is the tool. Oh, yeah, I don't want to do that. I mean, at least they can hear. Yeah. So, can you. When you install the app, like here, for example, on your phone. So, so the app asked you to say whether you can you want to see who is your friends. You telegram so that they can chat with them. So the current solution here is that you send all your address book to telegram. And, and take it like wrong. Who is your motor friend. Right. So see the current solutions and possible. So, the kind of contact contact recovery is happening. You need your friends approval. Right. So, so we need to do some kind of secure computation here. So that's why I come up with why to do that. Stay here. Yeah, so they have different types of mapping. Let me see if they, I, I, okay. Right. How quick I move this one. Okay. Yeah. So this is the first one you see that for the past. Exactly the exact matching. Right. So, we have the white or white card pattern matching. This one is usually for DNA DNA applications. Yeah, we have different kind of matching like approximate matching is for location privacy. Right. So you want to find out nearby friends. And also when you go to the airport, you can see like fingerprints scan. So it's a few applications for the margins. And you want to be like you don't want to reveal your input. Right. And recently like Facebook. They do some advertising. And for example, if I am a blue person. I, I look at the advertising on Facebook. And I make 500 purchase on Amazon. So I do the same thing for the red person do the same thing and make only $5. So at the end of the day, Facebook. Sorry, I Amazon want to know the benefit of that marketing campaign. Right. So if you see the, this person, they not belong to Facebook. I mean, they didn't watch the Facebook advertising. So, if, if Amazon want to know the benefits of ad marketing campaign, then they want to compute only the total amount right of the blue and red person. They don't want to include the gray person here. Right. Yeah. And both parties want to keep their data private. A few more broader applications. You can see here, you see like secure query. And maybe more and more, like more about application on machine learning. So, in machine learning here, you might see right now machine learning see based on all the database. Right. And how to collect the database from different companies. Let's say the company in Asia, they have the data of ice and people. Right. And the company in America and they have the data by people. And now they want to do some training on the joint database. So we really need to protect the company, the data privacy here. Yeah. Actually, the data related to bio information. Right. So, this is like writing much about secure commutation in general. So, well, each party have input. And they want to compute a function on the input. Yeah, and nothing else. So, and a problem I just, I mentioned with you in some applications before, it's called private margins. Right. You want to see where the access to why a very simple one. So, let's say if I have, if you have X, and I have why so the, how easy to compute. How, how can I compute X, where the X equal to Y, which are knowing X and Y. So this is come to, so today the talk today I, I just got very simple protocol for that. So, have you know about the hashing functions, any kind of hashing function like. Oh, I don't know why CFI. So this is the cost of yours. Yeah, yeah, so, so you, you know if you, you know the half function right. I mean in the glass. Do you know what is the half function right. Yeah, so you see, this is like if you go online you can play around with that one. Let's say if you enter CSE 365, it go to this big number. And so for the half functions, so for the harsh functions. If I gave you the input, right, like if you play around with this link, I gave you the inputs. It's easy to compute out book. But if I gave you this one, if I gave you very long this number, it is a little bit hard, it's not a little bit hard to compute back. What is the original input to the hash function. Right. So, but when the inputs domain is more. So you can perform, you can do additional attack. So that you can guess an input from given hash. Right. So, so we can come up with checkup. If let's say this is the Google, or let's me, let's say this is Google. And this is the book. Right. He want to see where the his, his passport. Belong to X or not. So what can he do. Yes, correct. Yeah, is it the good suggestions. Yeah, you just compare hash of X and hash of Y right. And then you don't. But do you see any problem here. Okay. Okay, I'm sorry. Yeah. Yeah, but if you see my previous lies, you can see what is the problems. And if I go into that, thank you for triggering the solution. Fast, right. And they have low communication costs. But the thing here. Sorry, but it's not in secure. In some sense, it's not like completely insecure insecure in some sense. So what a case. So let's say, because the harsh is determined this. Right. So I mentioned in previous lies. If I, I have all X, like if you, your password line 12345 or something like that. Right. So I can thank you all. Yeah. Okay. Yeah, I used to have like, I used to use my mic, any call it to my, to connect to my laptop. But I don't bring it here, but I don't think here. Yeah. Yeah, you see why the insecure. Let me see. Yeah, but surprisingly, right now they don't use this kind of solutions. But this is a storage. I remember I put the day. Yeah, this is a story of 10 years back. The harsh of the in the customer email addresses. And also can be the phone number. Right. Yeah. And also, it's not only Facebook, different, they have made many different mobile machine. Yeah, you see here, they list a few solar telegram the one I mentioned before. Let me see what next. So do you see clearly about the problem here. All right. So now I can come to the show Lucian's. I mean, I think you are curious about what is the secure solutions. Okay, so just want to remind you again what is private marching. I'm watching here. Alice X, both have Y, and they want to compare, they want to compare with X. All right. So this is the symbol I today I present you a very simple. Private marching protocol. And each propose very, very long times ago. So, I'm not sure if you know something like this. Alice to a random. This is the secret. And then what if before the previous solution I, I show you Alice and harsh of why, but now what if I listen harsh of why and rise to the alpha. So because the alpha is secret. So both, let's say both want to compute harsh of 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, but the server here doesn't know alpha. Right. So the server can compute. It's an attack that I mentioned before. Right. So this one they can do. So the solution he is Alex to the alpha randomly. And then send harsh of the Y to the alpha to server and the server to data. Also random, the dollar signing the random. And now, let me see if I can change the color. I think so, let's do that. He sent harsh of the Y. Oh, let me. Yeah. And for this is the whatever they already have before. And now they rise to the beta. So it kind of I can Puzi to the beta. And because Alice. So Alice can remove the alpha from these. So Alice can get something like harsh of Y to the beta. Because he can, he can compute something like. Let me see if I can choose some color here. Yeah. Never mind. Yes. So basically. You can compute something like. Let's say this is what this is T. So Alice can compute something like one to the alpha. This is Alice. Harsh of Y to the beta. And now we're in the next step. What do you think? Yes. Yeah, very good. So you see now. The server send harsh of. To the beta. And Alice don't have beta. So Alice doesn't cannot do this. Attack. So now. To the beta. And that is alpha. And the server have the beta. So each of the party have some. So you can think about like some key, some private key. I don't have a word with you. Yeah. Let me turn off the share screen first. Yeah. Okay. Too much. Can I do that? All right. Yeah, sorry. Before because some technical issues. Yeah. Yeah. So do you see the. The secure private. Like secure solutions for private matching. So the main key. Each party. Have alpha and beta. Which can be like a private key. Okay. Yeah. So my writing is not good. So this is the solution. I just represent again. And in this case. In this case. Alice might have. Several. Password. Right. So. Yeah, I can. I just present again. Whatever I have right before. Yep. The solution for. How you want to compute. A bunch. Private matching. So I think you are. I know that you know about contact tracing. Right. And I just today I want to show you how. The contact tracing. Can be confused. From private matching. So I'm not sure if you know about. This is the very. Alpha view. Of. Tracing. So basically. The. They want to find out individuals. Right. That a patient has been contact with. So what is the current solution. Do any of you like. Have some. A new. Some things you know how contact tracing work. No. Okay. So I can show you. So the contact tracing. You. Bluetooth device. They use. Bluetooth. They use. Bluetooth. And. If I install. The contact tracing application on my phone. So. The phone. Broadcast. A render. So. So you see. Let's say. My phone broadcast. One, two, three. And if anyone nearby me. The phone. The phone. The phone. The phone. The phone. The phone. The phone. The phone. The phone. The phone. Your phone will also receive number one, two, three. So let's say I contact with you. You will. Yeah. The TA. So. So when I get positive with this. I send. All the topic. Like I have number one, two, three in my phone. I send it to the server. Right. So number one, two, three indicates positive. I send it to my phone. Right. The phone. The phone. I send it to my patient. Like. Anyone nearby me. Before. He. Like. Sama here. Alice. Download. All the positive. Random. To the phone. Right. And you see Alice seen number one, two, three. Before. What the number one, two, three before. And now Alice can do the marching. And. have some I contact with like Alice can say Alice contact with the positive person before right and so this solution they gave you a random number the personal information never shared or collected right yeah however it have some problem with um she has some problem with contact tracing thank you so the a few security issues in the current contact tracing protocol so today I will cover because of time limits so I only cover linkage attack and how to scalable for the large end user device so what is the link attack so basically it means that the attacker can link the users and then re-identify their contact of their contact history right I can show you why do you see any suggestion why they have this attack yeah the the problem here is because all tokens all the positive tokens here publicly publicly available right so let's say I come to the class today I talk with the TA right and I will see the token one two three and later I see that token belongs to the list of the server so I know that sorry but I know that the TA have some some problems right so this one I can re-identify who the bot in this case yeah and also even more thing you can inform the bluetooth device and then you can collect all the random tokens so this is the real this is the real attack to the google google and solution so another issue is about the performance so when you like contact tracing needs to be scalable for billion or trillion users right but right now is because Alice have to download all the token so it's not it's not scalable so you see here the solution needs to download like 500 megabytes per day yeah so it's not a good solution and for that to do the contact tracing you have to use the good for so today I call the time left I want to show you how to prevent the link attack using private matching so you you see the the main problem here again here is because of token here publicly available right so this is a main problem and this one you see is similar to the password checkup that I mentioned before basically Alice have a list of numbers and this she consider like google right have a list of numbers and they want to find out where the there is a match the solution here is that we build private matching between Alice and the server and what we would really want here is that let's say Alice have the checkup x right and the server have y and now you want to know where the the size like different like the previous sorry different with previous one now you want to find out the size of the magic it's not the match or not but now you want to find the size of the magic yeah so if if we have this tool if we build this tool in the middle between Alice and server then Alice doesn't know which token in package yeah so this is a solution I have I show before you remember how to find out how to find out where the where the they have the common between x and y this is a solution I show before let me see yeah but for this solution you see Alice still can learn which one in match right because he know the corresponding if you send in order if you send in order something like this and let's say y1 y2 equal to s1 right if you send in order so so if let's say I want it to equal to sorry y2 equal to s1 then at the end of the day Alice can compare this with half of s1 to the beta right and can see exactly why one equal to s2 so female tool what I have before here Alice can see number one two three right and from the number one two three Alice can see who who he who she was content with right so we really want what we really want here we really want something like the size only the size of the intersection and nothing else right we don't want to reveal which item in the intersection because if I can see that I can again do the same thing as I mentioned before I can try back and see who from whom I receive the token right so what would you think any suggestions about how to so what I have here is for to compute the size of the intersection right and they also learn which item is coming so what do you do you have any suggestions how to learn only the size and nothing else yeah the tricky here is very simple um basically you just permute you see this one it permutes basically you just remove the link between the I mean remove the order right so I can show you again yeah so basically you just the permute the server just permute all the half so now you see if I do the permutation so you see the computation here you have some permutation and where the server not hold the p right so you can consider like the permutation function is private so if if they have the permutation then Ali still can compute the size of the intersection why he doesn't know so let's say he can see like something like half of the y pi of number two or maybe let's say pi of one equal to two right so so Ali can see half of y pi of one to the beta equal to half of x to the beta x one to the beta but the point the main point here is that Ali don't know the permutation function so Ali can trace back which item is in the intersection right so the tricky very simple you just do the permutation and yeah any questions so far how okay yeah this is a good question yeah I think I came to the next slide for that solution so for your question so you know when you compute the thing here in cryptography maybe later in the class you will learn that in cryptography if you compute something like half of the x to the beta to the alpha and where you keep the alpha so that one is not efficient because you how you you have to compute the exponentiation right see exponentiation so it's not efficient uh yeah let me go further but before going to your your before answering your question um they have another problem with this solution so the server you see the server have to send a last like if I have if the contact tracing for trillion users so you can image how big you have to send from the servers to the users right yeah I mean even your phone like one gigabyte two gigabytes you can hold all the data yeah so we have the solution for that in crypto we have kind of like private information retrieval it's something very high level idea but I want to say here that so if you can consider like this one is the building block so very magic why want to allow you to book the information I mean allow Alice to give this one to the box and the server gave this one to the box and then say yes or no yeah um so with this solution we can prevent the link effect right so I no longer know now I thought I no longer know which token is positive if I'm the user so yeah but as you are asking it's very heavy on property of operation and it requires exponentiation for each item right so here is some number we don't have the like this is already a few number only on client side and because we use the pick for peer as I mentioned before this is the solution be the the cost on only on the user side I didn't report the time for the ones I mentioned for you but I think so I think this is what I if for two twenty something like that if you compute the house I might be I don't let me see let me give you a few numbers so if you want if you have two to the twenty item and if you want to compute half of x right to the alpha yeah probably it costs at least I can't get I mean I have the paper I can give you the number if like exact number if you want if you are interested but it costs at least a few minutes yeah this is the yeah at least a few minutes if you have a million items only if you compute the house you rise to the alpha it costs a few minutes but for this solution you see it's only a few a few milliseconds yeah but again this is the on the user side yeah I think I don't remember exactly the number in my paper we have paid for that one but I don't have that number here yeah but people try to avoid the implementation this is the point yeah but in company because the solution is simple easy to maintain easy to implement so this show the solution the hashing solution with the alpha here he still prefer yeah people still prefer that solution because it's easy to implement it do many things easy to understand too right and easy to maintain all right yeah so you see this is only the cost on the user and how how about on the server let me see what I have here yeah and okay and one thing I want to say here is on the peer efficient on the good form I mean if you have the good I think this is using the good form so my question like if I have smartwatch or my parents have very poor phone right so how can they do contact tracing so this is another question we want to ask what time we have yeah so to improve the performance I mean if I want to do contact tracing and I don't have a good phone so what can I do so let's say if I want to go to uh the if I want to go to campus I live very far from here so what can I do I can walk right so I have to rent I have to rent I don't have car but I have to rent a car or I take the bus so it's similar here if I now have a good phone and but I really want to do contact tracing I have to outsource my computation to the server so very trivial uh uh concept here so what I want here is I send all my tokens to the black server right and let the server do whatever they want to do and then the server gave me yes or no yeah all right let me see what yeah so all right you already see this but yeah yeah however you see this solution leak the again leak uh at least travel history to the black server right do you see why yeah let's say let's say we have three people here and all two people receive my token number one two three right and the black server if he can collect all the topics so he can link who are together who talk together right so so this is this is how why we this solution still work if you believe on the server if you trust the server right so so we have uh all the protocol so the key idea here is instead of using one server now I can use many different servers right kind of I have the key and if I gave the key to the ti and if the ti go gave the key to someone else then I have to see problem with me right but now if I have the key I see pressure to each of you in the class so if all of the person in the class collude then it comes to problems otherwise it's okay right so similar similarly here I have number one two three I gave number one to this server I gave number two to that server and I gave number three to this server so if if if the server wants to know my token the server has to be together right because each of them holds a piece of my key yeah so kind of it calls secret sharing in the field it calls secret sharing so if I if I do something like that and now I let the server the server together do some computation with the with the back end server right then somehow it can give me the answer so I'm I won't go to the detail of the protocol it's very complicated but this is the high level idea how I can use contact tracing using my smart watch are you a very powerful just to pressure my token to several servers and the security assumption here that if I use more servers then the protocol is more circuit right yeah I don't know so in in my field people call that when it delegated so it's kind of you do that to get your computation to someone else yeah but the important thing here is somehow you don't review the information to to to the one you will delegate if I can do you see this is a few performance that I want to show you and again it's only on the user right it's not on the server side it's only on the user and if I use delegated it takes only two milliseconds in span of like 394 here so you you see you have 200 times improvement if you use the outsourcing computation all right so do you have any questions with me to me about contact tracing before I move to something else yep sorry we call them the role the interactive which one do you refer I'm sorry I can't see yes and what oh I see it oh yeah I'm sorry yeah this is called negligible so it's very small it is very small like it's even smaller than 0.000 I don't remember exactly but yeah it's very small like it kind of 0.0001 or something like that oh I can recall you this is a pack solution and for this solution why it's very small because it go back to here it just the solution is something like that yeah I send the token to the server so that why it's very small okay yeah so they have a few open programming my few so the first one is about privacy preserving machine learning uh like very recently several company has to go to that and working on it so kind of a few problem that I'm listing that I'm listing here about circular software learning yeah and also something about glustering let's say we want to cluster several people in the class yeah but we don't want to reveal each information of the students yeah a few more things like system recommendations so let's say I you know right now if you if you go I think this is what you see if you go to amazon right you shop for a book or you shop for something else and I'm not sure if you you Facebook or Twitter but but if Facebook if you you go to amazon you you shop for the book later if you if you go to Facebook you can see that the book you just see on amazon right yeah you see you you have you ever asked why like Facebook have your data so this is the system recommendation and right now the the following can be not private I mean because they based on the form so it's not like completely secure and say for example if you go to some video website you see something like I mean some video like sensitive video right you don't want people know which which video you watch so this is the system recommendation and that's why we need privacy preserving they have a few more many different problems and also about secure query as I mentioned before right so yeah you want to shop for something but you don't want to reveal what you shop for and few more application like voting you know when you when you vote when you go to when for like for if you want to vote who is president or something you want to keep your vote private right but in the meanwhile you want to you want to verify that your vote is out at the final right finally your vote should be called so how can you verify how can you make sure that your vote is private and how can you check the final answer it counts your vote so this is it come we've come up problem with secure voting and it come with the problem of secure let me verification yeah somehow you can verify your vote finally count in the final result yeah so right now it's very complicated so people don't do electric voting right people do just do minority but I think I don't know in how about in the future but secure voting and secure option is very interesting problem all right I think this is this is all my talk today so do you have any questions about uh like the future it normally say future it's high or something too broad but I think if you see any problem that you are interested in if you want to learn more you can talk let me know so this is all some like I hear I'm just highlight some problem that people looking for right uh yeah but before any application we need to make sure that the protocol is secure and we want to do something that helps us how to how to how to produce half of us to the alpha efficient yeah so they have a few directions in in our in my view yeah I think I'm done yeah let me see if I have any questions in the chat wow the people can hear me all right yeah yeah thank you for coming so um if you have any questions you can I mean because I usually gave another like three or four minutes left if you have any question you can film otherwise you are free yeah hi yeah thank you very much for for answering the questions very nice yeah so uh thank you