 Thank you very much. So this talk is about bit security of certain elliptic curve-based one-way function. And it's a joint work with Alexander Duke. So first, to introduce the problem, very often, whenever we have a secret, a long secret, we are interested to know whether parts of this secret is secure, so that we can use only certain bits of the secret. In particular, one question is whether we can use individual bits as hard-to-compute bits. And the main sort of one-way function on which I want to focus, it's a hardness assumption known as the fixed argument pairing conversion problem, or FAPI. And it's the underlying assumption of various protocols. So just to state the assumption first, I'm going to fix a prime, p, and an elliptic curve over Fp. And then I will consider a large cyclic subgroup of points on the elliptic curve, g. And I will consider a cryptographic pairing from g cross g into a target group. So if I fix one of the arguments of the pairing, the second argument, what one gets is a function from the group g to the target group. So that's the function that we often believe is hard to invert. And the problem of inverting this function, we call it fixed argument pairing conversion to problem. So if I fix the first argument, then I'm getting the problem that's known as FAPI 1. OK, so why is this problem relevant and interesting? Well, we can just mention a few schemes that are whose securities based on this assumption. So the celebrated identity-based encryption scheme of Bonet and Franklin, then we have the three-party, one-round key agreement protocol by Jue that's based on this assumption. And we have also signature schemes, identity-based signature schemes, due to Hess. So basically, the assumption that we want to make is that FAPI 2 is hard. And why is this assumption valid? If you believe that FAPI 1 and FAPI 2 are simultaneously hard, then this, well, if you can solve FAPI 1 and FAPI 2, then this yields a solution to the computational Diffie-Hellman assumption. So it is reasonable to believe that FAPI 2, at least for the moment, is hard. And this is what we're going to do in this talk. So the contribution that I will report on today is assuming the hardness of this problem, FAPI 2, then we can show that all the bits of the input to the pairing-based one-way function that we just defined are secure. So any of the bits. OK, so let me tell you a little bit about the model of analyzing this problem. So first of all, elliptic curves for us will be given by short-various stress equations, y squared equals x cubed plus ax plus b, with non-zero discriminant. And of course, some of these equations will be isomorphic. So we need to distinguish isomorphic equations. And the way in which we would distinguish, it's very classical how you would distinguish two isomorphic equations. Basically, their coefficients have to be related via a scalar lambda in the way that a prime is equal to lambda to the minus 4 times a, and b prime is lambda to the minus 6 times b. So there should exist a lambda. So the two equations are going to be isomorphic, even only if there is a lambda that relates the two coefficients in this way. And we can also write down the isomorphism explicitly between the two curves just by multiplying the x and the y coordinates by lambda squared and lambda cubed respectively. So now it's very easy to see from here that each isomorphism class will have precisely p minus 1 short of bias stress equations, namely, that will be determined by the number of scalars lambda that we have in the multiplicative group of the finite field. So what we would assume, and the way we would state the main result, is as follows. So we would assume that we have an oracle that predicts the k-bit of the input to the one-way function on a significant fraction of all the bias stress equations in the isomorphism class. So here I should make it very precise that when we talk about bits of an element in a finite field or in a group, we usually specify the explicit representation of the finite field. Here we talk about bits of a point on an elliptic curve. So we need to specify exactly the short bias stress equation that represents this elliptic curve. That's why we're assuming that the oracle works on a significant fraction of all the bias stress equations representing the elliptic curve. So we can query the oracle with the output of the one-way function together with specifying the short bias stress equation. So basically we show that if we have such an oracle, then we have an efficient algorithm to invert the function fq. OK, and as a conclusion, this shows that if we believe that fapi2 is hard, then all the bits of the input to the pairing-based one-way function are going to be hard to compute. OK, so just to mention a generalization of that, so the argument that we are using uses very little from the properties of the pairings. So in fact, all we are using is that the one-way function is defined on the isomorphism class. And that's why we can state a much more general result here. So assuming that we have a function from the elliptic curve group to the target group with the property that its definition is independent of the choice of the short bias stress equation so that it's defined on the isomorphism class, then if inverting f is hard, we get that every bit to the input of f is secure. Well, here is an open question that's currently the only interesting cryptographically interesting example of such a function is the pairing-based one-way function. It would be very interesting if we can find other examples to which the above result could apply. So let me see a little bit about the method used to prove the security result. So our method is based on defining a special code. So we would use the oracle to transform the problem of inverting the function to a least decoding problem, a coding theory problem. So we would define a special code which we call the elliptic curve multiplication code, ECMC, whose code words will be in bijection with the points on the group that are the input points to the function. And then we would use the oracle to construct a noisy code word corresponding to the hidden point. And then we would inverting the function would basically mean least decoding. So the least decoding part is based on Fourier transforms. So it's a technique that's known as least decoding via Fourier transform. And it's due to multiple people. So the code words, the idea is that the code words, in our case, will be viewed as functions on the multiplicative group of the finite field. Then the first step of the algorithm will be taking this function and doing a Fourier transform and picking only the heavy Fourier coefficients. Of course, we cannot do this always because the function is defined on an exponentially large domain. So what we need is a requirement is that the number of heavy Fourier coefficients is small. And if we assume such a requirement, then we can apply an algorithm that's due to Kavya, Goldwasser, and Safra, which is known as the SFT algorithm, that will give us a list, a polynomial size list, of all the heavy Fourier coefficients. I will comment a little bit about this on that later. And finally, once we have this list of coefficients for each of the heavy Fourier coefficients, we're going to try to list all the code words that have this coefficient as heavy. So given a frequency, basically, on the frequency domain, we're going to list all the code words that have a significant Fourier coefficient at this frequency. So this is what we call the recoverability part of the algorithm. Now, let me comment a little bit on how we could use the prediction or a code. So if we are given the hidden input R on the group, and if we're given a short-virus stress equation, w, then one thing we could do is we could use the prediction or a code b, plugging in the short-virus stress equation together with the output to get the k-bit of the x coordinate of the point R on w. So using that, we can define a code word. So that will be a function from the multiplicative group to plus or minus one as follows. At each coordinate, I'm going to change the various stress equation, w lambda, with the isomorphic one obtained by lambda, and then query the oracle on that equation. So this gives me a code word. I can't really represent it efficiently because the domain is exponentially large. But at least I can access it. I can access every bit of this code word. OK, and it's a noisy code word because my oracle is noisy. Now if I have a, now I have to constrict the code. And the most natural definition of the code is simply to take the x coordinate of the representation of the point on the corresponding various stress equation. So in other words, I have to multiply it by this factor of lambda squared here. Well, that doesn't really, so first of all, we need to see how we can decode what kind of properties are needed. And as I kind of implicitly mentioned already, we need three properties that I list here. First of all, accessibility. So any bit of the input, any bit of the noisy code word has to be accessible. Then the second property is Fourier concentration. And then the third property is recoverability. So unfortunately, with this definition, the Fourier concentration, one cannot establish the Fourier concentration. So let me tell you a little bit about the Fourier concentration. Very simple background on Fourier analysis. If we have a function, then after doing the Fourier transform, we're getting a set of frequencies. And each of these frequencies comes with a coefficient. So we call the function Fourier concentrated if it has a small number of significant Fourier coefficients. So if we have only a small number of these frequencies, that would approximate sufficiently well the function. So the frequencies, we call them Fourier basis. Well, they form a Fourier basis. And in our case, since we are working discreetly, those will be characters of the group. So the second point is recoverability. So recoverability, once we have a list of the significant Fourier coefficients and the corresponding frequencies, for each frequency we would like to obtain a list of full-D code words that are having this frequency as significant. So the recoverability, once we have Fourier concentration plus recoverability that typically implies less decoding. So let's look at the first attempt a little bit more closely. So we have these code words that are defined here using multiplication by lambda squared, or taking the x coordinate on the corresponding Varstras equation. This will work fine if we can show that the code words are Fourier concentrated. However, establishing such a result is very difficult. Because if you do the Fourier transform, then the Fourier transform, the Fourier coefficients are estimated using very famous Gauss-Sampson analytic number theory. And this has been very well studied by the analytic number theory people. And basically, one cannot get any good estimates to show the result of the type that we need. So this approach seems to be not so fruitful, and we need a different approach. Basically, what we would do is we would define a different list decoding problem. And here, to modify the list decoding problem, we use an idea that's due to Bonet and Szperlinski from 2001, when they studied the bit security of the least significant bit of the Diffie-Hellman function. So the idea is that we would modify our prediction oracle by taking the square root whenever possible of the position lambda of the element lambda in the multiplicative group of the finite field via a random square root function. So if one does this, one is slightly randomizing the prediction oracle, and that allows for linearization in the code. So our code now will look like multiplication by lambda as opposed to multiplication by lambda square. And here we can do very precise estimates on the Fourier coefficients and proof Fourier concentration. So this code is Fourier concentrated, and one can also show that it is recoverable. So this uses a nice technique of Morillo and Ruffles on a representation, convenient representation of the interval from 0 to p minus 1. So as a summary, just to summarize the results, we prove that every bit to the input of any elliptic curve based one-way function is hard to compute. In particular, the input bits to the fixed argument, pairing-based one-way functions, are going to be hard to compute. And here we also list several open questions. So of course the most difficult problem here, which is out of hope for the moment, is can you prove the same result if you fix the short viastras equation, if you don't allow, if you assume only an oracle that gives you the bit prediction on a fixed viastras equation? And another generalization here is to look at the entire class of curves with a given number of points, which is relevant for the choice of elliptic curves in cryptography, and then show that if you have an imperfect oracle working on this class, then you can again invert the input to the pairing-based function. So we have done some progress on that question. And finally, we are interested in assuming the prediction oracle that predicts a block of bits. So this is also possible with Fourier transform ideas. Thank you very much.