 Hello, my name is Ben and I would like to tell you about our paper Distributed Merkel's Puzzles, which introduces a new Distributed Key Agreement Protocol based on Symmetric Key Primitives, this disjoint work with itidino. We first described the classic Merkel's Puzzles Protocol, in which two players tried to agree on a secret key over an insecure channel. We consider a variant of this protocol based on a random oracle. The protocol offers a quadratic gap in oracle queries between the honest players and the adversary, which is trying to recover their secret key. This quadratic gap was shown to be optimal in a paper by Barak and Mahmoudi. Given access to the random oracle h, Alice first selects a set of square root of n random inputs and computes the set's image and sends it to Bob. Bob then selects a set of his own and computes its image. By an argument similar to the birthday paradox, the sets of Alice and Bob intersect, thus meaning also the image sets intersect. Bob sends an image in the intersection of the image sets to Alice. Both players know a pre-image of this image and set it as their secret key. With high probability, this pre-image is the same for Alice and Bob. Now an adversary that wants to recover the secret key of Alice and Bob has to invert this image, and to do so he must make omega of n queries to the random oracle. In our paper, we investigated a distributed key agreement model in which there are m honest players that form a fully connected network and there are no pre-existing secured links between the players. The goal of such protocol is to allow all pairs of players to agree on a secret key. The goal of the adversary is to recover some key of an arbitrary pair of players. Our model also uses a random oracle which is accessible by all parties. In terms of complexity, for the players we consider the query and communication complexity, and for the adversary we consider the query complexity only. This model was not studied before and we think it is of interest because it is a natural generalization of the classic merkel's puzzles and it also may introduce techniques useful in other models. A naive implementation of such distributed protocol would be that all pairs of players perform the standard merkel's puzzles independently and agree between them on secret keys. This protocol is wasteful because each player makes m times square root of n queries to the random oracle where the adversary still needs only omega of n queries to recover a key. We can improve upon the naive protocol by having each player create a constant number of secure links in a way that creates a connected graph. We call such graph a connected secure graph. Now, each pair of players that wants to share a secret key can do so by encrypting the key and sending it over a secure path. In this example, if player j wants to share a secret key with player i, it can encrypt the key and send it to l which then encrypts it with its shared key with i and sends it to player i. In this basic protocol, each player makes square root of n queries to the random oracle and then the adversary that wants to recover a key still makes an omega of n queries to the random oracle. By using domain separation, we can make recovering all the keys harder for the adversary. The gap between the adversary and the honest player stays quadratic and the main question is, is this gap optimal? In our paper, we introduce a new distributed key agreement protocol in which each player makes t queries and communicates t bits while an adversary that wants to recover a key has to make omega of n times t squared queries to the random oracle. This gives us a query complexity gap of n times t between the honest players and the adversary. Throughout our paper and also in this presentation, we are ignoring logarithmic factors. Now the following property of our protocol. For a fixed security level, the pair player complexity is decreased as the number of players grows. Throughout our protocol, we also assume that the number of players is upper bounded by t. We also show that the query complexity gap of n times t is optimal and no better gap can be achieved. Furthermore, we show an extension to our protocol for the semi-honest model in which the adversary controls some of the players that participate in the protocol. In our protocol, instead of fixing secure links, we create arbitrary links. This allows us to exploit the birthday paradox in order to find intersections in a larger domain. Each player makes t queries to the random oracle and setting the domain of the random oracle to n times t squared creates a constant number of secure links per player with high probability. This happens because the t queries of the player intersect the n times t queries of the rest of the players with high probability. Also note that setting the domain size to n times t squared allows better security since it makes inverting an image of the random oracle harder. The main challenge with the previous idea is to detect all intersections with minimal communication. A trivial solution would be that each player broadcasts his set of images to all other players. But this solution acquires omega of n times t bits communicated per player. Another solution would be to set an intermediate player to which all players send their image sets and the intermediate player searches for matches between those image sets. Still, the communication complexity of the intermediate player stays omega of m times t. Our solution is to distribute the role of the matchmaker in a way that the image h of x is sent to player h of x mod m. We can think about this as assigning a range of images to each player. Now we describe the details of our protocol. First, each player queries the random oracle on t random inputs and sends images of the form h of x to player h of x mod m. Then, each player detects matches in the received images and informs pairs of players that have a matching image. In the following example, players p i and p j send the image y to player p l, where l is y mod m. Then, player p l informs the players i and j that they have a matching image, the image y, and l also informs them of the player they have a match with. Now, players p i and p j can agree on the pre-image of y. Note that since all the images are uniform, each player receives only order of t elements with a high probability, and there are only order of m matches communicated overall with a high probability. The previous steps result in omega of m distributed secure links, which with a high probability form a connected graph. Now, an adversary that wants to invert a specific image has to make omega of m times t squared queries to the random oracle. This is an improvement over the basic protocol in which the adversary needs only t squared queries to the random oracle. But still, there is a problem. The adversary can invert one of the secure links with a high probability using only n over m queries, meaning that the query complexity graph is still quadratic. The question is, how can we make inverting an arbitrary image as hard as inventing a specific image? We call the previous protocol the setup protocol, and now we run the setup protocol l times independently using domain separation of the random oracle in order to obtain l secure link graphs. Now, in order to distribute pairwise keys, a player j that wants to communicate with a player i picks a key and computes an l out of l secret sharing of that key, and then sends each share on a secure path on a different graph, like so. Now, an adversary that wants to recover the key has to invert a link in all of the l paths. This method is similar to the multi-path reinforcement protocol introduced in a paper by Chan Perry Getzong. Finally, as mentioned, to recover a key, the adversary must recover a key on each of the l paths used. The success probability of the adversary grows with the path's length, but decays exponentially in the number of times the setup protocol ran. Fortunately, each graph achieved by the setup protocol has order of log m diameter with high probability. This property is similar to the GNP random graph model, where each edge appears with a probability p, but in our case the edges are dependent. In the paper, we prove this diameter bound by using properties of extended graphs that exist in our graph. Setting l log n creates a small query and communication overhead for the players, but the adversary now needs omega of m times t squared queries to the random oracle in order to recover any key, be it arbitrary key or a specific key. Now, after the amplification, we have achieved the n times t gap in query complexity between the adversary and the honest parties. A question arises, can one design a distributed protocol which achieves a greater query complexity gap? The answer is no. We show that the gap of n times t is optimal. To do that, for any key agreement protocol pi, where every player makes at most t queries, we show an adversary that can recover a key grid in pi using order of n times t squared queries to the random oracle. We transform pi into a two-player protocol and then we use the adversary introduced in the paper by Barack and Mahmoudi. Given a distributed protocol pi and the two-player protocol pi tag, we have player 1 simulate one of the players from the distributed protocol, we call it P1, and player 2 simulates the rest of the players from pi. The key between player 1 and player 2 is set to some key between P1 and the rest of the players in pi. The two-player protocol adversary can recover a key in pi tag using order of m times t squared queries to the random oracle. The key between player 1 and player 2 is one of the keys of P1 in pi. Thus, there exists an adversary that recovers one key in any distributed protocol using order of n times t squared queries to the random oracle, thus meaning the gap of m times t in query complexity between the adversary and the players is optimal. Now, we consider an extension to our protocol for dealing with a semi-honest participant model. In this model, some fraction of the players are controlled by an adversary, those players execute the protocol honestly but they attempt to recover pairwise keys. The main concern with such players that they have access to the key shares sent in the amplification phase. In the following example, we can see key shares sent on multiple paths where some of the paths include an adversary player in them. Key shares sent in such paths are known to the adversary just like the key shares are one and are two in this example. For the key, for the secret key to remain secret, one of the paths must stay clear of adversaries, must be clear of adversaries, like the path here of the last key share. Our protocol can be easily extended to deal with a semi-honest participant model where a fraction of 1 over log m of the players are semi-honest players, semi-honest players. This extension costs only a constant overhead in more setup protocol execution. In brief, we have described a distributed key agreement protocol in which participants make t queries to a random oracle and communicate order of t bits, while an adversary must make omega of m times t squared queries to the random oracle in order to invert the key. We have also shown that where a complexity gap of t times m between the honest players and the adversary is optimal, there are several open problems that can be further investigated. For example, handling more adversarial players or extending the security model for such model that the adversary's goal is to recover more than one key. That's all. Thank you very much for your attention.