 Hello everyone, I'm Haowen. I'm going to present our work computational robust fuzzy extractors for CIS dependent sources. This is joint work with Qiangtang. A basic goal of cryptography is to enable two parties, Alice and Bob, to securely communicate over an ultra channel that may be controlled by active attackers. As everybody knows, if Alice and Bob already share a perfect secret, we have a bunch of tools to enable them to establish a secure channel. But in many scenarios, they may just share a weak secret, or just a pair of clothes, but longer than equal weak secrets. Here a weak secret is a private, but longer than a string. It could be password, or biometric information like fingerprints. This might also be generated by some physical means or caused by leakage. In such a case, Alice and Bob have to run a primitive called an authenticated cake change protocol to agree upon a perfect secret. In the history, this fundamental primitive has been studied under different lengths. Among them, the robust extractor actually defines the one message a.k.a. And if it also works for a pair of clothes weak secrets, we can call it a robust fuzzy extractor. In general, it can be described by a generation algorithm and a reproduction algorithm. Alice can use this generation algorithm to produce a perfect secret along with a helper string. And after receiving this helper string, Bob can reproduce the same perfect secret as Alice does. It has two security requirements. The immediate one is the privacy. It says this producer's secret should be indistinguishable with the uniform randomness, even conditional on the public helper string P. This is also why we consider this primitive as the variant of a randomness extractor, because this generation algorithm actually extracts a nearly uniform string from a non-uniform string. The second requirement is robustness. An active attacker might change the helper string to another. The robustness ensures that any manipulation will be detected and rejected by the reproduction algorithm. There is a stronger notion called post-application robustness. It considers a stronger adversary than can obtain the extracted randomness from other applicable applications. This property ensures this adversary still cannot manipulate the helper string without being detected. To distinguish it, we call the original robustness pre-application robustness. The one message feature is of course appealing and useful, but it's also very expensive. Here, consider the setting of information theoretical security and player model, where the attacker can have unlimited computation power and there is no trusted setup. This is the most desirable setting. However, for robust extractors, dollars and weeks have given a tight bond on the admissible security source. That says, if there is a robust extractor for all secret sources with n bit lengths and k min entropy, the entropy rate k over n must be larger than the half. This requirement directly includes many natural sources, like fingerprints. In contrast, many interactive AKE protocols could work for sources with super-log min entropy. Or if we don't require robustness but ask for one message feature, the conventional randomness tracker can also work for sources with only super-log min entropy. On the other hand, there are triple solutions in the relaxing models. For example, in the random worker model, Alice and Bob can directly query the random worker with the weak secret to get a perfect secret. And in this case, the helped string is just empty, so it's surely a robust extractor. But the problem is, RAM worker clearly does not exist, so it's just a theoretical approach that we wish to avoid. We can also put the seed of a randomness tracker into the common reference string, and Alice and Bob can extract the same perfect secret using this seed. This also gives a robust extractor in the CRS model. But the problem is, the secret sources have to be independent of the CRS, since the seed of a randomness tracker should be independent of the sources being extracted. We found the CRS independence requirement is hard to justify. CRS is fixed and public, and everybody can say it. It's hard to ensure a source produced after seeing the CRS is not affected by the CRS. For example, if the source is from a maliciously manufactured device that contains the CRS, it should be CRS-dependent. And more generally, for any sources, once a CRS-dependent information is leaked to adversaries, the remaining secret is CRS-dependent. So, we are curious about that. Can we have a robust extractor for CRS-dependent sources without raising extra entropy requirements? To have a clear picture, let's recall the landscape. An information theory to secure a robust extractor in the plain model only works for sources with entropy greater than half. On the other hand, we know how to get around this lower bound by using a random protocol where introducing a CRS but require the sources to be independent of the CRS. However, for the CRS-dependent model, then we think it is stronger than the plain model, but more standard than the CRS-dependent model and the random protocol model. There is neither positive result nor negative result yet. And relaxing to computational security was not shown helpful as well. In this work, we first formally proved that the lower bound for plain model and information theoretical construction still holds for CRS-dependent and information theoretical constructions. So, to bypass this lower bound, we have to look at computational settings. Fortunately, we really solved this problem. We proposed a computationally secure robust extractor for general CRS-dependent sources with minimal entropy requirement. We also extended our solution to the fuzzy case and gave the first computational robust fuzzy extractors for CRS-dependent sources without requiring the half-interpreter rate. Now, let's present our first result in more detail. To begin with, a CRS model robust extractor can be described by a CRS setup algorithm, a generation algorithm, and a reproduction algorithm. It's equal to view this construction as a family of plain model instances and distribution over this family. Here, each instance is the generation algorithm and the reproduction algorithm with a fixed CRS. Electric security is like this. For any adversely and any CRS-dependent NK source W, a randomly chosen source instance is good. That says, this adversely only has very small advantage to win the security game. We obtained our result by proving that the quantiverse can be swept in this setting. That says, there must be an instance that is good for any adversely and any source. So, this instance is already a secure plain model construction. In other words, an information-theoretical CRS-dependent robust extractor implies an information-theoretical secure plain model construction. So, the same lower bound applies here. We proceed this proof by swiping the quantiverse one by one. The security definition for single property already guarantees that for each adversely and each source, a randomly chosen instance is good. We first apply standard techniques like Markov's inequality to show that for each adversely A and each source W, there is a set SAW of instances that are good for them. And the weight of SAW should be larger than a parameter delta. We then swap the quantifier between the set and the source. We prove that for each adversely, there should be a set SAW of instances that are good for this adversely A and any source W. Particularly, the weight of the set SAW should still be larger than delta. This step heavily relies on the fact that sources can be dependent on the CRS. Most diversively, we define the set SA as the intersection of all SAW for all sources W. And then, SA, the weight of SAW should be larger than the parameter delta. Otherwise, its complementary set should be with weight larger than 1 minus delta. Then, by definition of the complementary set, each instance in the complementary set should be bad for at least one source. Then, we can define a new source. Its conditional distribution on each CRS in the complementary is a bad source, which Arthur mentioned. Then, by definition, for the adversely A and the new source W star we just constructed, there is no set SAW star with sufficient weight larger than the parameter delta. In the last step, we swap the quantifier between the set and the adversely. We prove that there should be a set S of instances that are good for any source W and any adversely A. This step is similar to the last step we described and relies on the fact that the adversely A is information theoretical and it means it has unlimited computational power. And at this stage, we already have a good set with respect to a single property. We finally prove that the good sets for different properties have an intersection and then an instance in this intersection is a secure plane model construction that we need. Our second result is a computational robust tractor for CRS dependent sources with minimal entropy requirement. To make it a modular and easy to understand, we abstract a new MAC primitive which we call copy MAC and show how to use it to reach our result. Our intuition is very natural. As I mentioned before, a randomly set tractor can be used as a one-message K exchange protocol against passive adversaries. So, if we can somehow authenticate the public seed, such that even active adversaries cannot change it, then we'll already obtain a robust extractor. Let's see our framework in more detail. Since both Alice and Bob already share a weak secret, it's natural to use this weak secret as the main key. Then, the helper string will contain a public seed for random extraction and a MAC tag that authenticate this public seed. In reproduction algorithm, it first checks whether the MAC tag is valid. If invalid, the reproduction algorithm just aborts. Otherwise, it uses the public seed to reproduce the same perfect secret. One tricky part here is that we actually use the weak secret for both random extraction and MAC tag duration. So, to ensure the final construction is secure, the component must provide some level of composition security. Most versically, it's easy to say long macs are insufficient. For random extraction, since the helper string already contains a MAC tag, this MAC tag must contain sufficient amount of information about the weak secret. So, we cannot ensure the extracted randomness is still still random, and for MAC. And since we want to post an application, the public seed and the extracted randomness will be leaked to the adversary. So, we cannot ensure, in this case, the MAC is still unfurgeable. So, we need additional properties to ensure the composition security needed. Most versically, to ensure the randomness extraction is not affected by the MAC, we require key privacy. That is, the MAC tag does not leak partial information about the secret. And in the other way, to prevent the MAC being affected by the randomness extraction, we require the MAC to be secure against auxiliary input leakages. Another implicit requirement is that the key should be structurally, such that we can directly use a weak secret as the MAC key. Putting all requirements together, we define Kappa MAC. A Saturday in our definition is to identify the largest admissible auxiliary input class. On the one hand, it should be computational how to invert. On the other hand, it should not contain authentic text. Otherwise, adversaries can leverage the tag to break the unforgeability. We refer you guys to our full paper for the detailed treatment. Now, I will show how to construct Kappa MAC in the CS model from real study assumptions. Our starting point is using an auxiliary input signature as a MAC. This is the digit signature allows the adversaries to say some verification K dependent leakage. And the most standard way to use it as a MAC is to enable the verifier also have the signing K. But a problem here is that in the setting of MAC, we cannot directly assume a trusted verification K. So, we may put it as a part of the MAC key. But for Kappa MAC, we need the MAC key to be structurally, so we cannot put it here. The only choice is to let it be a part of a MAC attack. But now, the adversaries may have an extra advantage by modifying this verification K. To address this problem, we first directly leverage our CRS model. Most adversarily, we split the verification K into a user-specific part, YK and a common part, and put the common part into the CRS such that adversaries cannot modify it. The remaining challenge is to ensure verification on YK is still useless. That says, even if the attacker changes YK, the signature, and the message together, the verifier Bob can still find its invalid MAC tag. Another challenge is to ensure YK cannot depart information of SK. This is necessary for the K privacy property. To address these challenges, we choose to strengthen an auxiliary input secure signature scheme proposed by KAWS and Vekontana then. In their scheme, it contains two building blocks, a leakage-resonant heart-relation and a true simulation-extractable risk. In our Kappa MAC, we propose a so-called strengthened leakage-resonant heart-relation, which simultaneously guarantees that manipulation on YK is useless, and YK has partial information of SK. Let's recall the KAWS-Vokontana signature. Its building block, leakage-resonant heart-relation, is an NP-relation with a generator, such that, given the system Y and the leakage on Y and the weakness K, finding a valid weakness K prime for Y is hard. When using it to construct a signature, the weakness K will be the sign K, Y and a risk CRS will be the verification K, and the signature is a proof of knowledge of K. From the property of a true simulation-extractable risk, we can extract a valid K prime from a valid signature, which contradicts the leakage-resonant heart-relation definition. So, this signature scheme is unfeasible with respect to auxiliary input leakage. We strengthen the leakage-resonant heart-relation in multiple places. First, we split the generator to PG and SG. PG is independent of weakness, so it can be put into CRS to leverage the flexibility provided by our CRS model. The weakness is just sampled from a secret K source, and the YK is generated according to PG and K using SG. So, we can ensure the MAC, which for structure-less MAC case, PG and YK together are the statement. Regarding the leakage, here is just a function of K and PG. YK is not the input of the leakage function, because it is now a part of an authentication tag and only needs to be considered prior to leakage. This is something we can leverage to improve our construction. Then, the first we need to find, which is K prime, for YK prime specified by himself, instead of finding K prime for the honestly-generated YK. This is because YK is in the authentication tag that can be modified by the adversary. But the YK prime with PG should still be a valid statement with respect to K, since verifier has the original K to check whether YK prime is valid. Finally, YK and PG should hide the information about K since we need K for everything. With this strengthened leakage-reasoned-hard relation, we can build a couple MACs by following the framework of KTH and VK signature. The MAC consists of a YK generated from the WKK and a needs proof demonstrating the knowledge of K with respect to PG and YK. The verification checks both whether YK, PG, K belongs to the relation R and whether the needs proof is valid. Here, the message can also be bound to the proof using standard techniques. Then, we construct this SLRH relation. Recall that an SLRH relation ensures PG, YK, HK, which is necessary for privacy. And it prevents adversaries from finding YK prime, K prime and such that both PG, YK prime, K prime and PG, YK prime, K belong to the relation. We observe that privacy requirement really prevents from finding the same K from PG and YK. So, if we can further provide collision resistance, which means the adversary cannot find a different K prime to the K, we can have an SLRH relation. Following this observation, we first construct a private relation from deterministic public key encryption. Here, we just encrypt the WKK under a fresh public key and let the self-test and public key be the statement. It's an MP relation since it can be efficiently checked by just re-encrypting without using any remnants. It's also private, given the auxiliary input security of the underlying DPK scheme. But it's not collision-resistant because if the adversary changes the PK to a band PK, there might be multiple messages with respect to the same self-test under this band PK. The last step is to leverage the NISC to enforce the goodness of the chosen public key. That says the WK should contain a valid proof that demonstrates the chosen public key determines an injection. In this case, a self-test C and the public key can uniquely determine the underlying message key, so the whole relation is collision-resistant. From our primary result, if a relation is both private and collision-resistant, it's already a SLRH relation, surface for our need. As a conclusion, we first construct a robust tracker between CAPMAC and conventional RAM extractors to make the robust extractor work for any self-dependent sources with minimal entropy. This CAPMAC should also be secure against any unpredictable auxiliary inputs. Then we construct the CAPMAC from a true simulation tribal NISC and an SLRH relation. And this SLRH relation can be constructed from NISC and a DPKE scheme, and the DPKE scheme should also be secure against any unpredictable auxiliary inputs as well. Let's check the assumptions needed for the primitives and the leaf nodes. For RAM extractor, we have information theoretical secure constructions. For NISC, including true simulation tribal NISC, it can be constructed from RSA something or pairings. Or more recently, from the LRBE something or the DDHR something. For DPKE against any unpredictable auxiliary inputs, we have constructions from an exponentially hard DDHR assumption. So our robust extractor can be built upon well-studied assumptions. Our third result is an attention to the fuzzy case. We show that with a stronger CAPMAC, we have robust fuzzy extractors for CRS dependent sources without the half-intermediate requirement. And more interestingly, our CAPMAC construction already satisfies the stronger definition, so we can have the robust fuzzy extractors from the same assumption as the robust extractors we give above. Let's start from a standard construction of fuzzy extractors. It uses a secure sketch, which is an error-correcting code, whereas the code does not leak much information about the message. The help string now contains sketch information, with which the reproduction algorithm can convert the weak secret into another close secret that was used to generate this sketch. And then this weak secret can be used to produce the same perfect secret as the generation algorithm does. As before, we consider using CAPMAC to authenticate the help string such that the adversary cannot manipulate the help string without being detected. However, the standard CAPMAC is insufficient here. This is because we cannot ensure the weak secret key recovered from the secure sketch is identical to that one used in the generation algorithm, and the adversary can manipulate this secure sketch as well. By the definition of the secure sketch, we can only ensure the weak secret is close to the input secret of the reproduction algorithm. So we need a stronger CAPMAC which prevents adversaries from forcing an authentication tag being accepted by a close secret. We call this property fuzzy unforgability. Fortunately, although standard CAPMAC is insufficient, our CAPMAC construction actually satisfies this stronger definition. As Ja said, we construct robust fuzzy character using CAPMAC with fuzzy unforgability. We then construct this CAPMAC from a fuzzy S-I-L-R-S relation which requires the adversary cannot find k' and vk' such that vk' and pp is a valid statement with respect to some k star which is near to the original weightless k. For this fuzzy S-I-L-R-S relation, we don't need other fuzzy building blocks. Instead, we prove a private relation plus a creation-resistant relation implies this fuzzy primitive. The key idea is to show that the privacy already ensures that one cannot find a close secret from vk while we already prove that the exact secret cannot be recovered from vk. We argue this in two cases. First, it's easy to show the invisibility of finding a very close secret. Otherwise, one can guess the exact one with high probability. We also prove it's still invisible to find a not very close one. This is because one can always recover the exact one with the help of a secure sketch if it can find a not very close one. Note that our privacy definition is secure against auxiliary inputs. We can treat the secure sketch as an auxiliary input and give it to the adversary. So we have this result. Now let's have a summary. On the negative side, we prove the lower bound on the entropy rate requirement that was established for information theoretical and playing model robust extractors, studio holds, even when we introduce CRS and consider CRS dependent sources. On the positive side, we beat the bound in the computational setting by giving a concrete computationally secure robust extractors for CRS dependent sources with minimal entropy requirement. We also extend our solution to the further case. Along this way, we present a new Mac primitive called KappaMac that satisfies key privacy and auxiliary input security which might be of independent interest. That's my presentation. Thanks for listening.