 Hey everyone. I am Ghadal Mashaqba from the University of Connecticut. In this talk, I will present our work on unclonable polymers and their cryptographic applications. This is a joint work with Ran Kaneki, Yeniv Erlach, Jenthanger Shani, Tal Malkin, Itzik Pierre, Anna Reutbert-Bermann, and Iran Traumer. Imagine we have memory devices that are unclonable and they self-destruct after retrieving the stored data. Also, if this memory stores several messages, only a few of them can be retrieved after which the device will be fully distracted. So you cannot retrieve all the messages that you see in the photo. Such bounded query memory devices can be used in many applications. Among them, we have bounded execution software known as one or K-time programs. These are programs that can be run over only a few inputs, which is impossible to do using software alone. Even in the quantum model, it was shown that without these special memory devices, it is impossible to build bounded execution quantum programs. This idea was first put forward by Goldwasser, Keli, and Rothblum, who assumed the existence of simple one-time memory devices, which imitate the functionality of non-interactive oblivious transfer tokens, which they used to build one-time programs from garbage circuits. That was an assumption without any real-world realization. The only way we know to construct these devices relies on tamper-proving a whole computation, while assuming that these sophisticated hardware tokens resist side-channel attacks and reverse engineering. So we wondered if we can build these memory devices based on minimal and better understood hardness assumptions. To achieve this goal, we joined forces with top-notch and brave biologists to find an alternative technology to build unclonable and self-destructive memory devices. We do that in a rigorous way, laying down foundational modeling and analysis of the capabilities and security guarantees that we are able to achieve. We also introduced novel amplification techniques, so we can use the weak and simple memory devices we build in provably secure cryptographic applications. Our request was inspired by recent advances in biochemistry and engineering that allowed storing digital data in the form of DNA. So a digital message can be encoded into a set of nucleotides that is synthesized into DNA material. By the way, don't worry about the biology details here, just focus on the big picture that DNA can represent digital data, and given a DNA sample, we can retrieve the original message or the digital data from that sample. However, DNA evolved to be clonable. So a sample of DNA can be replicated as many times as you want, meaning that you can read the stored data as many times as you want. This led us to consider another biological polymer. Proteins also can be used to store digital data. So in this case, the digital message will be encoded into a sequence of amino acids, which are the basic building blocks of proteins. And then this sequence is synthesized into protein material. And here, the magic has started. First of all, proteins are unclonable. The central dogma of molecular biology states that once information has got into a protein, it can't get out again. So given a protein sample, we cannot replicate it or get the genetic information out of it. This challenge is still standing for 65 years and even for billions of years of evolution. To us cryptographers, this is a biochemical one-way function, and we know what to do with hardness assumptions. We turn hard lemons into lemonade. Another amazing feature is that sequencing a protein to retrieve the digital message is destructive. So you cannot get the protein sample back after feeding it to the mass pick instrument or machine that is designed to read proteins. Also, this machinery provides an output only if the protein is pure enough. So if you feed a mix of random proteins, or if you feed this machine with a mix of random proteins, it will output nothing. Based on these observations, we propose another construction for consumable storage tokens. At a high level, as before, we take a digital message and transform it into a protein. Then we connect the target protein with another short protein sequence called header, such that this header can be recognized by matching antibodies. So knowing the header description, which can be digital information, by the way, allows identifying the matching antibodies. This header to us represents the secret key tied to our secret message. After that, we mix the target protein or the protein that represents our secret message with a massive set of random decoy proteins that are attached to different random keys. So the vial containing the mix, where here in the photo, our co-author Anna is holding one, is the consumable token. Now, to retrieve the message, again, remember, if you just give the mix to the mass spec machine, it will not be able to identify the secret protein or the secret message. This sample must be purified first. To do that, we apply the matching antibodies, the ones that match the secret header to the vial, to pull down the target protein with high enough purity. Then we cleave the header and then use the mass spec machinery to read the amino acid sequence of this target protein, which will be decoded into the digital message. After months and months of designing the token, we spend more months distilling the model that best represents biology. Our goal was to require the minimum on the biology side to produce the simplest possible construction. In particular, our consumable token can store only a small number of short messages using short keys. So here we need amplification techniques in order to deal with that. Also, the only meaningful interaction with the consumable token is by applying antibodies. So present a key, either you get the message tied to that key if the key is correct, or you will get nothing. Also, each retrieval attempt will consume part of the vial. Even when you are applying the matching antibodies, these antibodies will pull down the target protein with high amount. Also, it will pull down or consume parts of the other proteins in the mix. So there will be a degradation for the whole mix. In our construction, we designed the token in a way that under that non-technology that is available now, an honest party will be able to perform one data retrieval query. So it can apply one key and get the corresponding message if that key is valid. But to account for more powerful adversaries, maybe I don't know, some adversaries out there may have more advanced machines that allow them to use the sample to perform multiple data retrieval queries. We say that, okay, this consumable token and honest can perform one data retrieval query, while an adversary can perform up to n data retrieval queries, where n is a small integer. Also, our consumable token has non-negligible soundness error gamma. So applying an incorrect key that is close enough to one or to the correct key may retrieve or may return the secret message with probability gamma at maximum. Also, we extended our construction to build what we call partially retrievable memory. So a consumable token can store a vector of the messages using v keys. And even knowing the set of keys, the v keys, an adversary can retrieve only up to n messages out of the v messages stored in the token. After that, we put our cryptography toolbox on the table and asked two questions. How to amplify this weak device that supports constant size storage to obtain powerful functionalities that can deal with arbitrary size data? And how to do that in a rigorous, provably secure way? This took us a long journey. Our first step was building a mathematical model for the biological construction. This produced what we call the vector model in which a vial or a consumable token is represented as a vector of protein amounts. We also modeled each of the biochemical procedures performed in the wet lab as an algorithm operating on this vector. Then we defined an ideal functionality for consumable tokens with clean interfaces and formally showed how it is realized by the vector-based construction. Then we developed several algorithmic and cryptographic techniques to amplify the weak properties of the token and showed how to use these tokens in various cryptographic applications. In this paper, we show two of these applications, namely digital lockers and one-in-time programs. In the interest of time, I will discuss these applications briefly. A digital locker is simply encrypting a secret message using a low entropy key or a human generated password such that we build digital lockers that resist exhaustive search attacks. An adversary can try to decrypt the messages only up to in time, so he can try only up to in password guesses. Using our token, we were able to construct lockers that are resistant to exhaustive search attacks. This application required additional techniques to amplify the soundness error to be negligible. These techniques relied on sharing the message into U-shares and store each share in a separate token. Now instead of sending one consumable token that stores the encrypted or the secret message M, now we are sending U tokens. Also we had or we changed these tokens together to enforce sequential operation. The latter is needed to preserve the number of password guesses to be N despite sending multiple tokens, all of them tied to the same password. The second application, one in time programs, here we have a secret program or one that contains some secret data. Ascender sends that program to the recipient such that an honest recipient will be able to execute the program over only one input while a more powerful adversary can execute it over in inputs. As you might realize, this is a modified version of one time programs introduced by GKR, but it is one that is based on real-world weak memory devices rather than just a strong assumption. The core idea of our program or our construction, sorry, is to obfuscate a program containing the intended functionality F such that evaluating F over an input X requires a corresponding secret message M. So the program first will check, okay, do you have the secret message M corresponding to X? If that's true, it will output F of X, otherwise it will output nothing. And what we do is that we store the messages corresponding to the domain of F in a consumable token. And remember, because now actually this depends on having a consumable token containing or storing several secret messages that again correspond to the domain of the function. And now the adversary can only retrieve up to N secret messages from the consumable token. And so it can run this program only up to or over only up to N different inputs. We faced a problem here, which is related to the weak properties of the consumable token. A consumable token can store only a small number of messages denoted as Q here, which means that we cannot deal with functions that have domains or domain size larger than Q. In order to deal with functions with exponential domain size, we use linear error-correcting codes. So instead of sending one token, we send omega tokens. And now instead of mapping X itself to a secret message, we first encode X and take the code word, which is of length omega. Each symbol in that code word will tell us which secret message to retrieve from each consumable token. So now in order to execute the program over input X, we need omega secret messages from the omega tokens sent to the recipient. And now the obfuscated program will check that is this the set of correct secret messages corresponding to the code word of the input. If that's the case, it will output f of X, otherwise it will output nothing. And based on that, we can cover a domain size of Q to the power d plus one, where d is the dimension of the linear code. We set the code distance in a way that only invalid code words can be retrieved. So despite sending omega tokens to the adversary and now there is more cancer protein material available with that adversary, still by setting the distance correctly, we can guarantee that it's still the same guarantee. Only in inputs or only encode words can be retrieved and the program can be executed over only up to n inputs. To conclude, this work introduced an innovative real-world construction of unclonable and self-destructive memory devices. This was done along with formal treatment and showing proof of obscure cryptographic applications. For our ongoing and future work, the directions are to fall. On the biology side, we are working on a sister paper showing the detailed biological construction along with empirical results. And on the cryptography side, we are refining our model strengthening them and we are developing more cryptographic applications. Thank you so much for listening and happy to take questions. Thank you.