 All right, so our final talk of the session and actually final talk of the conference is secure non-interactive reduction and spectral analysis of correlations and Varun Nareen will give the talk. Thank you, Zaramaya. Hi everybody. Thank you for sticking around. My name is Varun Nareen and this talk would be dealing with the same model that I presented in the previous talk. So we call it secure non-interactive reductions, not spectral. So let me begin by introducing the main object of interest here. These are correlations. Specifically Alice and Bob would be getting two parts of the correlation. It's a random variables X and Y are distributed according to a correlation C that is distributed over the domain X cross Y. Now throughout this presentation, we would be denoting a correlation by its probability mass matrix, probability distribution matrix. So here the value at the Xth row and Yth column of this matrix will represent the probability with which X is going to be equal to X and Y is going to be equal to Y. We can think of X and Y as numbers. Yeah, so a good example of a correlation is a binary erasure correlation. So here as shown in the figure here Alice would be getting X uniformly at random and Bob will be getting the same X as Y, Y equal to X with probability 1 minus P, but with probability P, Y would be erased. So the probability distribution matrix for the same would be like this. So this column corresponds to the symbol 0, this corresponds to the symbol bot. 1 and so on and so on. Now when P is equal to half, that is all these numbers are 1 by 4, this corresponds to the Rabin Oblivious Transfer Correlation and classical results show that if Alice and Bob have sufficiently many copies of the Rabin OT correlation, they can compute any function with security. So to motivate our problem, let's consider the following situation. Alice and Bob have a binary erasure correlation with them with erasure probability P, but P is not exactly equal to half. And what they would like to do is somehow derive the OT correlation, Rabin OT correlation by going from erasure probability P to erasure probability half. Now they would like to do this without interacting with each other. So Alice wants to locally transform their side of the correlation by running some function, some potentially randomized function A on X to get R and Bob would like to do the same B of Y equal to S and they would like to have R and S correlated according to this erasure probability half correlation. So, of course, they would like to do this securely so that they can use this as a sub protocol in their bigger secure information, secure multi-party computation protocol. So let's see a potential protocol that might even work. So here Alice simply outputs whatever she gets and Bob will take their input and further erase it with a certain probability. Specifically, we can choose this probability to be 2 times 1 minus P below 1. And indeed, if they follow this particular scheme, whenever P is less than half, they indeed get R and S to be correctly correlated. But this is not secure. Why is this not secure? Because in the Rabin OT, whenever Bob receives a bot, they have no idea, they have no guess about what value X could have been. But over here, note that Bob is sometimes getting an actual symbol that's either 0 or 1 and then it is reporting an erasure. So in that specific instance, the security breaks. So let's try another attempt. Here we'll use two copies of the binary erasure slash P and then Alice is going to XOR X1 and X2 and Bob is also going to do the same as long as Y1 and Y2 are valid, not non-erasures. And whenever either one of these are erasures, they output a bot. And here things are secure. Why is this secure? Because if both these messages are non-bot, that belong to 0 and 1, then Alice and Bob are going to output the same value because X1 XOR X2 equal to Y1 XOR Y2. But when either one of these is bot, then Bob has no idea what Alice's output is because it's pretty much masked by the input that is not known to Bob. But something to note here is that interestingly, in the attempt one, we get correctness but not security. But this works for any P that is less than half by appropriately choosing this quantity with the probability with which we further erase. But here we are using two copies and somehow we are only able to move from P is equal to 1 minus 1 by root 2 to P is equal to half. And this is a property that we will see going forward to. So how would we define our model in general? And going back to how I began the talk, the model that we will be dealing with is the same as what Hai had mentioned. We would be focusing on general correlations and we are interested in presenting a linear algebraic way of analyzing this particular model. So secure non-interactive reduction. Alice and Bob get X and Y correlated according to a correlation C. And they want to locally apply a potentially randomized function to their input to derive R and S respectively. And as we noticed, when security is not a concern, we just want R and S to be correlated appropriately according to the distribution, the D that is, the D is the distribution that we want to derive from C. But in terms of secure non-interactive reduction, these functions A and B are said to be an SNIR or secure non-interactive reduction of the target distribution D to the source distribution C. If firstly R and S given here are distributed according to the correlation D and then we have the security conditions. The security conditions are the natural security conditions. Alice's view should not reveal what Bob's output is and Bob's view should not reveal what Alice's output is. But note that here Alice's view is just X that Alice got from the correlation. So it simply translates to, so this is security against Bob or Alice's security guarantee. It says that Bob's view, which is Y, does not reveal anything about Alice's output R, conditioned on his own output. So R should be independent of Y conditioned on S. Similarly, S should be independent of X, which is Alice's view, conditioned on R. So the fundamental question that we ask is when can a correlation D have an SNIR to another correlation C? So in this work, we will be seeing in a linear algebraic tool, which we call the spectral analysis toolkit to analyze statistical SNIR. This is something that we will come into in the next slide itself in some detail. And we will use this toolkit to obtain exact characterization of SNIRs between interesting classes of correlations. And these interesting class of correlations coincide with highest presentation. So why study SNIR? We got motivated to study SNIR coming from a slightly different point of view than high at all did. So correlations are a fundamental tool in information theoretic cryptography, as we noticed with the Rabinoti. We can use correlations to promote or facilitate secure computation. Now SNIR is in the sense the most basic cryptographic question that we can ask about correlations. Can we securely derive a correlation from another? Furthermore, we can think of SNIR as a non-interactive variant of general secure computation. And we know that lower bound for secure computation is a deep complexity theoretic question, which has connections to circuit complexity and PIR complexity and so on. So in that sense, this is an easier question that we do not know the answer for. Furthermore, if we think of a secure computation between correlations as in take a correlation and obtain another correlation, in that case, an interactive protocol itself splits into two phases. There's an initial interaction phase in which Alice and Bob exchange messages with each other. And in this phase, there is no necessity for a security. And then in the final phase, where Alice and Bob have this correlated view that they have developed over this communication. From that, they want to obtain the correlation that they are interested in. So this is in a sense a local derivation, a secure non-interactive reduction from the output that you want back to the view that you have generated so far. So in short, secure computation with interaction has security concentrated only in the SNIR phase of the specific protocol. Furthermore, there is an entire area of non-interactive correlation simulation, which is the same problem as that we discussed without the security constraint. And this is studied rather extensively in theoretical computer science and in information theory. And this is the natural secure variant of this particular notion. And there are recent series of works on pseudo-random correlation generation, where Alice and Bob would take a pair of small correlated seeds, and they will expand it to a larger correlation securely. But the security is computational, of course, in that setting. And this can be thought of as the information theory variant of the same. So what are our results? So we asked the question, when can we do statistical SNIR from a target distribution D to a source distribution C? And we say that a protocol A, B is a statistical SNIR under certain conditions. So let me back off a little bit. So what is statistical SNIR? So our results would be presented as necessary conditions for the weakest notion of SNIR that we could formulate. So the weakest notion is we just want one copy of the target distribution D to be obtained using arbitrarily many copies of the source distribution C. But with the error in the secure reduction driven to zero with more and more potentially more and more copies of C. So in this setting, we show that it's sufficient to look at correlations without any redundant symbols. So two symbols on Alice's side in the correlation is said to be redundant. If conditioned on both these symbols, the output at Bob looks the same. So it's easy to argue that we can merge or split redundant symbols in pre and post processing without any concerns about security. So we can essentially settle for looking at only correlations without redundant symbols. Further, an important observation that Hi also makes is that an SNIR protocol involves only deterministic functions. Both A and B in this instance can be thought of essentially as deterministic functions. Then our main necessary condition says that the so-called spectrum of a correlation D has to be contained inside the spectrum of the correlation C. Now we will see this notion of spectrum, which is like the name of the title of the talk. So this is about spectral analysis of this particular model. So and in the spectral analysis, we'll say that if we take this, if we look at this protocol in the spectral domain, then this turn out to be symmetric in the sense that both Alice and Bob are essentially doing the same operation in some sense. Finally, common information that is present in the source correlation does not really help in, you know, SNIR. So common information is something that Alice and Bob can agree on with probability one by looking at just the correlation. And as intuition suggests, you can't get any security from these kind of information that is present at both places. So as an application of our toolkit, we get exact characterization for the statistical SNIR for interesting classes of correlations. And as we saw, in high stock, the previous paper presented does a more fine grained analysis for special classes of correlations, the same, pretty much the same things that we are looking at. And for that, they get results for the rates as well as feasibility. Okay, so to formally define, so am I running low on time? A couple more minutes. Okay. Okay, so the security and correctness of SNIR is defined in the formal way that is, you know, the usual way that you define security in the UC setting. And here there is no difference between the semi honest and malicious because nobody is talking in the protocol. And the first observation that we make is that we can move from status, a definition in terms of simulation and correctness, we can move to a an equivalent set of conditions that is described entirely in linear algebraic constraints. So we can say that corresponding to the protocols A and B, there are stochastic matrices A and B. And with respect to the matrices for correlation, correlation matrices C and D, we have correctness written as a particular matrix product being close to the desired correlation. And the security at Alice would correspond to having a simulator U, which a simulator sims of A which corresponds to a stochastic matrix U and we get another matrix multiplication constraint and so on. So our analysis begins with this linear algebra characterization. So these matrices are nothing surprising. So for example, the matrix A corresponding to Alice's, you know, function A is just the matrix with Xth row and Rth columns value being the probability with which R is output condition on X as input by this function A. So the first observation that we make is that SNIR is essentially deterministic. Yeah, we've given a SNIR with an epsilon error, we can always move to another SNIR with a slightly larger error in which both the functions used are deterministic functions. Now, so yeah. So let's look at what we can get with this kind of observation. So going back here, once we show that A and B are deterministic, we can also show that the simulators have a very simple and direct representation in terms of the protocol itself whenever this is secure. So now using these facts that A and B are deterministic and that the simulators are completely determined by the protocols themselves in a very direct way, we can show that this quantity that is A transpose, C C transpose is equal to D D transpose into A transpose. It's a linear algebraic inequality. And then by simply observing that you can do some simple manipulations, we can show that if D transpose D has an eigenvalue, then that eigenvalue should also be present in C transpose C. And this is exactly the spectral condition that we were talking about specifically for these kind of simple matrices, that is simple correlations. So for the simple correlations, the spectral containment exactly means that the eigenvalues of D transpose D is a subset of the eigenvalues of C transpose C. So this already can be used rather directly to show that simple correlations like BSE and BEC have SNIR amongst itself, that is SNIR from a BSEQ to a BSEP for example, can only occur when P and Q are related in this very special sense that for example over here 1 minus 2P is equal to 1 minus 2Q for a certain fixed value of Q. And the constructions here turn out to be rather simple and straightforward. Now, so the observation that we made is for very specific and structured correlations in which the marginals are uniform and the correlations itself have like the same domain size on both Alice and Bob's side. But when we want to generalize it to arbitrary correlations, the object that turns out to be of interest is not exactly the correlation matrix but the so-called correlation operator matrix. So it is the correlation operator matrix itself can be computed as the correlation matrix pre and post multiplied by the diagonal matrix corresponding to the marginal of the correlation on Alice and Bob's side. And the interesting thing about the correlation operator is that when we take the SVD of this operator, it shows a lot of properties that have been found to be meaningful in previous analysis of the correlations. So I hope that everybody knows singular value decomposition. It is essentially talking about how much the matrix expands any vector along the different directions. So in the general sitting for an arbitrary correlation, the spectrum of the correlation turns out to be exactly the singular values of this correlation operator. And that is specifically the non-zero singular values of this correlation operator. And yeah, just to give an idea about what we mean by correlation operator, so when we look at the spectrum of this correlation operator, we will see that they fall in this interval between 0 and 1. And the second largest value of this is the maximal correlation. In fact, the correlation, the spectrum of a correlation is closely related to the, so several spectral graph theoretic quantities related to the bipartite graph representing the correlation. Yeah, so and another nice property of the spectrum of a correlation is that if I take like n copies of this correlation, the spectrum of that would be just an n-wise product of this. And we, our analysis is mostly based on first going from the linear algebraic constraints that we had for SNIR to a spectral domain. And over there realizing a lot of structures and showing that because of the structure, we can show an inclusion of the spectrum of D in that of C and showing that the protocols for A and protocols for B in the spectral domain, they have a mirroring property. And very interestingly, with some painstaking analysis, you can show that these properties are robust to errors in the sense that when we go for epsilon error in the SNIR, these properties only vary in a more in a natural way or only fluctuate in the most natural way. So yeah, so the kind of results that we get for this exact correlations coincide with that in high result. So other results, we also show the, we also show impossibility for more larger correlations like OLE and OT and so on. And we can also show that SNIR cannot be done using only a single type of correlation. For example, we cannot use a single type of correlation to get all sorts of correlations in this model. Yeah, finally, we show that common information is not useful in this model. So to conclude, we used spectral analysis to reveal a lot of structure in SNIR and we characterize SNIR for a lot of natural correlations. And an interesting question that is left open is the question of decidability. That is, can I get a correlation from another correlation in this model? And we settle this question in an upcoming follow-up work. And the main open questions of interest are one of them is rate in which the previous paper made some interesting advance and the decidability when you allow, let's say, one directional communication. That's all. Thank you. All right, thanks. Are there any questions? If you have a question, please come to the microphone. Okay, it's working. That's great. Very elegant. Love this talk. Love this result. I have a general question about the reductions, basically. And most of what you have analyzed looks at primarily independence among results, like A's result is essentially independent of B conditioned on B's outputs. Yeah, this is the security notion. That's important. Yeah. And that actually has a lot of relevance when you look at, say, quantum protocols and even in privacy amplification kind of results and when you relate them to a simulatability and or UC proofs. And the aspect of that that I wanted to ask you about is that it is possible in some of these cases for Alice to have something that is independent of Bob's result, but still somehow bound by Bob's result. So there are committal aspects of this as well. So these are concerns in the quantum realm because of entanglements and so on. For example, in the quantum, that's a very good concrete example. It does, in fact, happen in classical as well. We were curious about exactly how this particular tool goes through in more general models, but we didn't quite make enough connections about what this this particular spectral operator or the correlation operator is with respect to other domains. But yeah, this is an interesting direction. Okay, thanks. And the half of it, that was just a motivational thing, but the half of it, that's that I wanted to ask, which I think you're answering is that the binding nature of the outputs where Alice's output is bound by Bob's but still independent information theoretically of it isn't something that you really covered so far. Okay. And it's maybe open in this. Thanks. Thank you. All right. So we have a message from our program chair to close out the conference, but let's give a round of applause for all the speakers of the session. Can you hear me? So this was the last talk of the session and the last talk of the conference. I wanted to thank you again for coming and again thank all the authors of the papers and see you in a year in Lyon. Thank you.