Thanks for the introduction. This is joint work with Balthazar Bauer, who is here in the audience, and Sogol Mazaheri. My name is not Sogol; my name is Pooya, and I will tell you at the end why my name is not Sogol. Okay, so I want to start with an inspirational quote from James Comey, which says that it makes more sense to address any security risks by developing intercept solutions during the design phase, rather than resorting to a patchwork solution when law enforcement comes knocking after the fact. So with that quote in mind, I want to look at the security of hash functions and try to see if we can say anything, as theoretical cryptographers or as practitioners. I guess that you already know about hash functions by now; if you didn't know before the last three days, you know now what hash functions are. A hash function takes a long and arbitrary text like this one here and outputs a short, random-looking string over here, and hash functions are used everywhere: as one-way functions, key derivation functions, MACs, etc. However, sometimes the provable security techniques that we have fall short of being powerful enough to provide proofs in the standard model, and one response to this has been the introduction of the random oracle model, where we assume that the hash function we have behaves like a truly random function. That is, whatever input you put in here, you get a totally independent and random-looking output. This methodology has been very successful and it has been applied to many protocols out there: RSA-OAEP, FDH, and as far as I know still parts of TLS 1.3 use random oracles. If you don't believe that, come and tell me. And other protocols out there, symmetric protocols, etc.
So what we want to do in this paper is basically to apply this random oracle methodology to analyze the security of hash functions in a setting where they might have some weaknesses or backdoors built into them. So we introduce a new security model called backdoored random oracles, or BROs, where we have a big brother who has designed a good-looking hash function which behaves randomly on various inputs. However, for his own interest, the big brother might have a backdoor oracle which takes any arbitrary function f, a leakage function f, and outputs a function of the function table of the random oracle. So it's important to understand what the input and output of this oracle are: you put in any function f, and you get out that function applied to the truth table of the random oracle. We call this the backdoor oracle. In our model we assume that the adversary has adaptive and unrestricted access to the backdoor oracle, i.e. the set of functions that the adversary can choose can be arbitrary. Of course, you can restrict the model and look at the restrictions as well. So, just to get some feeling for this backdoor oracle, let's look at some examples of what we can do with it. For example, we can compute collisions using the backdoor oracle: I can just put in a function which searches through the table of the random oracle and then outputs two colliding inputs for me. If the random oracle is compressing, there will be collisions and the function will compute one. I can also do inversions. Suppose I have a point y that I want to invert; I will just hard-code it into my function f, and then the function f will look through the table of the random oracle and try to compute a preimage for that y. And I can do, for example, structured inversions: say I want to find preimages which start with a bunch of zeros. I can also do that.
And being pessimistic and conservative cryptographers, we actually allow every function in a certain function class, in our setting arbitrary functions, to be queried to the backdoor oracle here and get f of H. So that is the setting: a very powerful oracle. And of course, if you think about it for a minute, you will realize that no security is actually possible in this model if you're given one oracle, because whatever construction I have with oracle access to H, I can just query the backdoor on a function which searches for a preimage of this construction. So no security is possible. However, suppose that I have two big brothers who have designed two independent hash functions H and G, which behave independently, but who also have access to their respective backdoor oracles. The question then is whether we can combine these two hash functions in a way that bootstraps some sort of cryptographic hardness while the adversary gets access to both of these backdoor oracles. Okay. So, just to mention it once more, these backdoor oracles model the fact that there could be a trapdoor in the hash function and you can, for example, invert or search for collisions; the adversary can talk to these oracles and is trying to break the combined hash function. Now, there are a number of ways to combine hash functions out there. For example, we have the concatenation combiner, which takes an input x and outputs the concatenation of H of x and G of x. We have the XOR combiner, which outputs the XOR of H of x and G of x, if they are of the same length. You also have the cascade: you just sequentially compose the hash functions. So let's focus on one of these, the concatenation combiner. The question is whether this concatenation combiner is, for example, one-way, or pseudorandom, or collision resistant in the presence of these two backdoor oracles.
So could it be the case that no adversary, by cleverly choosing functions to send to this oracle here and to this oracle here, can somehow combine the outputs and invert the outputs of the combined hash function? Actually, the answer turns out to be yes, and for that we need techniques from an area in complexity theory called communication complexity, which is a beautiful area that I did not know much about before, so I recommend everybody to look at it. So what is communication complexity? In communication complexity we have two parties, Alice and Bob, and they want to compute some function of a and b. Privacy is not a concern here; they simply want to compute a function f. The communication complexity of the protocol is the number of bits exchanged between Alice and Bob. Of particular interest to us is the communication complexity of two problems, set disjointness and set intersection. In the set intersection problem the task is to find an x in the intersection of the two sets A and B, and in the set disjointness problem, which is a widely studied problem in communication complexity, the task is to decide whether this intersection is empty or not. Okay, so this problem was studied in the 80s by Babai, Frankl and Simon. They showed that for independent random sets A and B, subsets of size 2 to the n over 2 of a universe of size 2 to the n, and protocols with 99 percent correctness, the communication complexity of the set disjointness problem is something like the square root of 2 to the n over 2. They need to exchange that many bits. What this basically means is that you essentially have to communicate the whole sets across, and this is tight up to logarithmic factors.
But this is a very nice result; it actually has a combinatorial proof, which is kind of tricky and hard to understand, and it also restricts the size of A and B to be exactly 2 to the n over 2. So this result was taken up in communication complexity and then extended using information-theoretic methods, and simplified versions of these methods appear in two sets of lecture notes, by Moshkovitz and Barak from 2012 and by Guruswami and Cheraghchi from 2013, which instead of looking at sets of size exactly 2 to the n over 2 look at Bernoulli sets, which are of expected size 2 to the n over 2, and they prove a similar lower bound for those. This proof is much more intuitive; the other proof is quite combinatorial, whereas this proof uses information-theoretic methods and is kind of easier to understand. Easier, I mean, sometimes. So the first result of our paper is that we extend this result: we show that for independent random sets A and B in a universe of size 2 to the n, of expected sizes 2 to the n times (1 minus alpha) and 2 to the n times (1 minus beta), the communication complexity of the set intersection problem is at least this, for alpha and beta in this feasible region here. So for example if you put alpha equal to one half and beta equal to one half, this is 2 to the n over 2 and 2 to the n over 2, and you get half plus half plus half minus 1, which is a half, so it's Omega of 2 to the n over 2, so it kind of matches that. This is for intersection here. So let me just draw that: the half-half point is this result here, and what we show in the paper is that we extend the hardness of set disjointness to this line over here, and set intersection to all of this region here. It remains an open problem whether this feasible region extends all the way to the origin. Okay, so how do we use this hardness result from communication complexity in cryptography? What's the link between
these two areas? So let's try to prove one-wayness for the concatenation combiner. The first theorem says that inverting a random value u‖v under the concatenation combiner H‖G in the two-BRO model is as hard as the set intersection problem; that is, if you have a protocol for inverting, then you get a protocol for set intersection. Let's intuitively see why this is the case. We have u and v and we want to invert this, to find a preimage for it. Let's call the set of preimages of u A, and the set of preimages of v B, so the sets look like this. If I have any preimage x for the value u concatenated with v, it had better be in the set of preimages of u, because it has to map to u under H; it's a preimage of u, so it has to map there. Similarly, it needs to be in the set of preimages of v, because it has to map to v under G. Which basically means that it needs to be in this intersection. So that is the link between cryptographic hardness and hardness in communication complexity. Okay, so just to summarize: the one-wayness insecurity of the concatenation combiner reduces to the set intersection problem. You might ask, what about pseudorandomness? Actually, deciding whether a random value u‖v has a preimage or not, which is a problem quite close to pseudorandomness, is as hard as the set disjointness problem, because you are kind of deciding whether something is in the image of the PRG or not. This is quite natural, because the search problem goes to a search problem in communication complexity and the decision problem goes to a decision problem in communication complexity. What about collision resistance, this important property, what does that reduce to? It actually turns out that the natural problem underlying collision resistance is the problem of finding, among many sets, two sets and two elements in their intersection. Picture-wise, it looks like
this: Alice holds many sets here, Bob also holds many sets here, and their task is to find two elements in the intersection of two of these given sets. This gives rise to a natural problem in communication complexity that, as far as I know, has not been studied, so it would be interesting to derive lower bounds for this multi-instance version of the set intersection problem in communication complexity. Okay, so what about the other combiners? We basically resolve the one-wayness of the concatenation combiner down to set intersection and PRG security down to set disjointness; collision resistance goes to an open problem. One-wayness of the XOR combiner also goes down to the set intersection problem and PRG security also goes down to set disjointness; however, the concrete parameters that we have for set disjointness are not strong enough to be plugged into the theorems that we have to actually derive concrete bounds for the construction. So there is a reduction, it goes down to set disjointness, but the actual bounds need to be improved a bit, and the same here. That is why this score here is slightly lighter than the others: the problem here is completely open, whereas here it's a matter of improving the parameters. Okay, so let me end. I'm way ahead of time, but that's fine. Let me end with some open problems. There are quite a number of open problems. One of them is to find a lower bound for this collision problem, the multi-instance version of the set intersection problem. The other, which is quite important from a cryptographic perspective because it will give rise to better concrete security, is to extend the range of parameters for which set intersection and set disjointness are hard, both in terms of the sizes of the sets and also the protocol error; we had 99 percent, and we want to extend that to any protocol error. And also combiners for other primitives, for example combiners for permutations or
encryption, etc. Okay, that concludes my talk, and I want to say that these slides were prepared by Sogol, with whom we worked for quite a number of months on this project. Finally it was accepted to Crypto, and she was very excited to come here and talk to people about the project and the follow-up works. However, due to the visa regulations, and the new regulations that are affecting dual citizens of Iran and other countries, she could not come here; in fact, the visa did not come in time. I want to ask you all to reflect on this problem and see what we can do to prevent marginalizing certain sections of the community from coming here and participating in research. Thank you.
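The two model features the talk walks through, the backdoor oracle that applies an arbitrary leakage function to a random oracle's table (and so breaks any single-BRO construction), and the observation that a preimage of u‖v under the concatenation combiner H‖G is exactly an element of the intersection of H's preimage set of u with G's preimage set of v, as an added Python illustration that is not part of the transcript or of the paper's own material. It uses constructed toy parameters (12-bit inputs, 6-bit outputs per function, fixed seeds) so that the truth tables can be held explicitly, and a deliberately naive Alice/Bob protocol that just ships Alice's whole set; the function and variable names are this example's own.

```python
"""Toy model of backdoored random oracles (BROs) and the H||G combiner.

Constructed illustration with tiny parameters, not the paper's code.  Each
random oracle is an explicit truth table, so the backdoor oracle
BD_H(f) = f(table of H) is literally a function applied to the table.
"""
import random
from typing import Callable, List, Optional, Set, Tuple


def random_function(n_bits: int, m_bits: int, seed: int) -> List[int]:
    """Truth table of a uniformly random function {0,1}^n -> {0,1}^m."""
    rng = random.Random(seed)
    return [rng.randrange(1 << m_bits) for _ in range(1 << n_bits)]


def backdoor(table: List[int], f: Callable[[List[int]], object]) -> object:
    """The backdoor oracle: the adversary picks any leakage function f and
    receives f applied to the entire function table (unrestricted access)."""
    return f(table)


# --- one BRO alone: the backdoor breaks every construction built on it -----

def preimages(table: List[int], y: int) -> Set[int]:
    """Leakage query returning the full preimage set H^{-1}(y)."""
    return backdoor(table, lambda T: {x for x, t in enumerate(T) if t == y})


def find_collision(table: List[int]) -> Optional[Tuple[int, int]]:
    """Leakage query returning a colliding pair (exists whenever the
    function compresses, by pigeonhole)."""
    def f(T):
        seen = {}
        for x, t in enumerate(T):
            if t in seen:
                return (seen[t], x)
            seen[t] = x
        return None
    return backdoor(table, f)


def invert_construction(table: List[int],
                        construct: Callable[[List[int], int], int],
                        y: int) -> Optional[int]:
    """Any construction C with oracle access to H is a function of H's table,
    so a single leakage query can search for a preimage of C(x) = y."""
    return backdoor(table, lambda T: next(
        (x for x in range(len(T)) if construct(T, x) == y), None))


# --- two independent BROs and the concatenation combiner H||G --------------

def combiner(h: List[int], g: List[int], m_bits: int, x: int) -> int:
    """H||G on x, encoded as the integer H(x) * 2^m + G(x)."""
    return (h[x] << m_bits) | g[x]


def invert_combiner_naive(h: List[int], g: List[int], m_bits: int,
                          target: int) -> Tuple[Set[int], int]:
    """Alice holds H and BD_H, Bob holds G and BD_G.  Each learns the
    preimage set of their half locally; Alice then sends her whole set A to
    Bob, who intersects it with his B.  Returns (A ∩ B, bits communicated)."""
    u, v = target >> m_bits, target & ((1 << m_bits) - 1)
    A = preimages(h, u)                     # Alice, via BD_H
    B = preimages(g, v)                     # Bob, via BD_G
    n_bits = (len(h) - 1).bit_length()
    bits_sent = len(A) * n_bits             # naive protocol: A in full
    return A & B, bits_sent


def brute_force_preimages(h: List[int], g: List[int], m_bits: int,
                          target: int) -> Set[int]:
    """Ground truth: every x with H(x)||G(x) == target."""
    return {x for x in range(len(h)) if combiner(h, g, m_bits, x) == target}


if __name__ == "__main__":
    N, M = 12, 6                            # toy sizes: 4096 inputs, 64 outputs
    h, g = random_function(N, M, 1), random_function(N, M, 2)
    x0 = 1234
    # Single BRO: invert C(x) = H(H(x)) with one leakage query.
    C = lambda T, x: T[T[x]]                # 6-bit outputs index the 4096-entry table
    print("preimage of H(H(x0)):", invert_construction(h, C, C(h, x0)))
    print("collision in H:", find_collision(h))
    # Two BROs: preimages of u||v are exactly A ∩ B.
    target = combiner(h, g, M, x0)
    inter, bits = invert_combiner_naive(h, g, M, target)
    print("A ∩ B =", sorted(inter), "| naive protocol sent", bits, "bits")
    print("matches brute force:", inter == brute_force_preimages(h, g, M, target))
```

With m = n/2 each preimage set has expected size about 2^(n/2), so the naive "send A across" protocol costs roughly n·2^(n/2) bits, which is the regime the talk's set-intersection lower bound says cannot be beaten by more than logarithmic factors. The code only exhibits the reduction direction (combiner preimages coincide with A ∩ B, so any inverter yields an intersection protocol); the lower bound itself is the communication-complexity result and is not computed here.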