Hi everyone! The topic of our paper is de-randomizing Yao's weak-to-strong one-way function construction. This is joint work with Chris Brzuska, Geoffroy Couteau, Pihla Karanko (that's me), and Felix Rohrbach. First, let's start with some definitions. What is a weak one-way function? We say that f is a weak one-way function if, for all probabilistic polynomial-time adversaries A, the probability that the adversary, when given the output f(x), returns a correct preimage of f(x) is at most 1 - 1/p(n), where n is the length of the input. Here x is sampled uniformly at random from the strings of length n, and p is some polynomial. Sometimes we write that f is a p-weak one-way function to emphasize which polynomial this is. So a weak one-way function may be invertible on all but this polynomial fraction of inputs; it is indeed a very weak notion of one-way function. Next, what is a strong one-way function? A strong one-way function is the usual notion of one-way function: we say that g is a strong one-way function, or just a one-way function, if for all probabilistic polynomial-time adversaries, the probability that the adversary, when given g(x), returns a correct preimage of g(x) is negligible in the input length.

All right, so now we know what weak and strong one-way functions are. What is the construction by Yao? A famous theorem by Yao from FOCS 1982 says that if we have a p-weak one-way function f, then the following g is a strong one-way function: g takes a long input x_1, ..., x_l and outputs the concatenation of a bunch of calls to the weak one-way function, that is, g(x_1, ..., x_l) = f(x_1) || f(x_2) || ... || f(x_l). The theorem requires that l is at least m * p(m), where m is the length of each x_i, i.e., the input length of the weak one-way function. So if we make this many calls to the weak one-way function, the resulting g is a strong one-way function.

So now we know what a weak one-way function is, what a strong one-way function is, and how Yao's construction turns a weak one-way function into a strong one. What do I mean by de-randomizing in this context? Let me first write Yao's construction in circuit notation: g takes inputs x_1, ..., x_l, feeds each of them into a layer of calls to the weak one-way function f, obtains y_1, ..., y_l, and returns these. This is nothing fancy, I just rewrote the definition of g as a circuit. The question we are interested in is: is it possible for g to have a shorter input? Since each call to the weak one-way function f takes a completely independent random input, g must have a very long input, polynomially long as we saw. In other words, we are interested in whether we can use less randomness, and I can state this more precisely using the circuit notation.
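To fix ideas, here is a minimal sketch of this direct-product construction in Python. Everything here is a placeholder assumption: `weak_f` stands in for some candidate weak one-way function, and the block length and the value of p(m) are toy choices, not the paper's concrete parameters.

```python
# A minimal sketch of Yao's direct-product construction (toy parameters).
import os

M = 16                # length m of each x_i (here counted in bytes)
P_OF_M = 8            # stand-in value for the polynomial p(m)
L = M * P_OF_M        # number of f-calls: l >= m * p(m) as in Yao's theorem

def weak_f(x: bytes) -> bytes:
    """Placeholder for a p-weak one-way function on M-byte inputs."""
    raise NotImplementedError  # assumption: some candidate weak OWF goes here

def yao_g(xs: list[bytes]) -> bytes:
    """g(x_1, ..., x_l) = f(x_1) || f(x_2) || ... || f(x_l)."""
    assert len(xs) == L and all(len(x) == M for x in xs)
    return b"".join(weak_f(x) for x in xs)

# g consumes l independent random blocks, i.e. a polynomially long input:
# xs = [os.urandom(M) for _ in range(L)]
```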
So let's take this Yao construction and ask: could we add some pre-processing function in front, so that we have some short input x, apply some pre-processing to it (maybe something that yields pairwise independent x_i's, say), and only after this pre-processing pass the resulting inputs to the layer of weak one-way function calls, and then return the outputs. We are interested in whether this kind of g is possible. In particular, if the inputs to the weak one-way function are of length m and the input to the whole strong one-way function is of length n, then it would be great to get n equal to some constant times m. Only a linear blow-up in the input length of the strong one-way function g would be nice; then g would be security preserving.

Now, the result of our paper is unfortunately negative: no, you cannot have a short input here. And how bad exactly is the situation? We show that there exists no pre-processing function with input length n at most a constant times p(m), where p is the polynomial related to the weak one-way function and m is its input length. So if our weak one-way function is p-weak, then the pre-processing must have an input longer than a constant times this polynomial. In other words, we show that you cannot prove that a g which uses such a short-input pre-processing is a strong one-way function. And what exactly do we rule out? We rule out black-box proofs: you cannot prove in a black-box manner that g is a strong one-way function if it has such a short-input pre-processing. Black-box with respect to what? The proof should treat f as a black box. It is allowed to know the inversion probability p, but otherwise it should be completely black-box with respect to f. Additionally, the proof should be relativizing. In particular, we rule out the proof of Yao's theorem: that proof is black-box and relativizing by our definitions. Even though that proof uses the polynomial p, we still call it black-box, because otherwise it treats f as a black box.

But before I go to the proof, let's look at what is still open, that is, what we do not prove in the paper. We only look at constructions of this shape: some input x, then some pre-processing, and then the layer of f-calls. But what if we want to generalize this to all non-adaptive constructions? In general, a non-adaptive construction might additionally have some post-processing, and the post-processing layer might also use some additional data, call it d, which is not passed through the f-calls. What do we say about such general non-adaptive constructions? First, if the post-processing is almost injective, meaning that given the output z one can guess all the y's with non-negligible probability, then our proof still holds. So the same negative result holds for any almost injective post-processing function. What is still open is compressing post-processing. For example, the post-processing could be the bitwise XOR of all the y values. That is highly compressing: you cannot guess the y's given only the value z, and in that case we don't have a result. And this takes care of all non-adaptive cases, but what if we allow g to be adaptive? (Both of these shapes are sketched below.)
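To make these shapes concrete, here is a minimal sketch of the short-input pre-processed construction and of the general non-adaptive shape. `preprocess`, `weak_f`, and the way the side data d enters are hypothetical placeholders, with the bitwise XOR from above as the compressing post-processing example.

```python
# Minimal sketches of the construction shapes discussed above (placeholders).
from functools import reduce

def weak_f(x: bytes) -> bytes:
    raise NotImplementedError  # some candidate p-weak OWF, as before

def preprocess(x: bytes) -> list[bytes]:
    """Expand a short seed x (|x| = n) into l blocks of length m."""
    raise NotImplementedError  # e.g. some pairwise-independent expansion

def short_input_g(x: bytes) -> bytes:
    """The shape our negative result addresses: pre-processing, then the f-layer."""
    return b"".join(weak_f(xi) for xi in preprocess(x))

def nonadaptive_g(x: bytes, d: bytes) -> bytes:
    """General non-adaptive shape: a post-processing layer that may also use
    side data d, which is not passed through the f-calls."""
    ys = [weak_f(xi) for xi in preprocess(x)]
    # compressing post-processing example: bitwise XOR of all the y's
    z = reduce(lambda a, b: bytes(u ^ v for u, v in zip(a, b)), ys)
    return z + d  # toy way of letting the output also depend on d
```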
Maybe we only care about whether the input to g is short, and we don't really care what the construction looks like. Well, in that case there actually is a positive result by Goldreich, Impagliazzo, Levin, Venkatesan, and Zuckerman from FOCS 1990. They show that if the weak one-way function is regular, then there exists a short-input strong one-way function construction g, and their proof is quite nice. Their g takes some short input x together with some indices i_1, ..., i_k. It passes x into the weak one-way function and obtains an output y. Now, if f is length-preserving, we can think of the inputs and the outputs of the weak one-way function as nodes of an expander graph: a big expander graph with as many nodes as there are bit strings of this length. Once we get the output y, we interpret it as a node in the expander and follow the i_1-th edge out of the node y, ending up in some other node, call it y'. Then we feed y' into the weak one-way function again and get some y''. We again interpret y'' as a node in the expander, take the next index, take another step in the expander, feed the result into the weak one-way function, and so on, alternating expander steps and weak one-way function calls.

However, there is a small caveat: this only works if the regularity parameter of f is known. To overcome that, more recently, in 2006, Haitner, Harnik, and Reingold showed that you can replace the expander steps with hash function calls. They again take a regular weak one-way function f and construct a g that takes some short input x and some hash functions h_1, h_2, ..., h_k. We again pass x into the weak one-way function, but now, instead of using the expander, we use the first hash function: we feed the output into h_1 and then make another weak one-way function call, then apply the next hash function h_2, and so on, alternating calls to the weak one-way function f and the hash functions. This is also known as the randomized iterate. Again we get a strong one-way function from a weak one-way function, but now the weak one-way function is allowed to be an arbitrary regular weak one-way function, so we no longer need to know the regularity parameter.
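Here is a minimal sketch of the randomized iterate as just described; the hash family and all names are assumptions for illustration, not the exact formalization of Haitner, Harnik, and Reingold.

```python
# A minimal sketch of the randomized iterate: alternate f-calls with hash calls.
from typing import Callable, Sequence

def randomized_iterate(x: bytes,
                       hs: Sequence[Callable[[bytes], bytes]],
                       f: Callable[[bytes], bytes]) -> bytes:
    """y_1 = f(x); then y_{i+1} = f(h_i(y_i)). Returns the final iterate."""
    y = f(x)
    for h in hs:          # h_1, ..., h_k, e.g. from a pairwise-independent family
        y = f(h(y))
    return y

# The construction's output also includes the descriptions of h_1, ..., h_k;
# for a regular weak f this yields a strong OWF without knowing the regularity.
```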
So here is the big picture: we rule out non-adaptive constructions where the post-processing is almost injective, but we don't say anything about compressing post-processing or about adaptive constructions.

Now, you might wonder how our result is related to the 2013 paper "Barriers in Cryptography with Weak, Correlated and Leaky Sources" by Wichs. It turns out that we are not actually studying the same question, but the setting looks very similar, so let me quickly lay out the differences before we go to our proof. Both Wichs's paper and ours rule out certain black-box proofs. Wichs is interested in the case of a direct-product construction, where we concatenate multiple calls to some function f; it looks like the Yao construction, but the inputs to g come from some correlated source. Wichs shows that there is a particular correlated source, presented in the paper, for which no matter what the function f is, as long as it is some efficient function, such a g cannot be a strong one-way function. In our paper, we are interested in a different question: we show that there exists some weak one-way function f for which, no matter what the pre-processing function is, as long as it has a short input, g is not a strong one-way function. So we rule out all possible pre-processings with short inputs, while Wichs rules out all possible efficient functions f when the inputs are correlated in a certain way. Accordingly, the proofs we rule out are black-box with respect to the adversary and black-box in the weak one-way function f, while in Wichs's paper the proofs are black-box with respect to the adversary and the correlated source. I hope this clarifies the differences between these two papers.

And now to the fun part: the proof. Similar to the Impagliazzo-Rudich result from 1989, we introduce some oracles. What kind of oracles? First, we introduce a PSPACE oracle to get rid of all possibly already existing one-way functions. Then we add something that acts as a weak one-way function, namely a random permutation oracle. But now there is a problem, because a random permutation oracle is already a strong one-way function, so we need to somehow make it a weak one-way function. How do we do that? We simply add another oracle, an inversion oracle, which inverts our function f on a random subset of its outputs. And what kind of random subset of the outputs do we want to invert? For f to be a weak one-way function, this random subset (let's call it the easy set, the outputs that are easy to invert) should contain a 1 - 1/p(m) fraction of all the outputs. If we invert this big fraction of the outputs of f, then f becomes a weak one-way function instead of a strong one-way function: f is now a p-weak one-way function. This part should be easy to prove.

The non-trivial part of the proof is to show that we still cannot have a strong one-way function of this shape. What is left to prove is that, relative to these oracles, all functions g of this shape, where the input x is of length n less than some ε times p(m) and the inputs to the f-calls are of length m, can be inverted with non-negligible probability. In particular, the pre-processing function should not make calls to the inversion oracle: the pre-processing can be anything, and it may make oracle calls to PSPACE, that's fine, but no calls to the inversion oracle. Since we restrict g in this way, we only rule out reduction proofs where the reduction uses the adversary against g as a black box. This is, for example, the case in Yao's proof, and this is how we usually do it: the adversary against g might even be inefficient, and the reduction should still work, since it uses this adversary just as a black box. So, to be precise, we only rule out proofs that are black-box with respect to f and with respect to the adversary; see the paper for more details, or ask me afterwards. Cool.
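Here is a toy model of this oracle world, purely to illustrate the definitions. The tiny domain, the fixed seed, and the use of Python's `random` are toy assumptions; the paper's oracles are of course not sampled this way.

```python
# Toy model: f is a random permutation; Inv inverts f only on a random
# "easy set" containing a (1 - 1/p) fraction of the outputs.
import random

M_BITS = 10                              # toy input length m
P = 8                                    # toy value of p(m)
DOMAIN = list(range(2 ** M_BITS))

rng = random.Random(0)
perm = DOMAIN[:]
rng.shuffle(perm)                        # f as a random permutation table

def f(x: int) -> int:
    return perm[x]

f_inverse = {y: x for x, y in enumerate(perm)}
easy_size = round((1 - 1 / P) * len(DOMAIN))
easy_set = set(rng.sample(DOMAIN, easy_size))   # outputs the oracle inverts

def inv_oracle(y: int):
    """Inverts f on the easy set; elsewhere f remains hard to invert."""
    return f_inverse[y] if y in easy_set else None
```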
Okay, so now we should show that such a short-input g can always be inverted with non-negligible probability. The first observation we can make is the following. Suppose l, the number of f-calls we make, is at most the polynomial p(m). Consider the probability that all of the y_i are in the easy set, that is, in the set that the inversion oracle inverts. Here the probability is over the choice of the random permutation oracle f (when I say over f, I mean the sampling of f together with the sampling of the easy set; I always think of the easy set as part of f) and over the choice of the input x to the strong one-way function g. So what is this probability? A single y_i is in the easy set with probability 1 - 1/p(m), and we have l ≤ p(m) of them, so the probability that all of them are easy is at least (1 - 1/p(m))^{p(m)}, because there are at most p(m) many of these y's. This quantity tends to e^{-1}, and hence we can see that already whenever p(m) is bigger than 2, it is more than 1/4. So with constant probability, all of the y's are easy when l is small enough. And if that happens, if all of them are easy, then we actually have an adversary against g: the adversary just inverts all of the y's one by one, obtains the string of x_i's, and then uses the PSPACE oracle to find one fitting preimage of the pre-processing for those x_i's. When the adversary knows all the x_i's, inverting is easy: we can surely find a preimage using the PSPACE oracle. So assume without loss of generality that l is bigger than p(m), because if it is smaller, then with constant probability g is very easy to invert.

Okay, so now we know that g has a short input and makes many calls to the weak one-way function f. The second observation is that, with high probability, a 1 - 1/p(m) fraction of the y's is easy. Look at the probability over the choice of f and over the choice of x: the easy set was chosen as a random subset of the stated size, so whether some particular y_i is easy or not is a Bernoulli random variable with this weight, and hence the expected number of easy y_i's among the outputs is a 1 - 1/p(m) fraction of l. With probability at least one half we indeed reach at least this many easy values, so with constant probability at least a 1 - 1/p(m) fraction of the y's is easy. (A quick numeric check of both observations follows below.)
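Here is a quick numeric sanity check of these two observations, with toy parameters chosen for illustration.

```python
# Observation 1: if l <= p, all y_i are easy with probability at least
# (1 - 1/p)^p, which tends to 1/e from below and exceeds 1/4 once p > 2.
for p in (2, 3, 8, 64, 1024):
    print(p, (1 - 1 / p) ** p)   # 0.25, 0.296..., then climbing toward 0.3679

# Observation 2: among l calls, the number of easy y_i has binomial mean
# (1 - 1/p) * l, i.e. in expectation a 1 - 1/p fraction of the y's is easy.
l, p = 10_000, 8
print("expected number of easy y_i:", (1 - 1 / p) * l)
```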
And now we get to our main observation: when there are this many easy y's, and we invert them using the inversion oracle, the remaining hard x's have little entropy of their own, in expectation. Let's write precisely what our theorem says. Take a uniformly random permutation π of the indices; the expectation below is over π. Since a 1 - 1/p fraction of the values is easy, there is a 1/p fraction of hard values, so we take the Shannon entropy of l/p of the x's conditioned on knowing all the rest:

E_π[ H( X_{π(1)}, ..., X_{π(l/p)} | X_{π(l/p + 1)}, ..., X_{π(l)} ) ] ≤ n / p(m).

So the expected entropy of the hard x's, when we know the rest of the x's (the easy ones), is at most n over the polynomial p. And since n is at most ε times p(m), this expectation is at most ε. So in expectation the hard x's have only ε bits of entropy, some small constant of our choice. This entropy is over the choice of x, and since Shannon entropy is always at least the min-entropy, or guessing entropy, it means that it is easy to guess these hard values, because they don't have much entropy: with only constantly many bits of entropy, you can guess them with high probability. And if you can guess them correctly, then again we are in the situation where we know all the x's, and then you can just use the PSPACE oracle to get back the input x. So this is our main observation; let's prove it. This is our main inequality: why can there be only little entropy left for these hard x's? We don't know what the pre-processing function is, but for some reason there cannot be much entropy left.

Let's divide the x values into blocks. What do I mean by that? For a fixed permutation π, our x's are x_{π(1)}, ..., x_{π(l/p)}, x_{π(l/p + 1)}, ..., x_{π(l)}. Let's divide these into blocks of size l/p: for convenience of notation, define the first block of size l/p as B_1^π, the second block of size l/p as B_2^π, et cetera, so that in total we have p blocks B_1^π, ..., B_p^π. So now we have divided all of our x's into blocks of size l/p, which is how many hard values we have in expectation.

Now we are interested in this expectation of entropy. Let's write the following sum, where each block is conditioned on all the blocks that come after it, and j runs over all of the blocks:

Σ_{j=1}^{p} E_π[ H( B_j^π | B_{j+1}^π, ..., B_p^π ) ].

The reason we look at this sum in particular, even though we are only interested in the entropy of the first block given all the rest, is that it lets us use the chain rule. Let's see how it goes. First, by linearity of expectation, we can move the sum inside the expectation:

E_π[ Σ_{j=1}^{p} H( B_j^π | B_{j+1}^π, ..., B_p^π ) ].

And now we can use the chain rule of Shannon entropy; this is exactly the reason why we use Shannon entropy here and not min-entropy directly. By the chain rule, this sum of conditional entropies is just the entropy of all the blocks together, H( B_1^π, ..., B_p^π ). Well, the entropy of all the blocks is the entropy of all of the x values, and all of these x values come from the seed x, which has length n and hence carries at most n bits of entropy. So this entropy is upper bounded by n, because it is upper bounded by the entropy of x, which is at most n. Great, so we know that

n ≥ Σ_{j=1}^{p} E_π[ H( B_j^π | B_{j+1}^π, ..., B_p^π ) ].

Next, the entropy of a block conditioned on the blocks that come after it is certainly at least the entropy of that block conditioned on all the other blocks: if, in addition to the blocks B_{j+1}^π, ..., B_p^π that come after j, we also condition on the blocks B_1^π, ..., B_{j-1}^π that come before j, the entropy can only decrease. So

n ≥ Σ_{j=1}^{p} E_π[ H( B_j^π | B_1^π, ..., B_{j-1}^π, B_{j+1}^π, ..., B_p^π ) ].

Now look at one of these terms: the expected entropy of one block conditioned on all the other blocks, where the expectation is over the permutation π. The permutation ranges over all possible permutations, and in particular it also ranges over the permutations where block j comes first. So we can simplify and rewrite each term as an expectation over some permutation π', where π' is just a reordering of π; the order does not matter inside the expectation, so each term equals

E_{π'}[ H( B_1^{π'} | B_2^{π'}, ..., B_p^{π'} ) ].

And we notice that this no longer depends on j: it is completely arbitrary which block we consider to be the first one, since we go through all the permutations anyway. So in the sum over j we just add up the same quantity p times, and we get

n ≥ p · E_π[ H( B_1^π | B_2^π, ..., B_p^π ) ],

which is exactly what we wanted: the expected entropy of the first block, conditioned on knowing all the other blocks, is at most n/p. And this is exactly what our theorem says: the expected entropy of the hard block, given all the other blocks, is less than n over the polynomial p.
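Here is a toy brute-force check of this counting argument; the joint distribution, the number of blocks, and all names are invented purely for illustration.

```python
# For any joint distribution over p blocks, the average over all orderings of
# H(first block | all other blocks) is at most H(all blocks) / p.
from collections import defaultdict
from itertools import permutations
import math, random

rng = random.Random(1)
P_BLOCKS = 3
support = [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]
weights = [rng.random() for _ in support]       # a random toy distribution
total = sum(weights)
prob = {s: w / total for s, w in zip(support, weights)}

def H(indices):
    """Shannon entropy of the marginal on the given block indices."""
    marg = defaultdict(float)
    for s, pr in prob.items():
        marg[tuple(s[i] for i in indices)] += pr
    return -sum(pr * math.log2(pr) for pr in marg.values() if pr > 0)

def cond_H(a, b):
    return H(a + b) - H(b)   # chain rule: H(A|B) = H(A,B) - H(B)

avg = sum(cond_H([pi[0]], list(pi[1:]))
          for pi in permutations(range(P_BLOCKS))) / math.factorial(P_BLOCKS)
print(avg, "<=", H(list(range(P_BLOCKS))) / P_BLOCKS)   # the bound always holds
```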
The high-level intuition of this proof is that since g has to divide the randomness of x between many calls to f, and it does not know which of them will be hard, it is very likely that the hard values have little entropy conditioned on the easy values. Now, this is of course just a statement in expectation, so we still need some averaging argument to say that the adversary can indeed invert g with high probability, but this is the main observation that eventually yields it. Okay, so this is it. Thank you for watching! Bye!