 Hello everyone. I'll present my joint work with Hujalin, Fang Song, and Vinod Vaikunthanathan, where we show that oblivious transfer is in mini-QGRIPT. So the main object of our result is implementing the OT functionality. So here we have two parties, a sender and a receiver. And the sender sends a message to message M0 and M1 to the ideal functionality, while the receiver receives a bit B. And the ideal functionality just repasses the message MB to the receiver. So notice that the sender didn't learn which bit B was learned, like MB was learned by the receiver, and the receiver didn't learn the second bit, like the second message chosen by the sender. And you might already know that OT is a fundamental cryptographic primitive, so in particular it implies multi-party computation. So let me talk a bit about protocols for OT. So it is well known that with only classical resources, OT can be built from public encryption, but we have no good results to build OT from 1A functions. So in particular, they proved that OT cannot be built from 1A functions in a black box way. In the quantum setting, Kripo and Kilian and later BBCS, they proposed a protocol where OT could be built from commitment schemes. So they didn't formally prove that, but this would imply that OT could be built from 1A functions, because vanilla commitment schemes can be built from 1A functions. But later, on several results that actually prove the regular security of CKE and BBCS, they showed that for implementing this commitment scheme, we need to actually improve the security of OT, we need that the commitment schemes are extractable and equivocal. And so far, we don't know any equivocal and extractable commitment from 1A functions with only classical resources. And our results is actually showing that in the quantum case, we can build extractable and equivocal code in schemes from 1A functions and of course quantum resources. And in particular, this implies that OT and more generally multipartic computation is in mini-QCRIPT that's a parallel of impaleasos five worlds where we have 1A functions and quantum resources. As a remark, there is a concurrent independent work by Bartusek, Kola, Daniel, Koran and Ma that shows an extractable and equivocal commitment, but using a very different route technically. So let me give more details what we mean by equivocal and extractable commitment. As you might know, a commitment scheme is a protocol between two parties, the committer and the receiver, and the committer has a message M. And this protocol has two phases, a commitment phase where the committer provides a commitment of M to the receiver and an opening where the committer reveals the message M to the receiver. So we want to prove two properties for this commitment, commitment scheme protocols. First is hiding, meaning that the receiver cannot learn the message just from the in the commitment phase. But here we're interested in a stronger security notion that's equivocality that's the simulation version of hiding. And to show equivocality we have to show now with my equivocator, who is able to open the message M to a different value M prime, and a malicious receiver who might do an arbitrary polynomial time quantum quantum computation and output some quantum state row. We won't distinguish when the equivocator open to the right message and to a different one. But here this is made more concrete by saying that the output of the malicious receiver on the honest case and in this equivocation case, the two states that they the receiver output. They are computationally distinguishable. And of course you might, you might ask how the equivocator would be able to open to different values, but not breaking the binding property that I'll mention later to two of the protocol is that the equivocator has more resources or more power than than the original committer, for example, it is able to rewind. So the second security property that you want from this commitment scheme is extractability and is the simulation version of binding. So here, we want the, like to have two scenarios so in the first scenario we have like this algorithm called the extractor that just outputs the message M that the possibly malicious committer open in the second phase. And on top of that we also assume that the committer output some quantum state row. In the second scenario, the extractor is able to output some message and prime, just in already different in the first phase. And again, after the protocol finishes the committer, see Tilda output some message, some quantum state, Sigma. And the security here is that the states a row and Sigma they're computationally distinguishable and M is equal to M prime. And again, the extractor here would be able to do this without breaking hiding, because she would have access to extra resources, for example, we're winding again. So, as I said, we want to build the extractor commitments and in particular this implies OT from one functions and quantum resources. So let me tell you a bit how we do this. So the first thing is building equivocal commitments and this can be done actually only only classically. And what it can be seen is that using this equivocal commitments and implementing this BBCS or CK protocols with equivocal commitments, these already give some weak notion of OT, meaning about the simulator or T. So the first thing is that using a garble circuit so we can use about the simulator or T is to have about the simulator verifiable disclosure of secrets. And then we show that from these verifiable CDs, we were able to implement extractor commitments. And now I'll explain each of these steps independently. So as I said the first thing is showing equivocal commitments only classically so we start from a base commitment where the committer and the receiver they share some public parameters. And the receiver sends the commitment of M using some one SR. And it is based commitment of the the committer just sends M and R to the receiver, who then checks if C is indeed at the committee of M using one SR. And in order to make this protocol equivocal, we just replace, change the opening phase, and instead of sending them at the run on SR, the, the committer proves that there exists some are such that M is the commitment. C is the commitment of M using run on SR. And if you implement use this basic commitment, for example with now worse commitment scheme. Since binding is statistical so there exists a single R with overwhelming probability, and then we have the security guarantees for, for, for this new protocol to show equivocal equivocality we need to show the equivocator and this equivocator and the honestly in the original case and the sorry in the commitment phase. But then from the opening, the equivocator choose some message and prime, and then uses the zero knowledge simulator to convince that C is a commitment of M prime using run on SR. And by the zero knowledge property and by the hiding property of the base commitment scheme. So that the, the, the output of the, of the equivocator is in the signature from the output of the original protocol. So with that we have these equivocal commitments and using this previous result with these already gives us these about a simulator. And now my goal is to explain like this verifiable CDS protocols and explain how to use it to finally achieve extractable commitment schemes. So, we do a conditional disclosure of secret for some NP relation so it's just a set of pairs of input and witnesses such that for, for, for which there is an algorithm algorithm V, such that V on XWs outputs one so it accepts, if and only if X and W belongs to this relation. And a CDS for this relation is this ideal protocol where the sender chooses some input X and some message M. The receiver chooses some witness W. And finally, this verifiable CDS sends a message M prime to the receiver such that M prime is equal to M, if XW belongs to this relation, or it outputs per otherwise so the main idea here is that the, the, the receiver will learn the message chosen by the sender, even only if it has the witness to the corresponding input. In this setting we want an extra property from CDS protocols we wanted to be verifiable. So, we want to have a protocol where the sender and the receiver they exchange exchange messages back and forth and since we want quantum protocols this message could be class core quantum. So here we can fix for the classical messages a classical transcript, so this is not possible for quantum message but you can fix them for the classical one so and you call all this classical transcript. And we say that this protocol is a verifiable CDS protocol. If first it implements fcds so if it implements the CDS idea functionality. And if on top of that the protocol is binding, meaning that there exists a unique message that the malicious sender could use and we can verify that this is the case. So, in order to show that it's verifiable what we want is that the sender is able to output some proof pi. And there exists some algorithm that receives as input, the classical transcript tau, the input X, the message M and the proof pi. And if the sender and the receiver on us these algorithm outputs one if this values are provided honestly. And we want also binding such that and says it for every malicious sender as tilde that outputs some message and tilde and some proof by tilde. But the following event happens with over with negligible probability. So, the event that we want to happen with language probably is the following so we wanted the verification passes with until the end by tilde, and the message provided by the receiver is not until the if X and W belongs to the relation. And we don't want that the verification passes with until the end until the was not the message that would be given to the receiver. Okay, so let me tell you how to build this commitment extractable and equivocal commitment schemes from CDS. The protocol has four phases. So the first phase is the trap set chapter setup, where the receiver just sends a commitment of zero and proves your knowledge that it is indeed the commitment of zero. Secondly, they run VCDS protocol for the relation of inputs that are commitments of one. Okay, and the witnesses are the corresponding runners for for for the commitment. Okay, the runners used to commit to one. And input chosen to the by the committer is the commitment sent by the receiver for the first message. The message will be M that will be used to like this is the message that the the committer wants to. This is the message that the committer wants to commit in the in the later phase. Okay, and the receiver on their side that they use as witness they run on SR, and then they verify with CDS outputs the output of VCDS to both parties. Finally, in the commitment phase, the committer just sends a commitment C star of M using running as our star and prove this your knowledge that exists some value of M and our star, such that this commitment is well formed and the message is correct like a that this message allows us to pass that the verification of the variable CDS protocol. And finally, in the opening phase, the prover, sorry, the committer just sends the message M, and as your knowledge proof that C stars indeed a commitment of M of using somewhere and answer star. And we have that this protocol is binding because if no trap they're a setup then the information of M is not reviewed by the VCDS. We also have the binding of the of the of the base protocol and the design article so this implies that no information about M is leaked to the receiver. And we also have hiding and the hiding also comes from, from the, from the, there's no chapter and all the, all the, all the properties of the VCDS and the commitment scheme is your knowledge protocol. And now we can show extractability so for extractability, we, we, the extractor for can first replace this is your knowledge proof by your knowledge simulation. And here, like, these tools and like these two experiments are distinguishable because of the journal knowledge property of the protocol. And then the extractor can just replace the commitment of zero by commitment of one, and by the hiding property of the base protocol these experiments are indistinguishable as well. So if the extractor has replaced the committed by one, then she can just input the runners are used to perform this commitment, and she received a message in prime that supposed to be M that is committed by the, by the prover by the by the, by the soundness of the zero knowledge proof, we have this in the case like this, the M that is sent by the VCDS in the second phase is the same M that's committed by the committer in the second phase. Okay, so we have extractability. So for extractability use the same trick that you use in the in the first, in the first part of this, like index in the first vocal commitment scheme is that there's your knowledge proof. And so the invocator can just run a simulation of send M prime and run a simulation that that star is a commitment of M prime under runners are star. So, we have what I just showed is that from this amount of simulator refurbished yes, we can have extractable commitments, and the only missus step now is showing that from about the simulation of T, we have these about the simulator VCDS. And for that we use garbled circuits and these are composed by three algorithms the garbler then crypto and evaluator. And the evaluator receives as input some circuit that maps and be input to a cable output, and it output some garbled version of the circuits you had, and pairs of labels one pair for each input a bit. These labels are then in the input to an encryptor that also receive some input x, and using this input x is just chooses the right label like for each pair of labels it chooses the right one. So this is what you call the garbled input. And then from the garbled circuit and the garbled input the evaluator outputs some value why, and we want that for correctness that why is indeed the value of C, when the input is x. We wanted to exist some simulator grab seem such that the only from why so from the output of the evaluator, the garbled simulator can output pairs of circuits and inputs that are indistinguishable from the garbled circuits and garbled inputs. Moreover, we know that from yows result in 86 that there are garbled schemes for based only on one a functions. So our goal now is to build you use garbled circuits to build that these verifiable CDS protocols. And in this protocol again we have the sender receiver and let's have a first attempt where the sender sends the input to the receiver, and then computes the garbled circuit that for the secret word on input w outputs m if xw is in the relation, or doubtful purpose otherwise so it can create the garbled circuit and send it to the receiver, and also computes the labels that are given as input tool to a no t functionality. And the receiver would be able to choose from using the witness as she has, pick the right labels and then compute the garbled version of the circuit using the evaluator. But this is problematic because we don't have any guarantee that the labels and the garbled circuit or performed correctly, like they're implemented correctly, and this could leak information to the resender. So instead of what you want is that like the sender will not create one version of the garbled circuit labels but it will create two lambda of them or a lambda is a security parameter. And we send all of these garbled circuits together with the commitment of the message that was used to like the message chosen by the sender and the commitments of each one of the labels. And on top of that it proves that all of these values there are consistent meaning m is the message used in all the garbled circuits, and that all the commitment schemes they are well formed. Then the the sender chooses the labels and the renons used as the labels as the input to the team. And instead of using all of them to compute the message and the receiver will pick half of them to test if the commitments are correct to indeed, yeah, they all they're all formed, and half of them will be used for for the computation. And for the test so for the competition rounds, the, the receiver uses the actual witness as the input to the team, but for the test rounds, the, the, the receiver will pick just random beats as inputs to the team. And after running the protocol, the, the receiver, apart if the zero knowledge fails or if one of the sets round fails, otherwise she can use one of these competition rounds to extract the right message. And we can show that this is a CDS because the like, if the receiver does not have the witness, then the garbled secret won't always output perp and she cannot learn it from the garbled circuit. It's also verifiable because the server, the sender can just output our star and the verification algorithm just checks that if C star is equal to this commitment of M sent by the sender in the second message. And for that we can show correctness and binding. So these finishes our, like our proof by by showing that from only functions and quantum, we can build extract commitments and OT. And in this result to show that the, in general, secure multiparty computations mini Q Crypt, so we can build it from one a functions and quantum. And I think the main question is what else can we do for money functions the quantum world so can you have that other functionalities that we don't know how to do it classically. And to conclude, I'd like to thank you for your attention.